[Samba] Computer Management - Share Security - No Read Access

Marco Shmerykowsky marco at sce-engineers.com
Tue Feb 19 20:25:51 UTC 2019


On 2019-02-19 3:05 pm, Rowland Penny via samba wrote:
> On Tue, 19 Feb 2019 14:44:05 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> 
>> 
>> >>          # user administrator workaround
>> >>          username map = /etc/samba/user.map
>> >
>> > Just to check, what is in the user.map ?
>> 
>> root at machine253:/etc/samba# cat user.map
>> !root = INTERNAL\Administrator INTERNAL\administrator Administrator administrator
> 
> That should work.
> 
>> >
>> > If you run 'getent group Domain\ Admins', do you get 'Administrator'
>> > listed as a group member e.g.
>> >
>> > domain_admins:x:10512:administrator,rowland,.........
>> 
>> root at machine253:/etc/samba# getent group Domain\ Admins
>> domain admins:x:10512:administrator
> 
> If you are logged into the Windows machine as 'INTERNAL\Administrator'
> it should work, but if you are using another Domain user, add that user
> to the 'Domain Admins' group.
> 
>> 
>> >
>> >>
>> >> ** Create Share & Set permissions
>> >>
>> >> root at sce253:/# ls -la /server
>> >> drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13 programs
>> >
>> > Something seems to have happened, note the '+' sign at the end of
>> > the Unix permissions, what does 'getfacl /server' show ?
>> 
>> root at machine253:/etc/samba# getfacl /server
>> getfacl: Removing leading '/' from absolute path names
>> # file: server
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> other::r-x
> 
> Something is going on here, 'ls' shows 'root:domain admins' as the
> owner:group with 0770 permissions, but getfacl shows 'root:root' as
> owner:group with 0755 permissions
> 
>> 
>> > This is very strange, it should work, are the 'attr' and 'acl'
>> > packages installed ?
>> >
>> > Rowland
>> 
>> I ran this command from the Debian section of the
>> "Distribution specific Package Installation" on the wiki.
>> 
>> # apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
> 
> 'acl' is installed by default
> 
>> 
>> For what it's worth, Group policy is mapping the drives and the
>> various shares are being restricted to the proper groups.
>> I can also set folder/directory permissions on the share
>> by navigating directly to the share using a UNC path.
> 
> Strange.
> 
>> 
>> Just know that the last part of the "Setting Share Permissions
>> and ACL's" on the wiki doesn't allow for anything to be
>> modified on the 'Security' tab.
> 
> It should and I have just updated that wiki page.
> 
>> 
>> Not sure if this is "as designed" or did I do something
>> which will create problems later.
> 
> Double check Unix ownership and permissions on the share directory,
> that is really the only thing that looks wrong.
> To remove the ACL's and start again, run:

What exactly does "START AGAIN" imply? Just chmod?

> 
> setfacl -b path/to/directory
> 
> reset the unix permissions as shown on the wiki page and then try again
> from Windows.
> 
> Rowland
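
An added example, not part of the original thread or of Samba's documentation: a shell helper that reduces `getfacl` output to the owner:group and octal mode that `ls` would show, so the two views can be compared for the same path. The `ls -la /server` line quoted above is the entry for `programs` inside `/server`, while `getfacl /server` describes `/server` itself. The function names and the second sample are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Debian-style GNU stat and getfacl.

# Reduce getfacl text on stdin to "owner:group mode extended=yes|no".
acl_summary() {
    awk '
    function bits(p) {  # "r-x" -> 5
        return (substr(p,1,1)=="r")*4 + (substr(p,2,1)=="w")*2 + (substr(p,3,1)=="x")
    }
    /^# owner: / { owner = substr($0, 10) }
    /^# group: / { group = substr($0, 10) }
    /^user::/    { u = bits(substr($0, 7)) }
    /^group::/   { g = bits(substr($0, 8)) }
    /^other::/   { o = bits(substr($0, 8)) }
    /^mask::/    { m = bits(substr($0, 7)); has_mask = 1 }
    /^(user|group):[^:]+:/ || /^default:/ { ext = 1 }
    END {
        # With a mask present, the group bits that ls prints are the mask.
        if (has_mask) { g = m; ext = 1 }
        # Decode \040 in case a name with a space is written in escaped form.
        gsub(/\\040/, " ", owner); gsub(/\\040/, " ", group)
        printf "%s:%s %d%d%d extended=%s\n", owner, group, u, g, o, (ext ? "yes" : "no")
    }'
}

# getfacl output for /server exactly as posted in the thread.
sample_thread() { cat <<'EOF'
# file: server
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
EOF
}

# Constructed sample: what an entry listed as drwxrwx---+ could look like.
sample_constructed() { cat <<'EOF'
# file: server/programs
# owner: root
# group: domain\040admins
user::rwx
group::r-x
group:domain\040admins:rwx
mask::rwx
other::---
EOF
}

# Live check: query the directory itself (not its contents) with both tools.
check_share() {
    printf 'stat:    %s\n' "$(stat -c '%U:%G %a' -- "$1")"
    printf 'getfacl: %s\n' "$(getfacl -p -- "$1" | acl_summary)"
}
```

Running `check_share` on both `/server` and `/server/programs` shows which of the two directories carries the extended ACL before anything is stripped with `setfacl -b`.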


