[Samba] Computer Management - Share Security - No Read Access
Marco Shmerykowsky
marco at sce-engineers.com
Tue Feb 19 20:25:51 UTC 2019
On 2019-02-19 3:05 pm, Rowland Penny via samba wrote:
> On Tue, 19 Feb 2019 14:44:05 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>
>>
>> >> # user administrator workaround
>> >> username map = /etc/samba/user.map
>> >
>> > Just to check, what is in the user.map ?
>>
>> root@machine253:/etc/samba# cat user.map
>> !root = INTERNAL\Administrator INTERNAL\administrator Administrator administrator
>
> That should work.
>
>> >
>> > If you run 'getent group Domain\ Admins', do you get 'Administrator'
>> > listed as a group member e.g.
>> >
>> > domain_admins:x:10512:administrator,rowland,.........
>>
>> root@machine253:/etc/samba# getent group Domain\ Admins
>> domain admins:x:10512:administrator
>
> If you are logged into the Windows machine as 'INTERNAL\Administrator'
> it should work, but if you are using another Domain user, add that user
> to the 'Domain Admins' group.
>
>>
>> >
>> >>
>> >> ** Create Share & Set permissions
>> >>
>> >> root@sce253:/# ls -la /server
>> >> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
>> >
>> > Something seems to have happened, note the '+' sign at the end of
>> > the Unix permissions, what does 'getfacl /server' show ?
>>
>> root@machine253:/etc/samba# getfacl /server
>> getfacl: Removing leading '/' from absolute path names
>> # file: server
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> other::r-x
>
> Something is going on here, 'ls' shows 'root:domain admins' as the
> owner:group with 0770 permissions, but getfacl shows 'root:root' as
> owner:group with 0755 permissions
>
>>
>> > This is very strange, it should work, are the 'attr' and 'acl'
>> > packages installed ?
>> >
>> > Rowland
>>
>> I ran this command from the Debian section of the
>> "Distribution specific Package Installation" on the wiki.
>>
>> # apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
>
> 'acl' is installed by default
>
>>
>> For what it's worth, Group policy is mapping the drives and the
>> various shares are being restricted to the proper groups.
>> I can also set folder/directory permissions on the share
>> by navigating directly to the share using a UNC path.
>
> Strange.
>
>>
>> Just know that the last part of the "Setting Share Permissions
>> and ACL's" on the wiki doesn't allow for anything to be
>> modified on the 'Security' tab.
>
> It should and I have just updated that wiki page.
>
>>
>> Not sure if this is "as designed" or did I do something
>> which will create problems later.
>
> Double check Unix ownership and permissions on the share directory,
> that is really the only thing that looks wrong.
> To remove the ACL's and start again, run:

What exactly does "START AGAIN" imply? Just chmod?

>
> setfacl -b path/to/directory
>
> reset the unix permissions as shown on the wiki page and then try again
> from Windows.
>
> Rowland
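
One way to script the "double check Unix ownership and permissions on the share directory" step from the message above. This is an added example, not part of the original thread or the Samba wiki; `check_share_dir` is a hypothetical helper name, and the expected owner, group and mode are supplied by the caller rather than taken from the wiki page.

```shell
#!/usr/bin/env bash
# Added example: verify a share directory ITSELF (not its contents).
# Usage: check_share_dir DIR OWNER GROUP MODE   (expected values come from the caller)
check_share_dir() {
    local dir=$1 want_owner=$2 want_group=$3 want_mode=$4 rc=0
    local owner group mode extended

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # stat reports on the directory itself, like 'ls -ld DIR';
    # 'ls -la DIR' lists the entries inside DIR instead.
    owner=$(stat -c %U "$dir")
    group=$(stat -c %G "$dir")
    mode=$(stat -c %a "$dir")

    [ "$owner" = "$want_owner" ] || { echo "owner: $owner (expected $want_owner)"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group: $group (expected $want_group)"; rc=1; }
    [ "$mode" = "$want_mode" ] || { echo "mode: $mode (expected $want_mode)"; rc=1; }

    # With --skip-base, getfacl prints nothing when only the base
    # user/group/other entries exist, so any output means extended ACLs.
    if command -v getfacl >/dev/null 2>&1; then
        extended=$(getfacl --absolute-names --omit-header --skip-base "$dir" 2>/dev/null) || true
        if [ -n "$extended" ]; then
            echo "extended ACL entries present (removed by 'setfacl -b'):"
            echo "$extended"
            rc=1
        fi
    else
        echo "getfacl not found; ACL entries not checked" >&2
    fi
    return $rc
}

# Run directly as: ./check_share_dir.sh /path/to/share root "domain admins" 770
if [ "$#" -eq 4 ]; then
    check_share_dir "$@"
fi
```

A non-zero return lists each mismatch; quote group names that contain spaces, such as "domain admins".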