[Samba] Computer Management - Share Security - No Read Access

Rowland Penny rpenny at samba.org
Tue Feb 19 20:47:22 UTC 2019


On Tue, 19 Feb 2019 15:25:51 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:

> 
> On 2019-02-19 3:05 pm, Rowland Penny via samba wrote:
> > On Tue, 19 Feb 2019 14:44:05 -0500
> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> > 
> >> 
> >> >>          # user administrator workaround
> >> >>          username map = /etc/samba/user.map
> >> >
> >> > Just to check, what is in the user.map ?
> >> 
> >> root at machine253:/etc/samba# cat user.map
> >> !root = INTERNAL\Administrator INTERNAL\administrator Administrator administrator
> > 
> > That should work.
> > 
> >> >
> >> > If you run 'getent group Domain\ Admins', do you get
> >> > 'Administrator' listed as a group member e.g.
> >> >
> >> > domain_admins:x:10512:administrator,rowland,.........
> >> 
> >> root at machine253:/etc/samba# getent group Domain\ Admins
> >> domain admins:x:10512:administrator
> > 
> > If you are logged into the Windows machine as
> > 'INTERNAL\Administrator' it should work, but if you are using
> > another Domain user, add that user to the 'Domain Admins' group.
> > 
> >> 
> >> >
> >> >>
> >> >> ** Create Share & Set permissions
> >> >>
> >> >> root at sce253:/# ls -la /server
> >> >> drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13 programs
> >> >
> >> > Something seems to have happened, note the '+' sign at the end of
> >> > the Unix permissions, what does 'getfacl /server' show ?
> >> 
> >> root at machine253:/etc/samba# getfacl /server
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: server
> >> # owner: root
> >> # group: root
> >> user::rwx
> >> group::r-x
> >> other::r-x
> > 
> > Something is going on here, 'ls' shows 'root:domain admins' as the
> > owner:group with 0770 permissions, but getfacl shows 'root:root' as
> > owner:group with 0755 permissions
> > 
> >> 
> >> > This is very strange, it should work, are the 'attr' and 'acl'
> >> > packages installed ?
> >> >
> >> > Rowland
> >> 
> >> I ran this command from the Debian section of the
> >> "Distribution specific Package Installation" on the wiki.
> >> 
> >> # apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
> > 
> > 'acl' is installed by default
> > 
> >> 
> >> For what it's worth, Group policy is mapping the drives and the
> >> various shares are being restricted to the proper groups.
> >> I can also set folder/directory permissions on the share
> >> by navigating directly to the share using a UNC path.
> > 
> > Strange.
> > 
> >> 
> >> Just know that the last part of the "Setting Share Permissions
> >> and ACL's" on the wiki doesn't allow for anything to be
> >> modified on the 'Security' tab.
> > 
> > It should and I have just updated that wiki page.
> > 
> >> 
> >> Not sure if this is "as designed" or did I do something
> >> which will create problems later.
> > 
> > Double check Unix ownership and permissions on the share directory,
> > that is really the only thing that looks wrong.
> > To remove the ACL's and start again, run:
> 
> What exactly does "START AGAIN" imply? Just chmod?

'ls' shows the correct ownership and Unix permissions:
 
drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13 programs

But 'getfacl' shows something different:

getfacl: Removing leading '/' from absolute path names
# file: server
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

So what I am suggesting is that you use 'setfacl' to remove the
extended ACLs, it is the only thing I can see different between my
working system and your non-working system.

Rowland
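
The comparison made in this thread, as an added example that is not part of the original message or of Samba: a small parser that puts one `ls -l` line and one `getfacl` output side by side and lists each field where they differ, including the file name, since the two commands have to describe the same path for the comparison to hold. The function names are hypothetical and the sample input is the output quoted above.

```python
import re

# Constructed input: the two command outputs quoted in the thread.
LS_LINE = "drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13 programs"
GETFACL_OUT = """getfacl: Removing leading '/' from absolute path names
# file: server
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""
LS_RE = re.compile(r"^[-dlbcps]([rwxsStT-]{9})(\+?)\s+\d+\s+(\S+)\s+(.+?)"
                   r"\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")

def parse_ls(line):
    """Split one `ls -l` line; the group may contain spaces ('domain admins')."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    ls = dict(zip(("perms", "plus", "owner", "group", "file"), m.groups()))
    # setuid/setgid/sticky letters replace the x bit; map them back to x or -
    ls["perms"] = ls["perms"].translate(str.maketrans("sStT", "x-x-"))
    return ls

def parse_getfacl(text):
    """Return (header fields, ACL entries keyed 'tag:qualifier' -> perms)."""
    head, acl = {}, {}
    for raw in text.splitlines():
        line = raw.split("\t#")[0].strip()      # drop '#effective:' comments
        if line.startswith("# "):
            key, _, val = line[2:].partition(": ")
            # getfacl writes special characters in names as \ooo octal escapes
            head[key] = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), val)
        elif line and not line.startswith("getfacl:"):
            key, _, perms = line.rpartition(":")
            acl[key] = perms
    return head, acl

def compare(ls_line, getfacl_text):
    """List every way the two views disagree; an empty list means they agree."""
    ls, (head, acl) = parse_ls(ls_line), parse_getfacl(getfacl_text)
    # When a mask entry exists, ls shows the mask in the group position.
    view = {"perms": acl["user:"] + acl.get("mask:", acl["group:"]) + acl["other:"],
            "plus": "+" if len(acl) > 3 else "",   # more than user::, group::, other::
            "owner": head["owner"], "group": head["group"],
            "file": head["file"].rstrip("/").split("/")[-1]}
    return ["%s: ls=%r getfacl=%r" % (k, ls[k], view[k])
            for k in ("file", "owner", "group", "perms", "plus") if ls[k] != view[k]]
```

`compare(LS_LINE, GETFACL_OUT)` returns one line per differing field for the sample input; an empty list means the `ls` line and the ACL describe the same object with the same ownership and mode.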



