[Samba] Computer Management - Share Security - No Read Access

L.P.H. van Belle belle at bazuin.nl
Wed Feb 20 07:43:01 UTC 2019


After you have set the new rights with chmod, yes, then you need to assign the rights again, once, from within Windows.
That's how you got the drwxr_xr_x+ back.

Yes, the root of the share, that's the one often missed.

If you share .. I'll take your Demo as example.
/srv/samba/Demo.

/srv should never be shared, but you need to have 755 here, as "non-linux users" (AD users), you need to "walk through as other" /srv  (77)  > 5 < ( minimal 1)
Always create a subfolder first and use that one as share.

/srv/samba   1770 or 3770 or 3775, this all depends on what/how you're going to set up.
    samba ( the share root) must have "domain admins and/or domain users"  again, depends on setup a bit.
    And here your "share" ACLs also kick in, but if the underlying filesystem does not allow you to write, you are unable to change anything.
    I prefer at this point, 3775  3 ( creator group )  ( 7, Administrator, ) ( 7, Domain admins)  (5,  other)
        you can change the last 5 also to 1, so only the x right, that allows "walk through" in Windows.

    Now you're ready to admin your server; with user Administrator and the group members
    you can set up and create new folders and adjust the share ACL from within Windows.

    Last note here. /srv/samba: if samba is shared here then you need to allow "Domain Admins" to write also on /srv.
    A simple test (! but it kills your current rights): chmod 777 /srv and try to change the rights.
    Otherwise you're unable to adjust from within Windows.


/srv/samba/Demo about the same as /srv/samba.
    In my opinion, only use 3770, set a "Data_group" on this folder, and keep "domain users" as primary group.
    The Data group members are allowed to do anything in the folder but all files/folders get "domain users" as primary group.
    Here I suggest 2 or 3 groups, depends a bit on the use also.
        Data_group_rw        ( allow read write )
        Data_group_r         ( allow read )
        Data_group_Admins    ( full control )
    Just remember the resulting file/folder right after Demo ( example /srv/samba/Demo/NewFolderHere ):
    NewFolderHere gets "domain users", which is correct.
    The Data_groups are only used to allow access or not.

    This is how I mix Windows and Linux rights and this is also why my NFSv4 works with automounts.


I really suggest people set up a few shares and test this, it will help you in your setup.

1- Use groups as much as you can.
2- Don't assign users for ACLs except Administrator.
3- Set up a normal Windows server and it just works.

Creator Owner/Creator Group are always forgotten but are the most powerful groups when it comes to correct rights..

If you think I was talking in riddles above, let me know, I'll try to make a better example.
 
 
Greetz, 
 
Louis
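The layout Louis describes (755 on /srv, 3775 on /srv/samba, 3770 on the share root with a Data_group) and the getfacl exchange further down the thread (a share root showing only user::/group::/other:: entries, i.e. no "+") can be checked mechanically. The script below is an added example for this page, not code from the list, from Louis or from the Samba project. It builds the tree under a scratch directory, assumes Linux with GNU or busybox coreutils (stat -c, id -Gn), and uses the running user's first supplementary group in place of the AD Data_group; the getfacl text it classifies is constructed to look like the output Marco posted.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from Samba).
# It builds the tree Louis describes under a scratch root and checks the
# points that usually go wrong:
#   1. every directory above the share root must grant "walk through"
#      (execute) to other, or AD users never reach the share;
#   2. a setgid share root (3xxx/2xxx) hands its group to new subfolders,
#      which is the "creator group" behaviour Louis relies on;
#   3. a share root whose getfacl output holds only user::/group::/other::
#      carries no extended ACL, i.e. the "+" Marco looked for is absent.
# Assumes Linux with GNU or busybox coreutils (stat -c, id -Gn). The AD
# groups from the thread are not needed: the first supplementary group of
# the running user stands in for the Data_group.
set -eu

# check_walk_through SHARE BASE
# Walks from SHARE's parent up to and including BASE; fails at the first
# directory whose "other" digit lacks execute (bit value 1, the minimum
# Louis mentions). BASE stands in for / here.
check_walk_through() {
    dir=$(dirname "$1")
    base=$2
    while :; do
        mode=$(stat -c '%a' "$dir")            # e.g. 755 or 3775
        if [ $(( 0$mode & 1 )) -eq 0 ]; then   # leading 0: read as octal
            echo "no walk-through for other on $dir (mode $mode)" >&2
            return 1
        fi
        [ "$dir" = "$base" ] && return 0
        next=$(dirname "$dir")
        if [ "$next" = "$dir" ]; then          # reached / without meeting BASE
            echo "$1 is not below $base" >&2
            return 1
        fi
        dir=$next
    done
}

# build_tree BASE
# BASE/srv 755, BASE/srv/samba 3775, BASE/srv/samba/Demo 3770, then a
# NewFolderHere inside Demo created with no explicit group at all.
build_tree() {
    base=$1
    chmod 755 "$base"                          # scratch root plays the part of /
    mkdir "$base/srv"       && chmod 755  "$base/srv"
    mkdir "$base/srv/samba" && chmod 3775 "$base/srv/samba"
    mkdir "$base/srv/samba/Demo"
    primary=$(id -gn)
    for g in $(id -Gn); do                     # hand Demo to a non-primary group if we have one
        if [ "$g" != "$primary" ]; then
            chgrp "$g" "$base/srv/samba/Demo" && break
        fi
    done
    chmod 3770 "$base/srv/samba/Demo"          # setgid + sticky, group rwx, nothing for other
    mkdir "$base/srv/samba/Demo/NewFolderHere"
}

# inherits_group PARENT CHILD
# True when CHILD carries PARENT's group and the setgid bit (02000): the
# effect of the "3"/"2" in 3770, whatever the creator's primary group is.
inherits_group() {
    cm=$(stat -c '%a' "$2")
    [ "$(stat -c '%G' "$1")" = "$(stat -c '%G' "$2")" ] && [ $(( 0$cm & 02000 )) -ne 0 ]
}

# acl_is_extended < getfacl-output
# True when any entry beyond the three base entries is present (named
# user/group, mask, default entries); that is what the "+" in ls -l means.
# Comment lines (# file:, # owner:, # group:) are ignored.
acl_is_extended() {
    awk '
        /^#/ || /^$/ { next }
        !/^(user|group|other)::/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Demo run: builds the tree, then breaks /srv the way a chmod 750 would.
root=$(mktemp -d)
build_tree "$root"
check_walk_through "$root/srv/samba/Demo" "$root" && echo "walk-through ok"
inherits_group "$root/srv/samba/Demo" "$root/srv/samba/Demo/NewFolderHere" \
    && echo "NewFolderHere inherited group $(stat -c '%G' "$root/srv/samba/Demo") and setgid"
chmod 750 "$root/srv"
if ! check_walk_through "$root/srv/samba/Demo" "$root"; then
    echo "as expected: AD users cannot reach Demo any more"
fi
# Constructed getfacl-style output, shaped like the one Marco posted.
printf 'user::rwx\ngroup::r-x\nother::r-x\n' | acl_is_extended \
    || echo "no extended ACL: nothing has been assigned from Windows yet"
rm -rf "$root"
```

No root is needed to run it. On a real server, the same check_walk_through with BASE=/ against the actual share path, and `getfacl <share root> | acl_is_extended`, tell you in seconds whether the "walk through" chain is intact and whether the Windows-assigned ACL that produces the "+" is still there after a chmod.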
 

From: Marco J Shmerykowsky PE [mailto:marco at sce-engineers.com]
Sent: Wednesday 20 February 2019 4:09
To: L.P.H. van Belle; Marco Shmerykowsky via samba
CC: samba at lists.samba.org
Subject: Re: [Samba] Computer Management - Share Security - No Read Access



I somehow got one server to behave properly. (I created shares on two different but similarly configured servers).

The difference between the server that 'works' and the one that 'doesn't' appears to have to do with the assignment of ACLs to the root of the share. In the case of the wiki example, it would be the "Demo" in /srv/samba/Demo.

The permissions for the properly behaved directory have a '+' at the end of the definition (ex. drwxr_xr_x+). Not sure how I created it tho'
--

Marco J. Shmerykowsky, PE, F.ASCE
marco at sce-engineers.com Shmerykowsky Consulting Engineers
Structural Analysis & Design
102 West 38th Street, 2nd Floor
New York, New York 10018
Tel. (212) 719-9700 Fax. (212) 719-4822
http://www.sce-engineers.com 

On February 19, 2019 6:27:14 PM EST, Marco Shmerykowsky via samba <samba at lists.samba.org> wrote: 
I'm getting an inkling on the problem.

In my OLD WinNT style Domain setup, I copied all my files to another Windows machine. I then set up the new server and once I established a connection which I thought was stable, I copied all the files back to the new server on the AD Domain.

I strongly suspect that the problem has to do with the resulting ACLs and permissions from copying between the two domains.



On 2019-02-19 5:30 pm, L.P.H. van Belle wrote:
I suggest you start with :
1770 /server (+ creator owner )
3770 /server/programs ( + creator owner + creator group. )

Then check again with getfacl


Greetz,

Louis

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Marco Shmerykowsky via samba
Sent: Tuesday 19 February 2019 23:13
To: Rowland Penny
CC: samba at lists.samba.org
Subject: Re: [Samba] Computer Management - Share Security - No Read Access


On 2019-02-19 4:22 pm, Rowland Penny via samba wrote:
On Tue, 19 Feb 2019 16:13:27 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:


On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
On Tue, 19 Feb 2019 15:25:51 -0500

What exactly does "START AGAIN" imply? Just chmod?

'ls' shows the correct ownership and Unix permissions:

drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs

But 'getfacl' show something different:

getfacl: Removing leading '/' from absolute path names
# file: server
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

So what I am suggesting is that you use 'setfacl' to remove the extended ACLs, it is the only thing I can see different between my working system and your non-working system.

Rowland

root at machine253:/server# setfacl -b /server/users

root at machine253:/server# chmod 0770 /server/programs
root at machine253:/server# ls -l
total 20
drwxrwx--- 4 root domain admins 4096 Feb 17 19:13 programs


root at machine253:/server# getfacl /server/programs
getfacl: Removing leading '/' from absolute path names
# file: server/programs
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

No Change

When you say 'No Change' I take it you mean that it is still not
working from Windows, because there is a change on the Unix side,
'Domain Admins' now has the required Unix permissions.

Correct. In Computer Manager I can not access anything on the
share except for the share permissions.

I've also been trying to create "user directory" using %LogonUser% via a group profile. That doesn't seem to be working, but I don't know if it's related.

One other thing, I cannot remember asking if Apparmor or Selinux is installed and enabled.

Rowland

I tried sestatus and apparmor_status and both returned 'command not found', so I assume they're not running. I installed Debian 9 from the LiveCD with the cinnamon desktop.

OK, it is late here, but just in case something has changed, I will set up a new Debian 9 VM tomorrow, install the distro Samba packages and follow the Samba wiki page.

Can you confirm that you are using Samba from Debian 9.
You seem to be using '/server' as the shared directory, is this correct?
What Windows version are you using? (I know you may have already said, but it saves me looking it up)

Rowland

Debian 9 -> uname -r -> 4.9.0-8-686

This is the iso I used:
https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-9.8.0-amd64-cinnamon.iso

Windows 10 (version 1803)

The file directory for the various shares is '/server'
