[Samba] Computer Management - Share Security - No Read Access
Marco Shmerykowsky
marco at sce-engineers.com
Thu Feb 21 15:39:47 UTC 2019
On 2019-02-20 7:12 am, Rowland Penny wrote:
> On Wed, 20 Feb 2019 11:02:55 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Tue, 19 Feb 2019 22:05:12 +0000
>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>> > OK, it is late here, but just in case something has changed, I will
>> > set up a new Debian 9 VM tommorrow, install the distro Samba
>> > Packages and follow the Samba wiki page.
>> >
>> > Can you confirm that you are using Samba from Debian 9.
>> > You seem to be using '/server' as the shared directory, is this
>> > correct ?
>> > What Windows version are you using ? (I know you may have already
>> > said, but it saves me looking it up)
>> >
>> > Rowland
>> >
>>
>> OK, it (as I expected) works, I will clean up my notes and send the OP
>> a copy.
>>
>> Rowland
Sorry to be a pain on this, but something just refuses to work
as I would expect. I've tried the following:
1) remove the share definition from smb.conf
2) Restart smbd
3) Remove (delete) the share directory from Linux
4) Check "Computer Management" on windows - Share is Gone
5) mkdir -p /server/share-files
6) chown root:"Domain Admins" /server/share-files
7) chmod 0770 /server/share-files
8) getfacl /server/share-files
-> permissions match 0770
8) Restore (un-comment) share definition in smb.conf
-> [share-files]
-> path = /server/share-files
-> read only = no
9) smbcontrol all reload-config
10) restart smbd
11) Go into "Computer Management" on windows & get to
"Shares" on machine253
Here is what I find odd. The "Share permissions" tab lists
one of the groups I previously defined. It is not a windows
"built-in" group. I created it using samba-tool on the AD.
If I removed the share and then recreated it, I would expect
a 'default' listing of groups. Instead I seem to be getting a
previous "historical" group listing if I reuse the same
share names or directory names.
Two more things:
After all of this clicking and changing, I do not get the
'+' on the directory permissions. It still reads as a
basic 0770. It seems having this in the share is critical
to normal behavior. At least once that appeared on my
other server - those shares started exhibiting normal
behavior.
Second, I've discovered that if I add the "Everyone" group
to the "Share Permissions" then suddenly I can modify
the Security tab. If I remove the "Everyone group" then
it eventually reverts to giving me the following error:
"You must have Read permissions to view the properties
of this object" where the object in question
is "\\Machine253\share.
Nothing is appearing in the log.smbd file after the last
"daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to
serve connections "
Thoughts?
More information about the samba
mailing list