[Samba] Computer Management - Share Security - No Read Access

Marco Shmerykowsky marco at sce-engineers.com
Thu Feb 21 15:39:47 UTC 2019


On 2019-02-20 7:12 am, Rowland Penny wrote:
> On Wed, 20 Feb 2019 11:02:55 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
>> On Tue, 19 Feb 2019 22:05:12 +0000
>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>> 
>> > OK, it is late here, but just in case something has changed, I will
>> > set up a new Debian 9 VM tomorrow, install the distro Samba
>> > Packages and follow the Samba wiki page.
>> >
>> > Can you confirm that you are using Samba from Debian 9.
>> > You seem to be using '/server' as the shared directory, is this
>> > correct ?
>> > What Windows version are you using ? (I know you may have already
>> > said, but it saves me looking it up)
>> >
>> > Rowland
>> >
>> 
>> OK, it (as I expected) works, I will clean up my notes and send the OP
>> a copy.
>> 
>> Rowland

Sorry to be a pain on this, but something just refuses to work
as I would expect.  I've tried the following:

1) remove the share definition from smb.conf
2) Restart smbd
3) Remove (delete) the share directory from Linux
4) Check "Computer Management" on Windows - Share is Gone
5) mkdir -p /server/share-files
6) chown root:"Domain Admins" /server/share-files
7) chmod 0770 /server/share-files
8) getfacl /server/share-files
    -> permissions match 0770
8) Restore (un-comment) share definition in smb.conf
    -> [share-files]
    ->     path = /server/share-files
    ->     read only = no
9) smbcontrol all reload-config
10) restart smbd
11) Go into "Computer Management" on Windows & get to
     "Shares" on machine253

Here is what I find odd.  The "Share permissions" tab lists
one of the groups I previously defined.  It is not a Windows
"built-in" group.  I created it using samba-tool on the AD.

If I removed the share and then recreated it, I would expect
a 'default' listing of groups.  Instead I seem to be getting a
previous "historical" group listing if I reuse the same
share names or directory names.

Two more things:

After all of this clicking and changing, I do not get the
'+' on the directory permissions.  It still reads as a
basic 0770.  It seems having this in the share is critical
to normal behavior.  At least once that appeared on my
other server - those shares started exhibiting normal
behavior.

Second, I've discovered that if I add the "Everyone" group
to the "Share Permissions" then suddenly I can modify
the Security tab.  If I remove the "Everyone group" then
it eventually reverts to giving me the following error:

"You must have Read permissions to view the properties
  of this object" where the object in question
is "\\Machine253\share.

Nothing is appearing in the log.smbd file after the last

"daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to 
serve connections "

Thoughts?
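
Added example, not part of the original post: the '+' mentioned above is what `ls -l` shows when a directory carries POSIX ACL entries beyond the three base ones, so the `getfacl` output from step 8 can be classified mechanically. The function name `acl_kind`, the sample outputs and the group name `constructed-group` are constructed for illustration.

```shell
#!/bin/sh
# Classify `getfacl` output read on stdin.
#   basic    - only user::, group::, other:: (plain mode bits, no '+' in ls -l)
#   extended - named entries, a mask, or default: entries are present
#   unknown  - no ACL entries were found in the input at all
acl_kind() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }          # skip header comments, blanks
        { seen = 1 }                               # at least one ACL entry read
        /^default:/              { ext = 1; next } # inheritable (default) entries
        /^mask::/                { ext = 1; next } # mask accompanies extended ACLs
        /^(user|group):[^:]+:/   { ext = 1; next } # named user or group entry
        END {
            if (!seen) print "unknown"
            else print (ext ? "extended" : "basic")
        }
    '
}

# Constructed sample: the directory from the post right after chmod 0770.
sample_basic='# file: server/share-files
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---'

# Constructed sample: the same directory once extra ACL entries exist.
sample_extended='# file: server/share-files
# owner: root
# group: domain\040admins
user::rwx
group::rwx
group:constructed-group:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---'

printf '%s\n' "$sample_basic"    | acl_kind
printf '%s\n' "$sample_extended" | acl_kind
# On a live system: getfacl /server/share-files 2>/dev/null | acl_kind
```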


