[Samba] Computer Management - Share Security - No Read Access
Rowland Penny
rpenny at samba.org
Thu Feb 21 15:57:19 UTC 2019
On Thu, 21 Feb 2019 10:39:47 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>
> On 2019-02-20 7:12 am, Rowland Penny wrote:
> > On Wed, 20 Feb 2019 11:02:55 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On Tue, 19 Feb 2019 22:05:12 +0000
> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
> >>
> >> > OK, it is late here, but just in case something has changed, I
> >> > will set up a new Debian 9 VM tommorrow, install the distro Samba
> >> > Packages and follow the Samba wiki page.
> >> >
> >> > Can you confirm that you are using Samba from Debian 9.
> >> > You seem to be using '/server' as the shared directory, is this
> >> > correct ?
> >> > What Windows version are you using ? (I know you may have already
> >> > said, but it saves me looking it up)
> >> >
> >> > Rowland
> >> >
> >>
> >> OK, it (as I expected) works, I will clean up my notes and send
> >> the OP a copy.
> >>
> >> Rowland
>
> Sorry to be a pain on this, but something just refuses to work
> as I would expect. I've tried the following:
>
> 1) remove the share definition from smb.conf
> 2) Restart smbd
> 3) Remove (delete) the share directory from Linux
> 4) Check "Computer Management" on windows - Share is Gone
> 5) mkdir -p /server/share-files
> 6) chown root:"Domain Admins" /server/share-files
> 7) chmod 0770 /server/share-files
> 8) getfacl /server/share-files
> -> permissions match 0770
> 8) Restore (un-comment) share definition in smb.conf
> -> [share-files]
> -> path = /server/share-files
> -> read only = no
> 9) smbcontrol all reload-config
> 10) restart smbd
If you do '9', you don't need to do '10'
> 11) Go into "Computer Management" on windows & get to
> "Shares" on machine253
>
> Here is what I find odd. The "Share permissions" tab lists
> one of the groups I previously defined. It is not a windows
> "built-in" group. I created it using samba-tool on the AD.
Ignore the 'shares' tab, just use the 'security' tab, for which a
better name would be 'NTFS permissions'
>
> If I removed the share and then recreated it, I would expect
> a 'default' listing of groups. Instead I seem to be getting a
> previous "historical" group listing if I reuse the same
> share names or directory names.
>
> Two more things:
>
> After all of this clicking and changing, I do not get the
> '+' on the directory permissions. It still reads as a
> basic 0770. It seems having this in the share is critical
> to normal behavior. At least once that appeared on my
> other server - those shares started exhibiting normal
> behavior.
>
> Second, I've discovered that if I add the "Everyone" group
> to the "Share Permissions" then suddenly I can modify
> the Security tab. If I remove the "Everyone group" then
> it eventually reverts to giving me the following error:
As I said above, ignore the 'Share' tab, leave 'Everyone' there.
I go now to update the wiki page (again).
Rowland
More information about the samba
mailing list