[Samba] Computer Management - Share Security - No Read Access

Rowland Penny rpenny at samba.org
Thu Feb 21 15:57:19 UTC 2019 

On Thu, 21 Feb 2019 10:39:47 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:

> 
> On 2019-02-20 7:12 am, Rowland Penny wrote:
> > On Wed, 20 Feb 2019 11:02:55 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> > 
> >> On Tue, 19 Feb 2019 22:05:12 +0000
> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
> >> 
> >> > OK, it is late here, but just in case something has changed, I
> >> > will set up a new Debian 9 VM tommorrow, install the distro Samba
> >> > Packages and follow the Samba wiki page.
> >> >
> >> > Can you confirm that you are using Samba from Debian 9.
> >> > You seem to be using '/server' as the shared directory, is this
> >> > correct ?
> >> > What Windows version are you using ? (I know you may have already
> >> > said, but it saves me looking it up)
> >> >
> >> > Rowland
> >> >
> >> 
> >> OK, it (as I expected) works, I will clean up my notes and send
> >> the OP a copy.
> >> 
> >> Rowland
> 
> Sorry to be a pain on this, but something just refuses to work
> as I would expect.  I've tried the following:
> 
> 1) remove the share definition from smb.conf
> 2) Restart smbd
> 3) Remove (delete) the share directory from Linux
> 4) Check "Computer Management" on windows - Share is Gone
> 5) mkdir -p /server/share-files
> 6) chown root:"Domain Admins" /server/share-files
> 7) chmod 0770 /server/share-files
> 8) getfacl /server/share-files
>     -> permissions match 0770
> 8) Restore (un-comment) share definition in smb.conf
>     -> [share-files]
>     ->     path = /server/share-files
>     ->     read only = no
> 9) smbcontrol all reload-config
> 10) restart smbd

If you do '9', you don't need to do '10'


> 11) Go into "Computer Management" on windows & get to
>      "Shares" on machine253
> 
> Here is what I find odd.  The "Share permissions" tab lists
> one of the groups I previously defined.  It is not a windows
> "built-in" group.  I created it using samba-tool on the AD.

Ignore the 'shares' tab, just use the 'security' tab, for which a
better name would be 'NTFS permissions'

> 
> If I removed the share and then recreated it, I would expect
> a 'default' listing of groups.  Instead I seem to be getting a
> previous "historical" group listing if I reuse the same
> share names or directory names.
> 
> Two more things:
> 
> After all of this clicking and changing, I do not get the
> '+' on the directory permissions.  It still reads as a
> basic 0770.  It seems having this in the share is critical
> to normal behavior.  At least once that appeared on my
> other server - those shares started exhibiting normal
> behavior.
> 
> Second, I've discovered that if I add the "Everyone" group
> to the "Share Permissions" then suddenly I can modify
> the Security tab.  If I remove the "Everyone group" then
> it eventually reverts to giving me the following error:

As I said above, ignore the 'Share' tab, leave 'Everyone' there.
I go now to update the wiki page (again).

Rowland

More information about the samba mailing list