[Samba] Computer Management - Share Security - No Read Access

Thu Feb 21 16:12:05 UTC 2019

On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
> On Thu, 21 Feb 2019 10:39:47 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> 
>> 
>> On 2019-02-20 7:12 am, Rowland Penny wrote:
>> > On Wed, 20 Feb 2019 11:02:55 +0000
>> > Rowland Penny via samba <samba at lists.samba.org> wrote:
>> >
>> >> On Tue, 19 Feb 2019 22:05:12 +0000
>> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
>> >>
>> >> > OK, it is late here, but just in case something has changed, I
>> >> > will set up a new Debian 9 VM tommorrow, install the distro Samba
>> >> > Packages and follow the Samba wiki page.
>> >> >
>> >> > Can you confirm that you are using Samba from Debian 9.
>> >> > You seem to be using '/server' as the shared directory, is this
>> >> > correct ?
>> >> > What Windows version are you using ? (I know you may have already
>> >> > said, but it saves me looking it up)
>> >> >
>> >> > Rowland
>> >> >
>> >>
>> >> OK, it (as I expected) works, I will clean up my notes and send
>> >> the OP a copy.
>> >>
>> >> Rowland
>> 
>> Sorry to be a pain on this, but something just refuses to work
>> as I would expect.  I've tried the following:
>> 
>> 1) remove the share definition from smb.conf
>> 2) Restart smbd
>> 3) Remove (delete) the share directory from Linux
>> 4) Check "Computer Management" on windows - Share is Gone
>> 5) mkdir -p /server/share-files
>> 6) chown root:"Domain Admins" /server/share-files
>> 7) chmod 0770 /server/share-files
>> 8) getfacl /server/share-files
>>     -> permissions match 0770
>> 8) Restore (un-comment) share definition in smb.conf
>>     -> [share-files]
>>     ->     path = /server/share-files
>>     ->     read only = no
>> 9) smbcontrol all reload-config
>> 10) restart smbd
> 
> If you do '9', you don't need to do '10'

Expect both would achieve same.  Figured it wouldn't hurt.

> 
>> 11) Go into "Computer Management" on windows & get to
>>      "Shares" on machine253
>> 
>> Here is what I find odd.  The "Share permissions" tab lists
>> one of the groups I previously defined.  It is not a windows
>> "built-in" group.  I created it using samba-tool on the AD.
> 
> Ignore the 'shares' tab, just use the 'security' tab, for which a
> better name would be 'NTFS permissions'
> 
>> 
>> If I removed the share and then recreated it, I would expect
>> a 'default' listing of groups.  Instead I seem to be getting a
>> previous "historical" group listing if I reuse the same
>> share names or directory names.
>> 
>> Two more things:
>> 
>> After all of this clicking and changing, I do not get the
>> '+' on the directory permissions.  It still reads as a
>> basic 0770.  It seems having this in the share is critical
>> to normal behavior.  At least once that appeared on my
>> other server - those shares started exhibiting normal
>> behavior.
>> 
>> Second, I've discovered that if I add the "Everyone" group
>> to the "Share Permissions" then suddenly I can modify
>> the Security tab.  If I remove the "Everyone group" then
>> it eventually reverts to giving me the following error:
> 
> As I said above, ignore the 'Share' tab, leave 'Everyone' there.
> I go now to update the wiki page (again).

Just discovered that although I can access "Security" (ie NTFS 
Permissions)
I get "Failed to enumerate objects in the containet. Access is denied"
when I attempt to apply the changes.