[Samba] Computer Management - Share Security - No Read Access

Rowland Penny rpenny at samba.org
Thu Feb 21 16:30:27 UTC 2019 

On Thu, 21 Feb 2019 11:12:05 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:

> 
> On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
> > On Thu, 21 Feb 2019 10:39:47 -0500
> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> > 
> >> 
> >> On 2019-02-20 7:12 am, Rowland Penny wrote:
> >> > On Wed, 20 Feb 2019 11:02:55 +0000
> >> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >> >
> >> >> On Tue, 19 Feb 2019 22:05:12 +0000
> >> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
> >> >>
> >> >> > OK, it is late here, but just in case something has changed, I
> >> >> > will set up a new Debian 9 VM tommorrow, install the distro
> >> >> > Samba Packages and follow the Samba wiki page.
> >> >> >
> >> >> > Can you confirm that you are using Samba from Debian 9.
> >> >> > You seem to be using '/server' as the shared directory, is
> >> >> > this correct ?
> >> >> > What Windows version are you using ? (I know you may have
> >> >> > already said, but it saves me looking it up)
> >> >> >
> >> >> > Rowland
> >> >> >
> >> >>
> >> >> OK, it (as I expected) works, I will clean up my notes and send
> >> >> the OP a copy.
> >> >>
> >> >> Rowland
> >> 
> >> Sorry to be a pain on this, but something just refuses to work
> >> as I would expect.  I've tried the following:
> >> 
> >> 1) remove the share definition from smb.conf
> >> 2) Restart smbd
> >> 3) Remove (delete) the share directory from Linux
> >> 4) Check "Computer Management" on windows - Share is Gone
> >> 5) mkdir -p /server/share-files
> >> 6) chown root:"Domain Admins" /server/share-files
> >> 7) chmod 0770 /server/share-files
> >> 8) getfacl /server/share-files
> >>     -> permissions match 0770
> >> 8) Restore (un-comment) share definition in smb.conf
> >>     -> [share-files]
> >>     ->     path = /server/share-files
> >>     ->     read only = no
> >> 9) smbcontrol all reload-config
> >> 10) restart smbd
> > 
> > If you do '9', you don't need to do '10'
> 
> Expect both would achieve same.  Figured it wouldn't hurt.

Well yes, it doesn't hurt, you just don't need to do both ;-)

> 
> > 
> >> 11) Go into "Computer Management" on windows & get to
> >>      "Shares" on machine253
> >> 
> >> Here is what I find odd.  The "Share permissions" tab lists
> >> one of the groups I previously defined.  It is not a windows
> >> "built-in" group.  I created it using samba-tool on the AD.
> > 
> > Ignore the 'shares' tab, just use the 'security' tab, for which a
> > better name would be 'NTFS permissions'
> > 
> >> 
> >> If I removed the share and then recreated it, I would expect
> >> a 'default' listing of groups.  Instead I seem to be getting a
> >> previous "historical" group listing if I reuse the same
> >> share names or directory names.
> >> 
> >> Two more things:
> >> 
> >> After all of this clicking and changing, I do not get the
> >> '+' on the directory permissions.  It still reads as a
> >> basic 0770.  It seems having this in the share is critical
> >> to normal behavior.  At least once that appeared on my
> >> other server - those shares started exhibiting normal
> >> behavior.
> >> 
> >> Second, I've discovered that if I add the "Everyone" group
> >> to the "Share Permissions" then suddenly I can modify
> >> the Security tab.  If I remove the "Everyone group" then
> >> it eventually reverts to giving me the following error:
> > 
> > As I said above, ignore the 'Share' tab, leave 'Everyone' there.
> > I go now to update the wiki page (again).

I have updated the wiki page.

> 
> Just discovered that although I can access "Security" (ie NTFS 
> Permissions)
> I get "Failed to enumerate objects in the containet. Access is denied"
> when I attempt to apply the changes.
> 

If you followed document I sent you, it should work, but it looks like
you are not following it fully, I never mentioned the 'Share
Permissions' tab.

Rowland

More information about the samba mailing list