[Samba] Computer Management - Share Security - No Read Access
Rowland Penny
rpenny at samba.org
Thu Feb 21 16:30:27 UTC 2019
On Thu, 21 Feb 2019 11:12:05 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>
> On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
> > On Thu, 21 Feb 2019 10:39:47 -0500
> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> >
> >>
> >> On 2019-02-20 7:12 am, Rowland Penny wrote:
> >> > On Wed, 20 Feb 2019 11:02:55 +0000
> >> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >> >
> >> >> On Tue, 19 Feb 2019 22:05:12 +0000
> >> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
> >> >>
> >> >> > OK, it is late here, but just in case something has changed, I
> >> >> > will set up a new Debian 9 VM tommorrow, install the distro
> >> >> > Samba Packages and follow the Samba wiki page.
> >> >> >
> >> >> > Can you confirm that you are using Samba from Debian 9.
> >> >> > You seem to be using '/server' as the shared directory, is
> >> >> > this correct ?
> >> >> > What Windows version are you using ? (I know you may have
> >> >> > already said, but it saves me looking it up)
> >> >> >
> >> >> > Rowland
> >> >> >
> >> >>
> >> >> OK, it (as I expected) works, I will clean up my notes and send
> >> >> the OP a copy.
> >> >>
> >> >> Rowland
> >>
> >> Sorry to be a pain on this, but something just refuses to work
> >> as I would expect. I've tried the following:
> >>
> >> 1) remove the share definition from smb.conf
> >> 2) Restart smbd
> >> 3) Remove (delete) the share directory from Linux
> >> 4) Check "Computer Management" on windows - Share is Gone
> >> 5) mkdir -p /server/share-files
> >> 6) chown root:"Domain Admins" /server/share-files
> >> 7) chmod 0770 /server/share-files
> >> 8) getfacl /server/share-files
> >> -> permissions match 0770
> >> 8) Restore (un-comment) share definition in smb.conf
> >> -> [share-files]
> >> -> path = /server/share-files
> >> -> read only = no
> >> 9) smbcontrol all reload-config
> >> 10) restart smbd
> >
> > If you do '9', you don't need to do '10'
>
> Expect both would achieve same. Figured it wouldn't hurt.
Well yes, it doesn't hurt, you just don't need to do both ;-)
>
> >
> >> 11) Go into "Computer Management" on windows & get to
> >> "Shares" on machine253
> >>
> >> Here is what I find odd. The "Share permissions" tab lists
> >> one of the groups I previously defined. It is not a windows
> >> "built-in" group. I created it using samba-tool on the AD.
> >
> > Ignore the 'shares' tab, just use the 'security' tab, for which a
> > better name would be 'NTFS permissions'
> >
> >>
> >> If I removed the share and then recreated it, I would expect
> >> a 'default' listing of groups. Instead I seem to be getting a
> >> previous "historical" group listing if I reuse the same
> >> share names or directory names.
> >>
> >> Two more things:
> >>
> >> After all of this clicking and changing, I do not get the
> >> '+' on the directory permissions. It still reads as a
> >> basic 0770. It seems having this in the share is critical
> >> to normal behavior. At least once that appeared on my
> >> other server - those shares started exhibiting normal
> >> behavior.
> >>
> >> Second, I've discovered that if I add the "Everyone" group
> >> to the "Share Permissions" then suddenly I can modify
> >> the Security tab. If I remove the "Everyone group" then
> >> it eventually reverts to giving me the following error:
> >
> > As I said above, ignore the 'Share' tab, leave 'Everyone' there.
> > I go now to update the wiki page (again).
I have updated the wiki page.
>
> Just discovered that although I can access "Security" (ie NTFS
> Permissions)
> I get "Failed to enumerate objects in the containet. Access is denied"
> when I attempt to apply the changes.
>
If you followed document I sent you, it should work, but it looks like
you are not following it fully, I never mentioned the 'Share
Permissions' tab.
Rowland
More information about the samba
mailing list