[Samba] Computer Management - Share Security - No Read Access

Marco Shmerykowsky marco at sce-engineers.com
Thu Feb 21 17:11:55 UTC 2019


On 2019-02-21 11:30 am, Rowland Penny via samba wrote:
> On Thu, 21 Feb 2019 11:12:05 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> 
>> 
>> On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
>> > On Thu, 21 Feb 2019 10:39:47 -0500
>> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>> >
>> >>
>> >> On 2019-02-20 7:12 am, Rowland Penny wrote:
>> >> > On Wed, 20 Feb 2019 11:02:55 +0000
>> >> > Rowland Penny via samba <samba at lists.samba.org> wrote:
>> >> >
>> >> >> On Tue, 19 Feb 2019 22:05:12 +0000
>> >> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
>> >> >>
>> >> >> > OK, it is late here, but just in case something has changed, I
>> >> >> > will set up a new Debian 9 VM tomorrow, install the distro
>> >> >> > Samba Packages and follow the Samba wiki page.
>> >> >> >
>> >> >> > Can you confirm that you are using Samba from Debian 9.
>> >> >> > You seem to be using '/server' as the shared directory, is
>> >> >> > this correct ?
>> >> >> > What Windows version are you using ? (I know you may have
>> >> >> > already said, but it saves me looking it up)
>> >> >> >
>> >> >> > Rowland
>> >> >> >
>> >> >>
>> >> >> OK, it (as I expected) works, I will clean up my notes and send
>> >> >> the OP a copy.
>> >> >>
>> >> >> Rowland
>> >>
>> >> Sorry to be a pain on this, but something just refuses to work
>> >> as I would expect.  I've tried the following:
>> >>
>> >> 1) remove the share definition from smb.conf
>> >> 2) Restart smbd
>> >> 3) Remove (delete) the share directory from Linux
>> >> 4) Check "Computer Management" on windows - Share is Gone
>> >> 5) mkdir -p /server/share-files
>> >> 6) chown root:"Domain Admins" /server/share-files
>> >> 7) chmod 0770 /server/share-files
>> >> 8) getfacl /server/share-files
>> >>     -> permissions match 0770
>> >> 8) Restore (un-comment) share definition in smb.conf
>> >>     -> [share-files]
>> >>     ->     path = /server/share-files
>> >>     ->     read only = no
>> >> 9) smbcontrol all reload-config
>> >> 10) restart smbd
>> >
>> > If you do '9', you don't need to do '10'
>> 
>> Expect both would achieve same.  Figured it wouldn't hurt.
> 
> Well yes, it doesn't hurt, you just don't need to do both ;-)
> 
>> 
>> >
>> >> 11) Go into "Computer Management" on windows & get to
>> >>      "Shares" on machine253
>> >>
>> >> Here is what I find odd.  The "Share permissions" tab lists
>> >> one of the groups I previously defined.  It is not a windows
>> >> "built-in" group.  I created it using samba-tool on the AD.
>> >
>> > Ignore the 'shares' tab, just use the 'security' tab, for which a
>> > better name would be 'NTFS permissions'
>> >
>> >>
>> >> If I removed the share and then recreated it, I would expect
>> >> a 'default' listing of groups.  Instead I seem to be getting a
>> >> previous "historical" group listing if I reuse the same
>> >> share names or directory names.
>> >>
>> >> Two more things:
>> >>
>> >> After all of this clicking and changing, I do not get the
>> >> '+' on the directory permissions.  It still reads as a
>> >> basic 0770.  It seems having this in the share is critical
>> >> to normal behavior.  At least once that appeared on my
>> >> other server - those shares started exhibiting normal
>> >> behavior.
>> >>
>> >> Second, I've discovered that if I add the "Everyone" group
>> >> to the "Share Permissions" then suddenly I can modify
>> >> the Security tab.  If I remove the "Everyone group" then
>> >> it eventually reverts to giving me the following error:
>> >
>> > As I said above, ignore the 'Share' tab, leave 'Everyone' there.
>> > I go now to update the wiki page (again).
> 
> I have updated the wiki page.
> 
>> 
>> Just discovered that although I can access "Security" (ie NTFS
>> Permissions)
>> I get "Failed to enumerate objects in the container. Access is denied"
>> when I attempt to apply the changes.
>> 
> 
> If you followed the document I sent you, it should work, but it looks like
> you are not following it fully, I never mentioned the 'Share
> Permissions' tab.

The "Share Permissions" was on the wiki.

With respect to your document, I'm following it to the letter.
Can't see anything I missed:

root at sce253:/# service smbd stop
root at sce253:/# rmdir /server/share-files
root at sce253:/# rmdir /server/users
root at sce253:/# cd ..
root at sce253:/# rmdir server
root at sce253:/# mkdir -p /server/share-files
root at sce253:/# mkdir -p /server/users
root at sce253:/# chown root:"Domain Admins" /server/share-files
root at sce253:/# chown root:"Domain Admins" /server/users
root at sce253:/# chmod 0770 /server/share-files
root at sce253:/# chmod 0770 /server/users
root at sce253:/# ls -l /server
total 8
drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 share-files
drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 users
root at sce253:/# getfacl /server/share-files
getfacl: Removing leading '/' from absolute path names
# file: server/share-files
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

root at sce253:/# getfacl /server/users
getfacl: Removing leading '/' from absolute path names
# file: server/users
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

root at sce253:/# service smbd start

** Computer Management -> Connect to other computer
** Click thru connection warning
** Open Shared Folders
** right click "shared-files" & select properties
** Select Security Tab
** Hit 'ADD' and find and add 'programs' group. (Completes)
** Grant Full Control
** Hit OK
** Click "Yes" to remotely reset permissions

******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED

Can't see where I could be deviating
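
Added example, not part of the original message: a check for the state described above, where the directory still reads as a basic 0770 with no '+'. It classifies `getfacl` output as minimal (mode bits only) or extended; the function names and the second sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): classify getfacl output.

# Constructed sample 1: copy of the getfacl output shown in the message above.
SAMPLE_BASIC='# file: server/share-files
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---'

# Constructed sample 2: hypothetical output once a named group entry is stored.
SAMPLE_EXTENDED='# file: server/share-files
# owner: root
# group: domain\040admins
user::rwx
group::rwx
group:programs:rwx
mask::rwx
other::---
default:group:programs:rwx'

# acl_kind: read getfacl text on stdin, print "minimal" or "extended".
acl_kind() {
    awk '
        /^#/ || /^[ \t]*$/ { next }   # skip header comments and blank lines
        {
            split($0, f, ":")
            # Base entries are user::, group::, other:: (empty qualifier).
            # A qualifier, a mask entry or a default: entry means extended.
            if (f[1] == "default" || f[1] == "mask" || f[2] != "") ext = 1
        }
        END { print (ext ? "extended" : "minimal") }
    '
}

# acl_owner_group: print the owning group, decoding the \040 escape for a space.
acl_owner_group() {
    sed -n 's/^# group: //p' | sed 's/\\040/ /g'
}

printf '%s\n' "$SAMPLE_BASIC"    | acl_kind          # minimal
printf '%s\n' "$SAMPLE_EXTENDED" | acl_kind          # extended
printf '%s\n' "$SAMPLE_BASIC"    | acl_owner_group   # domain admins
```

On the server, real output can be piped in with `getfacl /server/share-files 2>/dev/null | acl_kind`.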


