[Samba] Computer Management - Share Security - No Read Access

Marco Shmerykowsky marco at sce-engineers.com
Thu Feb 21 17:26:48 UTC 2019



On 2019-02-21 12:11 pm, Marco Shmerykowsky via samba wrote:
> On 2019-02-21 11:30 am, Rowland Penny via samba wrote:
>> On Thu, 21 Feb 2019 11:12:05 -0500
>> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>> 
>>> 
>>> On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
>>> > On Thu, 21 Feb 2019 10:39:47 -0500
>>> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>>> >
>>> >>
>>> >> On 2019-02-20 7:12 am, Rowland Penny wrote:
>>> >> > On Wed, 20 Feb 2019 11:02:55 +0000
>>> >> > Rowland Penny via samba <samba at lists.samba.org> wrote:
>>> >> >
>>> >> >> On Tue, 19 Feb 2019 22:05:12 +0000
>>> >> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>> >> >>
>>> >> >> > OK, it is late here, but just in case something has changed, I
>>> >> >> > will set up a new Debian 9 VM tomorrow, install the distro
>>> >> >> > Samba Packages and follow the Samba wiki page.
>>> >> >> >
>>> >> >> > Can you confirm that you are using Samba from Debian 9.
>>> >> >> > You seem to be using '/server' as the shared directory, is
>>> >> >> > this correct ?
>>> >> >> > What Windows version are you using ? (I know you may have
>>> >> >> > already said, but it saves me looking it up)
>>> >> >> >
>>> >> >> > Rowland
>>> >> >> >
>>> >> >>
>>> >> >> OK, it (as I expected) works, I will clean up my notes and send
>>> >> >> the OP a copy.
>>> >> >>
>>> >> >> Rowland
>>> >>
>>> >> Sorry to be a pain on this, but something just refuses to work
>>> >> as I would expect.  I've tried the following:
>>> >>
>>> >> 1) remove the share definition from smb.conf
>>> >> 2) Restart smbd
>>> >> 3) Remove (delete) the share directory from Linux
>>> >> 4) Check "Computer Management" on windows - Share is Gone
>>> >> 5) mkdir -p /server/share-files
>>> >> 6) chown root:"Domain Admins" /server/share-files
>>> >> 7) chmod 0770 /server/share-files
>>> >> 8) getfacl /server/share-files
>>> >>     -> permissions match 0770
>>> >> 8) Restore (un-comment) share definition in smb.conf
>>> >>     -> [share-files]
>>> >>     ->     path = /server/share-files
>>> >>     ->     read only = no
>>> >> 9) smbcontrol all reload-config
>>> >> 10) restart smbd
>>> >
>>> > If you do '9', you don't need to do '10'
>>> 
>>> Expect both would achieve same.  Figured it wouldn't hurt.
>> 
>> Well yes, it doesn't hurt, you just don't need to do both ;-)
>> 
>>> 
>>> >
>>> >> 11) Go into "Computer Management" on windows & get to
>>> >>      "Shares" on machine253
>>> >>
>>> >> Here is what I find odd.  The "Share permissions" tab lists
>>> >> one of the groups I previously defined.  It is not a windows
>>> >> "built-in" group.  I created it using samba-tool on the AD.
>>> >
>>> > Ignore the 'shares' tab, just use the 'security' tab, for which a
>>> > better name would be 'NTFS permissions'
>>> >
>>> >>
>>> >> If I removed the share and then recreated it, I would expect
>>> >> a 'default' listing of groups.  Instead I seem to be getting a
>>> >> previous "historical" group listing if I reuse the same
>>> >> share names or directory names.
>>> >>
>>> >> Two more things:
>>> >>
>>> >> After all of this clicking and changing, I do not get the
>>> >> '+' on the directory permissions.  It still reads as a
>>> >> basic 0770.  It seems having this in the share is critical
>>> >> to normal behavior.  At least once that appeared on my
>>> >> other server - those shares started exhibiting normal
>>> >> behavior.
>>> >>
>>> >> Second, I've discovered that if I add the "Everyone" group
>>> >> to the "Share Permissions" then suddenly I can modify
>>> >> the Security tab.  If I remove the "Everyone group" then
>>> >> it eventually reverts to giving me the following error:
>>> >
>>> > As I said above, ignore the 'Share' tab, leave 'Everyone' there.
>>> > I go now to update the wiki page (again).
>> 
>> I have updated the wiki page.
>> 
>>> 
>>> Just discovered that although I can access "Security" (ie NTFS
>>> Permissions)
>>> I get "Failed to enumerate objects in the container. Access is
>>> denied"
>>> when I attempt to apply the changes.
>>> 
>> 
>> If you followed the document I sent you, it should work, but it looks like
>> you are not following it fully, I never mentioned the 'Share
>> Permissions' tab.
> 
> The "Share Permissions" was on the wiki.
> 
> With respect to your document, I'm following it to the letter.
> Can't see anything I missed:
> 
> root@sce253:/# service smbd stop
> root@sce253:/# rmdir /server/share-files
> root@sce253:/# rmdir /server/users
> root@sce253:/# cd ..
> root@sce253:/# rmdir server
> root@sce253:/# mkdir -p /server/share-files
> root@sce253:/# mkdir -p /server/users
> root@sce253:/# chown root:"Domain Admins" /server/share-files
> root@sce253:/# chown root:"Domain Admins" /server/users
> root@sce253:/# chmod 0770 /server/share-files
> root@sce253:/# chmod 0770 /server/users
> root@sce253:/# ls -l /server
> total 8
> drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 share-files
> drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 users
> root@sce253:/# getfacl /server/share-files
> getfacl: Removing leading '/' from absolute path names
> # file: server/share-files
> # owner: root
> # group: domain\040admins
> user::rwx
> group::rwx
> other::---
> 
> root@sce253:/# getfacl /server/users
> getfacl: Removing leading '/' from absolute path names
> # file: server/users
> # owner: root
> # group: domain\040admins
> user::rwx
> group::rwx
> other::---
> 
> root@sce253:/# service smbd start
> 
> ** Computer Management -> Connect to other computer
> ** Click thru connection warning
> ** Open Shared Folders
> ** right click "shared-files" & select properties
> ** Select Security Tab
> ** Hit 'ADD' and find and add 'programs' group. (Completes)
> ** Grant Full Control
> ** Hit OK
> ** Click "Yes" to remotely reset permissions
> 
> ******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED
> 
> Can't see where I could be deviating

Tried to set the acl's manually.  So I get this:

root@sce253:/# getfacl /server/users
getfacl: Removing leading '/' from absolute path names
# file: server/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:mask::rwx
default:other::---

Go thru Computer Management -> Still access denied.
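
An added example, not part of the original message: a small parser for the getfacl output posted above that decodes the \040 escapes, reports whether the directory carries an extended ACL (the '+' in ls), and lists entries whose default (inherited) permissions differ from the directory's own. SAMPLE is constructed from the /server/users listing in the message; the function names are illustrative.

```python
import re

# Constructed sample: the getfacl listing for /server/users from the message above.
SAMPLE = r"""# file: server/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:mask::rwx
default:other::---
"""

def unescape(name):
    # getfacl writes special characters in names as \ooo octal escapes (\040 = space).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (header, access, default); ACL dicts map (tag, qualifier) -> perms."""
    header, access, default = {}, {}, {}
    for raw in text.splitlines():
        if raw.startswith("# ") and ": " in raw:         # "# owner: root" header lines
            key, value = raw[2:].split(": ", 1)
            header[key] = unescape(value)
            continue
        parts = raw.split("#", 1)[0].strip().split(":")  # drop "#effective:" notes
        if parts[0] == "default":
            target, parts = default, parts[1:]
        else:
            target = access
        if len(parts) == 3:                              # tag:qualifier:perms only
            target[(parts[0], unescape(parts[1]))] = parts[2]
    return header, access, default

def has_extended_acl(access, default):
    # ls prints '+' when there is more than user/group/other, or any default ACL.
    return len(access) > 3 or bool(default)

def inheritance_gaps(access, default):
    """Entries whose default (inherited) perms differ from the directory's own."""
    return {k: (access[k], default[k]) for k in access
            if k in default and access[k] != default[k]}

if __name__ == "__main__":
    hdr, acc, dfl = parse_getfacl(SAMPLE)
    print(hdr["group"], has_extended_acl(acc, dfl), inheritance_gaps(acc, dfl))
```

For the listing above this flags both group entries: the directory itself grants rwx, while new files and subdirectories would inherit r-x.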


