[Samba] Share will Domain Users Full Control permissions, not accessible by domain user
Rowland Penny
rpenny at samba.org
Thu Feb 21 19:28:38 UTC 2019
On Thu, 21 Feb 2019 10:49:49 -0800
Mason Schmitt <mason at ftlcomputing.com> wrote:
> Hi Rowland,
>
> > template homedir = /home/%U@%D
> >
> > Nothing to do with your problem, but is the above line a typo ?
> > I would have expected the '@' to be a '/', in which case it is the
> > default, so you can remove the line.
> >
>
> It wasn't a typo, I think it was auto-generated by something during my
> setup of this host. It would probably be better to use '/home/%D/%U'
>
>
> > *# POSIX filesystem details (set using chown and chmod)*
> > >
> > > /srv/samba/users/
> > > drwxrwx---+ 2 root FTLC\domain admins.
> > >
> > > /srv/samba/shares/Operations/
> > > drwxrwx---. 2 root FTLC\domain admins
> > >
> >
> > Here we come to what I think is your problem ;-)
> > If you examine the first set of permissions, they end with a '+',
> > this means that there are extended ACL's set.
> > The second set of permissions ends with a dot '.' and is something I
> > haven't seen before, so a quick google later and I can tell you that
> > you have selinux running, does that give you any hints ;-)
> >
>
> My problem isn't with selinux, because selinux is in permissive mode,
> not enforcing mode.
>
> I actually managed to solve my problem, minutes after I sent this
> email to the list, but the solution does present me with further
> questions. I ended up changing the ownership of
> the /srv/samba/shares/Operations folder from 'root:FTLC\domain
> admins' to 'root:FTLC\domain users'. I didn't change the
> permissions, they are still 770.
>
> I had thought that it made sense for 'root:FTLC\domain admins' to own
> the /srv/samba/shares/Operations directory, because only that user
> and group should have the ability to change share permissions.
> However, given that the change of ownership to the FTLC\domain users'
> group resolved the issue, I can see that my assumption was
> incorrect. Therefore, am I correct in assuming that ownership of a
> given share directory needs to always be the lowest common
> denominator - ie 'FTLC\domain users'? What are the security
> implications of this?
>
> I'm still pretty foggy on the relationship between POSIX ownership and
> permissions, and Windows ACLs. Is there a good resource that might
> help to clear this fog? Or perhaps a better question might be, what
> isthe recommended POSIX permissions and ownership for a share that is
> going to use Windows ACLs and be managed, using RSAT tools, by a
> Domain Admin?
>
> Thanks,
> Mason
Lets make the fog even thicker, when you set the permissions from
Windows (which is the best option), they don't get stored where you
think they do ;-)
You can read the Unix permissions with 'ls' and you can read what I
call posix acl's with 'getfacl', but to read the permissions set from
Windows, you need to use getfattr. The NTFS ACL's are stored in in a
file security.NTACL, this is a an Extended Attribute. This is used
with the Unix permissions to set the ACL's you get with getfacl.
This is probably as clear as mud, but it is a very complicated, try
reading this:
https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/ace-strings
Also reading 'man vfs_acl_xattr' might help
Rowland
More information about the samba
mailing list