[Samba] cannot set filesystem permissions on shares
L.P.H. van Belle
belle at bazuin.nl
Thu Jul 4 14:50:43 UTC 2019
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Rowland penny via samba
> Verzonden: donderdag 4 juli 2019 16:38
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] cannot set filesystem permissions on shares
>
> On 04/07/2019 15:28, L.P.H. van Belle via samba wrote:
> >
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> >> Rowland penny via samba
> >> Verzonden: donderdag 4 juli 2019 16:05
> > ....
> >> Here it is in big letters:
> >>
> >> DO NOT TOUCH THE 'SHARE' TAB ON WINDOWS, THERE IS NO NEED!
> > That all depends on the setup and if you know that your
> doing, there is no problem with changing the share rights at all.
> > And since most people dont like, that these shares are
> setup with everyone/full controle and on the wiki it shows:
> > "domain users" Read
> > "domain admins" Full
> >
> > Its a bit off to say dont touch the share tab...
> > Now if the wiki is right, and if you follow it it works,
> then yes, i totaly agree, but today its not.
> >
> > By Default this is Everyone/Full (is/was, I dont know
> current stat of latest windows) i should check,
> > but i just killed my building server. :-( aarrgg..
> > Only bionic i386 was todo, so i need to fix that first now.
> >
> > And with the bug(s) in samba, that groups and (nested
> groups) are not well read through winbind, ( i believe fixed
> now ), that is/was a problem.
> > Which still might be in 4.9.5 on Debian buster. Thats why
> i asked him to try this.
> >
> > We know its normaly really not needed to change the share
> rights, thats correct but,
> > again, it depends on what you want to use and how.
> >
> > Ps. @Rowland, Those caps are really not needed.. ;-)
> >
> > Ps2 in general, a good read :
> https://blog.netwrix.com/2018/05/03/differences-between-share-
> and-ntfs-permissions/
> > That might help people understanding the difference.
> >
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> The thing is that it seems that every time this problem comes up, it
> comes down to 'everyone' being removed from the 'share' tab.
> Now I never
> have this problem, but then I never touch the 'share' tab.
>
> From what you saying, if you remove 'everyone' from the
> share tab, you
> must replace it with 'domain user', so why bother ?
>
> Rowland
>
> why bother ?
If it hits security i alway think about it. because im obligated todo so. ( due my job )
And .. well, that depends also, some might want to use "authenticated user" and not "domain users" and/or not Everyone for example.
I can't just say, "Everyone/FullControl" is fine, no, it really depends on what the standards of the user/company are.
Yes, its fine to start with, so you know what your doing and start learning the 2 acls. (share/security)
> From what you saying, if you remove 'everyone' from the share tab, you must replace it with 'domain user', so why bother ?
No, what i did say to Pisch, was, remove "dom admins and dom user" and add everyone back.
Because i think that "older bug" is the problem here.
And thats simpley found by useing on the share Everyone/FULL Cont.
Greetz,
Louis
More information about the samba
mailing list