[Samba] cannot set filesystem permissions on shares

L.P.H. van Belle belle at bazuin.nl
Thu Jul 4 14:50:43 UTC 2019


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Thursday 4 July 2019 16:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] cannot set filesystem permissions on shares
> 
> On 04/07/2019 15:28, L.P.H. van Belle via samba wrote:
> >   
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> >> Sent: Thursday 4 July 2019 16:05
> > ....
> >> Here it is in big letters:
> >>
> >> DO NOT TOUCH THE 'SHARE' TAB ON WINDOWS, THERE IS NO NEED!
> > That all depends on the setup, and if you know what you're doing, there is no problem with changing the share rights at all.
> > And since most people don't like that these shares are set up with everyone/full control, and on the wiki it shows:
> > "domain users" Read
> > "domain admins" Full
> >
> > It's a bit off to say don't touch the share tab...
> > Now if the wiki is right, and if you follow it it works, then yes, I totally agree, but today it's not.
> >
> > By default this is Everyone/Full (is/was, I don't know the current state of the latest Windows), I should check,
> > but I just killed my building server. :-( aarrgg..
> > Only bionic i386 was to do, so I need to fix that first now.
> >
> > And with the bug(s) in samba, that groups and (nested groups) are not well read through winbind (I believe fixed now), that is/was a problem.
> > Which still might be in 4.9.5 on Debian buster. That's why I asked him to try this.
> >
> > We know it's normally really not needed to change the share rights, that's correct, but
> > again, it depends on what you want to use and how.
> >
> > Ps. @Rowland, Those caps are really not needed..  ;-)
> >
> > Ps2 in general, a good read: https://blog.netwrix.com/2018/05/03/differences-between-share-and-ntfs-permissions/
> > That might help people understand the difference.
> >
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> The thing is that it seems that every time this problem comes up, it comes down to 'everyone' being removed from the 'share' tab. Now I never have this problem, but then I never touch the 'share' tab.
>
> From what you're saying, if you remove 'everyone' from the share tab, you must replace it with 'domain user', so why bother?
> 
> Rowland
> 

> why bother ?
If it hits security I always think about it, because I'm obligated to do so (due to my job).

And, well, that depends also; some might want to use "authenticated user" and not "domain users" and/or not Everyone, for example.
I can't just say "Everyone/FullControl" is fine. No, it really depends on what the standards of the user/company are.
Yes, it's fine to start with, so you know what you're doing and start learning the 2 ACLs (share/security).

> From what you're saying, if you remove 'everyone' from the share tab, you must replace it with 'domain user', so why bother?
No, what I did say to Pisch was: remove "dom admins and dom user" and add everyone back.
Because I think that "older bug" is the problem here.
And that's simply found by using Everyone/FULL Cont. on the share.


Greetz, 

Louis











