[Samba] Samba winbind on centos 7 - "domain users" acls added

Edouard Guigné eguigne at pasteur-cayenne.fr
Mon Jun 24 12:49:37 UTC 2019


Hello,

All is working fine now, even the connection via "Computer Management".
I could set permissions with it. I removed all access for the "everybody" 
group on my share, and added access for "Domain admins" and "Domain users"...

One last thing that I notice is that anonymous connections are possible 
(without login/password, with a "net use S: \\mysambaserver\myshare").
But then nothing is possible, of course, because no permissions for 
"everybody" are set on the share.

How do I disable anonymous connections? I would only enable share access 
for users with a user login / password.

Edouard


On 21/06/2019 at 13:46, Rowland penny via samba wrote:
> On 21/06/2019 17:41, Edouard Guigné via samba wrote:
>> Hello,
>>
>> My 2nd issue is about ACLs which are added by "Domain users".
>> Could you help me solve it again?
>>
>> Concerning this issue, on my Samba share, I set permissions for the 
>> share "groups" located on /var/datashared for "domain admins" (rwx) 
>> and "domain users" (r-x):
>> /var]# getfacl datashared/
>> # file: datashared/
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> group:MYDOMAIN\134admins\040du\040domaine:rwx
>> group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:group::r-x
>> default:group:MYDOMAIN\134admins\040du\040domaine:rwx
>> default:mask::rwx
>> default:other::---
>>
>> + # chmod 0770 /var/datashared/
>>
>> As you can see, the ACLs for "Domain users" are not in the default ACLs.
>>
>> I created a TESTIT folder (in /var/datashared); its owner is the 
>> user "MYDOMAIN\mydomainadmin".
>> "mydomainadmin" is part of the "domain admins" group.
>> # getfacl TESTIT/
>> # file: TESTIT/
>> # owner: MYDOMAIN\mydomainadmin
>> # group: MYDOMAIN\134admins\040du\040domaine
>> user::rwx
>> group::r-x
>> group:MYDOMAIN\134admins\040du\040domaine:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:group::r-x
>> default:group:MYDOMAIN\134admins\040du\040domaine:rwx
>> default:mask::rwx
>> default:other::---
>>
>> I connect as mydomainadmin on Windows 7 and start to change the ACLs:
>> I remove "everybody"
>> and
>> I add the group "informatique" with "total control" in the security tab of 
>> TESTIT.
>>
>> On Linux, it shows:
>> # getfacl TESTIT/
>> # file: TESTIT/
>> # owner: MYDOMAIN\mydomainadmin
>> # group: MYDOMAIN\134admins\040du\040domaine
>> user::rwx
>> user:MYDOMAIN\mydomainadmin:rwx
>> group::rwx
>> group:MYDOMAIN\134admins\040du\040domaine:rwx
>> group:MYDOMAIN\134informatique:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:MYDOMAIN\mydomainadmin:rwx
>> default:group::r-x
>> default:group:MYDOMAIN\134admins\040du\040domaine:rwx
>> default:group:MYDOMAIN\134informatique:rwx
>> default:mask::rwx
>> default:other::---
>>
>> Now, I log on in Windows 7 as usertest (primary group is "Domain 
>> users" and is part of the group "informatique").
>> I create a folder TEST in TESTIT.
>> I get these ACLs on the TEST folder:
>> # getfacl TEST/
>> # file: TEST/
>> # owner: MYDOMAIN\usertest
>> # group: MYDOMAIN\134utilisateurs\040du\040domaine
>> user::rwx
>> user:MYDOMAIN\usertest:rwx
>> group::r-x
>> group:MYDOMAIN\134admins\040du\040domaine:rwx
>> group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
>> group:MYDOMAIN\134informatique:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:MYDOMAIN\usertest:rwx
>> default:group::r-x
>> default:group:MYDOMAIN\134admins\040du\040domaine:rwx
>> default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
>> default:group:MYDOMAIN\134informatique:rwx
>> default:mask::rwx
>> default:other::---
>>
>> Why are "group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" and 
>> "default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" 
>> added?
>> I was expecting not to get these ACLs concerning "domain users", 
>> because the folder TESTIT has no default "Domain users" ACLs.
>> I don't want them...
>> Is there a way to change this behaviour?
>>
>> Edouard
>
> Are you following this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
>
>
>
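An added diagnostic, not part of this thread or of Samba, that reads the two getfacl listings quoted above (TESTIT after the Windows-side edit, and the TEST folder usertest created inside it) and lists the named entries on TEST that the parent's default ACL did not supply. The function names are mine; in these listings every such entry names the creating user (usertest) or that user's primary group ("Domain users"), which is exactly where the unexpected "Domain users" entries sit.

```python
import re

# getfacl prints unsafe bytes as octal escapes: \134 is a backslash, \040 a space.
def unescape(name):
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

# Parse one getfacl listing into (owner, group, {(is_default, tag, qualifier): perms}).
def parse_getfacl(text):
    owner = group = None
    entries = {}
    for line in text.strip().splitlines():
        if line.startswith("# owner:"):
            owner = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            group = unescape(line.split(":", 1)[1].strip())
        elif line and not line.startswith("#"):
            is_default = line.startswith("default:")
            tag, qualifier, perms = (line[8:] if is_default else line).rsplit(":", 2)
            entries[(is_default, tag, unescape(qualifier))] = perms
    return owner, group, entries

# Named entries on the child that the parent's default ACL did not supply. The last
# field records whether the entry just names the child's owner or owning group.
def not_inherited(parent_text, child_text):
    _, _, parent = parse_getfacl(parent_text)
    owner, group, child = parse_getfacl(child_text)
    inherited = {(tag, q) for (is_default, tag, q) in parent if is_default}
    found = []
    for (is_default, tag, qualifier), perms in child.items():
        if qualifier and (tag, qualifier) not in inherited:
            by_ownership = (tag, qualifier) in {("user", owner), ("group", group)}
            found.append((("default:" if is_default else "") + tag, qualifier, perms, by_ownership))
    return sorted(found)

# Listings quoted in the thread (TESTIT after the Windows-side edit, and the TEST folder
# that usertest created inside it), trimmed to the named entries.
TESTIT_ACL = r"""# owner: MYDOMAIN\mydomainadmin
# group: MYDOMAIN\134admins\040du\040domaine
default:user:MYDOMAIN\mydomainadmin:rwx
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134informatique:rwx"""
TEST_ACL = r"""# owner: MYDOMAIN\usertest
# group: MYDOMAIN\134utilisateurs\040du\040domaine
user:MYDOMAIN\usertest:rwx
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
group:MYDOMAIN\134informatique:rwx
default:user:MYDOMAIN\usertest:rwx
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
default:group:MYDOMAIN\134informatique:rwx"""
```

Running `not_inherited(TESTIT_ACL, TEST_ACL)` returns only the usertest and "utilisateurs du domaine" entries, each flagged as matching the owner or owning group; the "admins" and "informatique" entries are accounted for by TESTIT's default ACL.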
