[Samba] Best practice to import folders to Samba?

L.P.H. van Belle belle at bazuin.nl
Thu Jun 3 12:33:56 UTC 2021


 Hai Anders,

> -----Original message-----
> From: Anders Östling [mailto:anders.ostling at gmail.com]
> Sent: Thursday 3 June 2021 14:10
> To: L.P.H. van Belle
> Subject: Re: [Samba] Best practice to import folders to Samba?
> 
> Yes, username mapping is in place and works.
> The 2770 thing made a big difference! Now it looks ok (I think)
> 
> Shared folder level 0 Dokument (G:) - require Domain users read/list
> this folder only. If not, folders on level 1 are not shown so they
> can't be opened by legitimate users
> Shared folder level 1 Ekonomi - Domain users not in the ACL, ACL
> entries for HP_Ekonomi_xx exist and allow ro or rw access
> Files or folders level 2 below Ekonomi - Inherits Domain users read
> from G: (!). Not really a problem because without the hp_ekonomi_xx
> rights, users won't be able to go into subfolders
> 
> Is this how it is meant to be?

That looks good to me, but to be sure.. 

Let's create a new data root share just for this test so you can look up the rights.

For example: /HP-data/test-docs

    wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-share-folders.sh

In the script, change: SAMBA_BASEFOLDER="/HP-data/test-docs"

It doesn't change your smb.conf, but it generates the share.conf for samba and sets up the folders for you.

    bash samba-setup-share-folders.sh

The file /etc/samba/smb-shares.conf is generated; include that in smb.conf, reload,
and test/look in these folders.

And look at all the rights and how I set them.


I used the following setup. 

BaseFolder - DepartmentsBaseFolders  - UsersContent 

Base: only Administrators can create folders and set up rights.
 Optional: create a group "folder-managers" and give that rights to create new folders and set rights.
 This way you don't have to share Administrator passwords if it only involves new folders and rights.

Departments: this only uses the security groups "departments" and gives them rights to access and write/change/read in this folder.

UserContent: the rights in Departments and any subfolders or files in here are written with the "domain users" (must have GID).
That is why we set 2770 on Departments.

So where does "domain users" come from? Well, it's the default group all Windows users are in.
In smb.conf (where I use backend AD) I use:

    ## get primary group from unix primary group
    idmap config ADDOM : unix_primary_group = yes

Not sure if you also need that if you use the RID backend.

This is also why it's not advised to change the default Windows group for the users.

I hope this helps you.. (and others) 

Greetz, 

Louis

> 
> On Thu, Jun 3, 2021 at 1:43 PM L.P.H. van Belle 
> <belle at bazuin.nl> wrote:
> >
> > Hmm, did you set in smb.conf :
> >
> >
> >     # User Administrator workaround, without it you are unable to set privileges/rights
> >     # A must for samba Domain members
> >     username map = /etc/samba/samba_usermapping
> >
> > /etc/samba/samba_usermapping  contains
> > !root = ADDOM\Administrator ADDOM\administrator
> >
> > That should make the mapping so "Administrator" can see and operate "as root"
> >
> > Also, on the department folder. I see 750 as right.
> > chown -R root:root ..
> > chmod 2770 -R ..
> >
> >
> > Then try again.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Original message-----
> > > From: Anders Östling [mailto:anders.ostling at gmail.com]
> > > Sent: Thursday 3 June 2021 13:32
> > > To: L.P.H. van Belle
> > > Subject: Re: [Samba] Best practice to import folders to Samba?
> > >
> > > Hi Louis
> > >
> > > I did exactly as you proposed, and here is what it looks like after
> > >
> > > root at hp-fs1:/HP-data/documents# setfacl --recursive --remove-all Ekonomi
> > > root at hp-fs1:/HP-data/documents# chmod -R o-rwx Ekonomi
> > > root at hp-fs1:/HP-data/documents# ls -l
> > > total 24
> > > drwxr-x---  12 administrator hp_ekonomi_ro 4096 jun  3 13:05 Ekonomi
> > > root at hp-fs1:/HP-data/documents# chown -R root:root Ekonomi
> > > root at hp-fs1:/HP-data/documents# ls -l
> > > total 24
> > > drwxr-x---  12 root          root         4096 jun  3 13:05 Ekonomi
> > >
> > > At this point I could not see the folder Ekonomi at all (logged in as
> > > user Administrator on the domain). So I altered the owner from
> > > root.root to root.administrator. That made the folder visible again
> >
> >
> >
> > >
> > > root at hp-fs1:/HP-data/documents# chown -R administrator:root Ekonomi
> > >
> > > And the end result is this, not at all what I expected it to be
> > >
> > > I must be doing something wrong here...
> > > /Anders
> > >
> > > On Thu, Jun 3, 2021 at 1:16 PM L.P.H. van Belle via samba
> > > <samba at lists.samba.org> wrote:
> > > >
> > > > Hai Anders,
> > > >
> > > > You can copy everything to the new locations and then remove all old acls.
> > > >
> > > > echo "Removing old ACL's"
> > > > setfacl --recursive --remove-all /srv/samba/datashare
> > > >
> > > > echo "Recursively removing access to : other (guests)"
> > > > chmod -R o-rwx /srv/samba/datashare
> > > >
> > > > echo "Re-apply root:root on /srv/samba/datashare"
> > > > chown -R root:root /srv/samba/datashare
> > > >
> > > > ! Root:root is used, so only the Administrator can create new folders and set rights from this point.
> > > >
> > > > At this point all subfolders are clear and ready for the new acl's.
> > > >
> > > >
> > > > Good luck.
> > > >
> > > > Greets,
> > > >
> > > > Louis
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Anders Östling via samba
> > > > > Sent: Thursday 3 June 2021 12:57
> > > > > To: sambalist
> > > > > Subject: [Samba] Best practice to import folders to Samba?
> > > > >
> > > > > I am testing to setup a new lab domain, and so far all is good. 2 DC's
> > > > > and 2 file servers are now in the domain, along with 2 windows 10
> > > > > clients. Everything works as planned.
> > > > > Now I would like to import a large set of data files from another
> > > > > production domain. I have copied some folders into the new lab
> > > > > domain's fileserver, but permissions and ownership of files are wrong.
> > > > > The files have retained their old GIDs that do not exist in the lab
> > > > > domain.
> > > > > So, I am looking for a method to strip off all ACL's and other
> > > > > permission related data, either before or after the import (whichever
> > > > > is easiest).
> > > > > Once the files and folders are "clean", I would like to put them into
> > > > > a number of prepared shares where they should inherit permissions,
> > > > > ownership etc from the shared folder.
> > > > >
> > > > > I have of course checked the wiki and about 99% of Internet, but can't
> > > > > find any good and recent guide. Anyone here that has some advice?
> > > > >
> > > > > Best regards!
> > > > > Anders
> > > > >
> > > > >
> > > > > --
> > > > > ------ -------------------- 8 ------------------ ------
> > > > > "A wise man once told me - Any idiot can do backups, but it takes a
> > > > > genius to successfully restore"
> > > > >
> > > > > Anders Östling
> > > > > +46 768 716 165 (Mobil)
> > > > > +46 431 45 56 01  (Hem)
> > > > >
> > > > > --
> > > > > To unsubscribe from this list go to the following URL 
> and read the
> > > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL 
> and read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > >
> > >
> > > --
> > > ------ -------------------- 8 ------------------ ------
> > > "A wise man once told me - Any idiot can do backups, but 
> it takes a
> > > genius to successfully restore"
> > >
> > > Anders Östling
> > > +46 768 716 165 (Mobil)
> > > +46 431 45 56 01  (Hem)
> > >
> >
> 
> 
> -- 
> ------ -------------------- 8 ------------------ ------
> "A wise man once told me - Any idiot can do backups, but it takes a
> genius to successfully restore"
> 
> Anders Östling
> +46 768 716 165 (Mobil)
> +46 431 45 56 01  (Hem)
> 
> 
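
A read-only check for the result of the reset steps quoted in this thread (`chmod -R o-rwx`, `chmod 2770`, and the stale GIDs from the old domain), added here as an example; it is not part of any poster's message or of samba-setup-share-folders.sh. The function names and finding labels are made up for this example, and it assumes it is pointed at one department folder such as Ekonomi.

```bash
#!/usr/bin/env bash
# Added example: read-only audit of a department folder after the reset
# steps from this thread. Function names and finding labels are made up here.

# Print one line per finding: "<kind> <path>".
audit_share_tree() {
    # other-access: "chmod -R o-rwx" should have cleared these bits.
    # Symlinks are skipped because their own mode is always 0777.
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print |
        sed 's/^/other-access /'
    # no-setgid: without the 2 in 2770, new entries get the creator's
    # primary group instead of the directory's group.
    find "$1" -type d ! -perm -2000 -print | sed 's/^/no-setgid /'
    # orphan-gid: numeric GID that resolves to no group, e.g. IDs carried
    # over from the old domain.
    find "$1" -nogroup -print | sed 's/^/orphan-gid /'
}

# Count the findings of one kind, printing 0 when there are none.
count_findings() {
    audit_share_tree "$1" | grep -c "^$2 " || true
}

# Run directly as: bash audit-share.sh /path/to/department-folder
if [ "$#" -gt 0 ]; then
    audit_share_tree "$1"
fi
```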



