[Samba] Setting permissions on AD member file server
Gregory Sloop
gregs at sloop.net
Mon Mar 14 22:41:09 UTC 2022
I've had a little time to tinker and one thing I've found.
Unless I have [acl_xattr:ignore system acls = yes] set, I can't edit permissions at all.
(I set it globally, though a share level setting would probably work on a per-share basis.)
This seems to be a quasi side-effect of that setting - in short, that setting overwrites/resets the POSIX permissions. (Provided I understand discussions I've seen about it.)
In this case the share will only be used by Windows users via CIFS/Samba - so this may well "work" just fine and as a happy side-effect, make the problem vanish.
But I'd guess it's not really the "correct" fix.
To that end, what would be the best way to reset the permissions on the directories/files properly, removing all the Samba ACLs etc.? Once they are set as a baseline in POSIX then we can tinker with Samba ACLs with the Windows permissions again. (And remove acl_xattr:ignore system acls = yes)
Rowland?
(I'm not making any claims about "Administrators" vs "Domain Admins" and permissions in this post. I'm simply trying to deduce what's going on, and talk about a single thing that makes it work differently, perhaps more or less inadvertently.)
> On 12 March 2022 09:22 Rowland Penny wrote:
>> On Fri, 2022-03-11 at 22:48 +0000, spindles seven via samba wrote:
>>> On 11 March 2022 22:26 Rowland Penny wrote:
>>>> I take it you found that out from here:
>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
>>> Yes indeed.
>>>> That is what I was getting at, it used to work. A member of Domain
>>>> Admins logged into Windows could change the permissions on a share,
>>>> provided everything was set up correctly on the Unix domain member.
>>>> I can now only do this with Administrator.
>>>> Rowland
>>> works for me (on version 4.15.5), so what's different?
>> I am using 4.15.5 and it doesn't work for me, it used to, but it doesn't any longer.
>> Rowland
> OK, so using a test installation of Debian Bullseye in a VM and Samba 4.15.5, I left the domain and cleaned up the Samba database files as per the Wiki. I deleted the existing folders, i.e. /srv/samba and all sub folders. Using that same page in the Wiki (https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member) I joined the domain. This is the smb.conf at that stage:
> [global]
> security = ADS
> workgroup = MICROLYNX
> realm = MICROLYNX.ORG
> log file = /var/log/samba/%m.log
> log level = 1
> winbind use default domain = yes
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> # idmap config for domain MICROLYNX
> idmap config MICROLYNX:backend = rid
> idmap config MICROLYNX:range = 10000-99999
> # next two lines for testing only - comment-out once working ok
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/bash
> template homedir = /srv/samba/users/%U
> vfs objects = acl_xattr
> map acl inherit = yes
> username map = /etc/samba/user.map
> # allow administrator to access having been mapped to root (uid 0)
> min domain uid = 0
> ==========
> I then added shares [users] and [test] as follows:
> [users]
> # user homedirs
> path = /srv/samba/users
> read only = no
> acl_xattr:ignore system acls = yes
> [test]
> path = /srv/samba/test
> read only = no
> I set the Unix permissions as follows:
> chown root:"Domain Admins" /srv/samba/users
> chown root:"Domain Admins" /srv/samba/test
> chmod 0770 /srv/samba/users
> chmod 0770 /srv/samba/test
> I granted Domain Admins the SeDiskOperatorPrivilege on the test server then attempted to set the permissions from Windows using the Wiki page: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> I logged onto Windows 10 using a user who is a member of Domain Admins and was able to set permissions correctly using Computer Management on the [test] share, but not on the [users] share; to allow the permissions to be applied from Windows initially, I had to temporarily comment out the "acl_xattr:ignore system acls = yes" line and reload the smb config. Once set, I removed the comment (#) from that line.
> On the Users share I set:
> Domain Admins Full Control This folder only
> CREATOR OWNER Full Control Subfolders and files only
> SYSTEM Full Control This folder, subfolders and files
> Authenticated Users Special* This folder only
> * Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create folders/append data, Read permissions
> The folder looks like this as seen from Linux:
> root at m2test:~# ls -l /srv/samba
> total 16
> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 test
> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 users
> root at m2test:~# getfacl /srv/samba/users
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/users
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> group::rwx
> group:NT\040Authority\\authenticated\040users:rwx
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:---
> default:mask::rwx
> default:other::---
> So following the Wiki as close as possible, I am able to set permissions using a Domain Admins account, not sure why your system is preventing you?
> Thanks for your invaluable help as always.
> Roy
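Gregory's question above is how to reset a share to a clean POSIX baseline (as in Roy's chown/chmod steps) before re-applying Windows ACLs and then dropping acl_xattr:ignore system acls. The script below is an added example, not code from the thread or the Samba Wiki; it assumes that Samba's acl_xattr module stores the Windows ACL in the security.NTACL extended attribute, and the helper names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread or the Samba Wiki): reset a share
# directory to the plain POSIX baseline Roy used (root:"Domain Admins",
# mode 0770) so Windows-side ACLs can be rebuilt on top of it.
# Assumption: acl_xattr keeps the Windows ACL in the security.NTACL
# extended attribute. Run as root on the domain member, e.g.:
#   reset_share_baseline /srv/samba/users root "Domain Admins" 0770
set -u

# reset_share_baseline DIR OWNER GROUP MODE
# Strips POSIX ACLs and stored NT ACLs recursively, then applies the
# baseline ownership and directory mode. Files keep their mode bits.
reset_share_baseline() {
    local dir=$1 owner=$2 group=$3 mode=$4
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Drop every access and default ACL entry, leaving only the mode bits.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -R -b "$dir" 2>/dev/null ||
            echo "warning: could not strip POSIX ACLs under $dir" >&2
    fi
    # Drop the cached Windows ACL so Samba derives a fresh one from the
    # POSIX permissions on next access. A missing attribute is not an error.
    if command -v setfattr >/dev/null 2>&1; then
        find "$dir" -exec setfattr -x security.NTACL {} \; 2>/dev/null || true
    fi
    chown -R "$owner:$group" "$dir" || return 1
    find "$dir" -type d -exec chmod "$mode" {} + || return 1
}

# share_mode DIR: octal mode of DIR, for checking the result.
share_mode() { stat -c '%a' "$1"; }

# ignore_system_acls_set CONF: succeeds when CONF still carries an active
# "acl_xattr:ignore system acls = yes" (commented-out lines do not count).
# Once the baseline is in place and the Windows ACLs have been re-applied,
# remove that setting so Samba maps them onto the POSIX ACLs again instead
# of honouring only the stored NT ACL.
ignore_system_acls_set() {
    grep -Eiq '^[[:space:]]*acl_xattr:ignore[[:space:]]+system[[:space:]]+acls[[:space:]]*=[[:space:]]*yes' "$1"
}
```

After the reset, getfacl on the share should show only the base user::/group::/other:: entries and no NT Authority entries, which is the state to re-apply the Windows permissions from.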