[Samba] Setting permissions on AD member file server
L.P.H. van Belle
belle at bazuin.nl
Tue Mar 15 14:38:36 UTC 2022
This is just a misconfiguration in rights.
I'll get some text from Gregory's previous mail.
(*>> is me)
>> This should fix it.
>> setfacl -m g:"domain users":rx /abc-zfs-01/ad-shared-folders/
( > greg )
> Do you mean -n/--no-mask [not -m - there is no -m switch]
No, there IS -m (see man setfacl), -m = modify.
>> getfacl /abc-zfs-01/ad-shared-folders
> (I gave this in the OP, but here it is again. The getfacl of the folder I'm trying to manage permission on - among others)
# getfacl *
# file: shared-files
# owner: AD\\administrator
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---
The parent has this facl
# file: ad-shared-folders
# owner: root
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---
Now, if I'm user Administrator, what is my "primary group/default group":
"Domain Users"
If I'm a random user, what is my "primary group/default group":
Exactly, again: "Domain Users"
What's missing above? ;-)
You have in my opinion 3 points to fix.
1) setfacl -m g:"domain users":rx /abc-zfs-01/ad-shared-folders/
That allows "Domain Users" to read and enter that folder, and if inherit is enabled, also sub folders.
2) but nobody can enter /abc-zfs-01
This is also why I really advise something like this.
/srv/samba/dataShare (Normal shares here)
/srv/samba/ ( samba$ as Admin share, you start here basically.) **1
/srv/
**1 the "dataShare" is NOT made from Linux, it's made from Windows, all rights are set from Windows.
If you want to set that from Linux, that IS possible, but I suggest, set up one from Windows.
Then use getfacl and samba-tool ntacl get --as-sddl
I used these to compare what I "see" in Windows and what's "set" in Linux.
3) [acl_xattr:ignore system acls = yes]
you use this only in Users and Profiles or any share that's a Windows-only share.
*( yeah, you can use it everywhere, but this is my advice)
If you add/remove that, you MUST check and set rights again.
So, this is what I have:
getfacl /srv/
# file: /srv/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
getfacl /srv/samba/
# file: /srv/samba/
# owner: root
# group: root
# flags: s--
user::rwx
group::rwx
other::r-x
getfacl /srv/samba/companydataShare1/
# file: /srv/samba/companydataShare1/
# owner: root
# group: root
# flags: -st
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
Now from this point.
/srv/samba/companydataShare1/ is basically \\server\companydataShare1
The subfolders in companydataShare1 are set from Windows.
* and I backup all the subfolder rights with getfacl and samba-tool ntacl get --as-sddl
Just because it's handy to have if you need to re-apply all rights.
*(tip see: https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-share-folders.sh )
I hope this helps.
Greetz,
Louis
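An added example, not code from Louis's mail or from the Samba project: a small parser for getfacl(1) dumps that checks a share directory against the three points above (Domain Users must be able to read and enter the directory, and a default ACL must exist so sub folders inherit) and prints the setfacl commands that would close each gap. The two dumps are abridged from the ones quoted in this thread; the absolute path in the first "# file:" line is constructed, and the suggested commands are my rendering of the advice, using setfacl's real -m (modify) and -d (default ACL) switches.

```python
"""Check getfacl(1) dumps against the share-layout advice in the mail above.

Added example, not code from the Samba list or the Samba project. The two
dumps are abridged from the ones quoted in the thread; the absolute path in
the "# file:" line of the first one is constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# getfacl writes a space as \040 and a backslash as \\; raw strings keep that.
OP_DUMP = r"""
# file: /abc-zfs-01/ad-shared-folders
# owner: root
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---
"""
LOUIS_DUMP = r"""
# file: /srv/samba/companydataShare1/
# owner: root
# group: root
# flags: -st
user::rwx
group::r-x
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
"""

@dataclass
class Acl:
    path: str
    group: str = ""
    access: dict = field(default_factory=dict)   # (tag, name) -> "rwx"-style perms
    default: dict = field(default_factory=dict)  # same, for the default (inherited) ACL

def norm(name: str) -> str:
    """Undo getfacl escaping, drop a DOMAIN\\ prefix, lower-case: AD\\domain\\040admins -> domain admins."""
    name = re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)
    return name.rsplit("\\", 1)[-1].lower()

def parse_getfacl(text: str) -> list[Acl]:
    acls, cur = [], None
    for line in filter(None, map(str.rstrip, text.splitlines())):
        if line.startswith("# file: "):
            cur = Acl(path=line[len("# file: "):])
            acls.append(cur)
        elif line.startswith("# group: "):
            cur.group = norm(line[len("# group: "):])
        elif line.startswith("#"):
            continue                      # "# owner:", "# flags: -st", ...
        else:
            entry = re.split(r"\s+#effective:", line)[0]   # drop the mask annotation, if any
            table = cur.access
            if entry.startswith("default:"):
                entry, table = entry[len("default:"):], cur.default
            tag, name, perms = entry.split(":", 2)
            table[(tag, norm(name))] = perms
    return acls

def effective(table: dict, tag: str, name: str = ""):
    """Permissions of one entry after the mask, the way the kernel applies it."""
    perms = table.get((tag, name))
    mask = table.get(("mask", ""))
    if perms and mask and tag != "other" and (tag, name) != ("user", ""):
        perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
    return perms

def check_share_dir(acl: Acl, users="domain users", admins="domain admins") -> list[str]:
    """Problem codes for one directory, following the points in the mail."""
    problems = []
    # Every AD account's primary group is Domain Users, so that group (or
    # "other") needs r-x on the share directory and on every parent of it.
    candidates = [effective(acl.access, "group", users), acl.access.get(("other", ""))]
    if acl.group == users:
        candidates.append(effective(acl.access, "group"))
    if not any(p and p[0] == "r" and p[2] == "x" for p in candidates):
        problems.append("no-traverse")
    # Without a default ACL, folders created later get only the mode bits.
    if not acl.default:
        problems.append("no-default")
    elif effective(acl.default, "group", admins) != "rwx":
        problems.append("admins-not-inherited")
    return problems

FIXES = {   # suggested setfacl invocations (my wording of the mail's advice)
    "no-traverse": 'setfacl -m g:"{users}":rx {path}',
    "no-default": 'setfacl -d -m g:"{admins}":rwx,g:"{users}":rx {path}',
    "admins-not-inherited": 'setfacl -d -m g:"{admins}":rwx {path}',
}

def suggest_fixes(acl: Acl, users="domain users", admins="domain admins") -> list[str]:
    return [FIXES[code].format(users=users, admins=admins, path=acl.path)
            for code in check_share_dir(acl, users, admins)]

if __name__ == "__main__":
    for dump in (OP_DUMP, LOUIS_DUMP):
        for acl in parse_getfacl(dump):
            print(acl.path, check_share_dir(acl) or "ok")
            for cmd in suggest_fixes(acl):
                print("   ", cmd)
```

Run against a real `getfacl -p /srv/samba /srv/samba/*` dump it reports the OP's ad-shared-folders as "no-traverse" and "no-default" and Louis's companydataShare1 as clean; the mask handling matters because setfacl -m recalculates the mask, so a named group entry is only as good as its effective rights.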
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Patrick Goetz via samba
> Sent: Tuesday 15 March 2022 14:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] Setting permissions on AD member file server
>
> On 3/14/22 17:41, Gregory Sloop via samba wrote:
> > I've had a little time to tinker and one thing I've found.
> >
> > Unless I have [acl_xattr:ignore system acls = yes] set, I can't edit permissions at all.
> > (I set it globally, though a share level setting would probably work on a per-share basis.)
>
>
> There must be another issue here. I have:
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> set in smb.conf and most certainly can edit permissions from Windows,
> although this has also failed in some cases for reasons I
> haven't been
> able to pinpoint (but am guessing is related to the long path issue).
>
> >
> > This seems to be a quasi-sideeffect of that setting - in short that setting overwrites/resets the posix permissions. (Provided I understand discussions I've seen about it.)
> >
> > In this case the share will only be used by Windows users via CIFS/Samba - so this may well "work" just fine and as a happy side-effect, make the problem vanish.
> > But I'd guess it's not really the "correct" fix.
> >
> > To that end, what would be the best way to reset the permissions on the directories/files properly, removing all the Samba ACL's etc? Once they are set as a baseline in POSIX then we can tinker with Samba ACL's with the Windows permissions again. (And remove acl_xattr:ignore system acls = yes)
>
> Adding on to this, I would like to completely reset all the Windows
> permissions, since the filesystem permissions look good, but
> resetting
> permissions on some folders fails from Windows. If Windows 10 File
> Explorer does not support long paths, then how would someone
> use this to
> reset permissions on deeply nested folders anyway? I've
> determined that
> at after a certain path length the security tab disappears from
> Properties completely!
>
> >
> > Rowland?
> >
> > (I'm not making any claims about "Administrators" vs "Domain Admins" and permissions in this post. I'm simply trying to deduce what's going on, and talk about a single thing that makes it work differently, perhaps more or less inadvertently.)
> >
> >
> >
> >> On 12 March 2022 09:22 Rowland Penny wrote:
> >
> >>> On Fri, 2022-03-11 at 22:48 +0000, spindles seven via samba wrote:
> >
> >>>> On 11 March 2022 22:26 Rowland Penny wrote:
> >
> >>>>> I take it you found that out from here:
> >
> >>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
> >
> >>>> Yes indeed.
> >>>>> That is what I was getting at, it used to work. A member of Domain Admins logged into Windows could change the permissions on a share, provided everything was set up correctly on the Unix domain member.
> >>>>> I can now only do this with Administrator.
> >
> >>>>> Rowland
> >>>> works for me (on version 4.15.5), so what's different?
> >>> I am using 4.15.5 and it doesn't work for me, it used to, but it doesn't any longer.
> >
> >>> Rowland
> >> OK, so using a test installation of Debian Bullseye in a VM and Samba 4.15.5, I left the domain and cleaned up the samba database files as per the WiKi. I deleted the existing folders ie /srv/samba and all sub folders. Using that same page in the WiKi (https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member) I joined the domain. This is the smb.conf at that stage:
> >
> >> [global]
> >
> >> security = ADS
> >> workgroup = MICROLYNX
> >> realm = MICROLYNX.ORG
> >
> >> log file = /var/log/samba/%m.log
> >> log level = 1
> >
> >> winbind use default domain = yes
> >
> >> # Default idmap config used for BUILTIN and local accounts/groups
> >> idmap config *:backend = tdb
> >> idmap config *:range = 2000-9999
> >
> >> # idmap config for domain MICROLYNX
> >> idmap config MICROLYNX:backend = rid
> >> idmap config MICROLYNX:range = 10000-99999
> >
> >> # next two lines for testing only - comment-out once working ok
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >
> >> template shell = /bin/bash
> >> template homedir = /srv/samba/users/%U
> >
> >> vfs objects = acl_xattr
> >> map acl inherit = yes
> >> username map = /etc/samba/user.map
> >
> >> # allow administrator to access having been mapped to root (uid 0)
> >> min domain uid = 0
> >> ==========
> >> I then added shares [users] and [test] as follows:
> >
> >> [users]
> >> # user homedirs
> >> path = /srv/samba/users
> >> read only = no
> >> acl_xattr:ignore system acls = yes
> >
> >> [test]
> >> path = /srv/samba/test
> >> read only = no
> >
> >> I set the Unix permissions as follows:
> >> chown root:"Domain Admins" /srv/samba/users
> >> chown root:"Domain Admins" /srv/samba/test
> >> chmod 0770 /srv/samba/users
> >> chmod 0770 /srv/samba/test
> >
> >> I granted Domain Admins the SeDiskOperatorPrivilege on the test server then attempted to set the permissions from Windows using the WiKi page: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> >> I logged onto Windows 10 using a user who is a member of Domain Admins and was able to set permissions correctly using Computer Management on the [test] share, but not on the [users] share; to allow the permissions to be applied from windows initially, I had to temporarily comment out the "acl_xattr:ignore system acls = yes" line and reload the smb config. Once set, I removed the comment (#) from that line.
> >
> >> On the Users share I set:
> >> Domain Admins Full Control This folder only
> >> CREATOR OWNER Full Control Subfolders and files only
> >> SYSTEM Full Control This folder, subfolders and files
> >> Authenticated Users Special* This folder only
> >
> >> * Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create folders/append data, Read permissions
> >
> >> The folder looks like this as seen from Linux:
> >> root at m2test:~# ls -l /srv/samba
> >> total 16
> >> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 test
> >> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 users
> >> root at m2test:~# getfacl /srv/samba/users
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: srv/samba/users
> >> # owner: root
> >> # group: domain\040admins
> >> user::rwx
> >> user:root:rwx
> >> user:domain\040admins:rwx
> >> group::rwx
> >> group:NT\040Authority\\authenticated\040users:rwx
> >> group:NT\040Authority\\system:rwx
> >> group:domain\040admins:rwx
> >> mask::rwx
> >> other::---
> >> default:user::rwx
> >> default:user:root:rwx
> >> default:group::---
> >> default:group:NT\040Authority\\system:rwx
> >> default:group:domain\040admins:---
> >> default:mask::rwx
> >> default:other::---
> >
> >> So following the WiKi as close as possible, I am able to set permissions using a Domain Admins account, not sure why your system is preventing you?
> >
> >> Thanks for your invaluable help as always.
> >
> >> Roy
> >