[Samba] windows acls
Peter Carlson
peter at howudodat.com
Tue Mar 28 14:50:51 UTC 2023
On 3/28/23 07:36, Rowland Penny via samba wrote:
>
>
> On 28/03/2023 15:08, Peter Carlson via samba wrote:
>>
>> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>>
>>>
>>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>>> I am having troubles with windows ACLs. I have been following the
>>>> wiki
>>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
>>>> and must have messed something up.
>>>> I can't set the permissions on the root of the share. error:
>>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>>
>>>> I set the SeDiskOperatorPrivilege, created the folder with
>>>> permissions as stated in the wiki, and set smb.conf as described.
>>>> What might I be missing?
>>>>
>>>> root@filesvr:~# net rpc rights list privileges
>>>> SeDiskOperatorPrivilege -U SDCP\\peter
>>>> Password for [SDCP\peter]:
>>>> SeDiskOperatorPrivilege:
>>>> SDCP\Domain Admins
>>>> BUILTIN\Administrators
>>>>
>>>> root@filesvr:~# ls -l /data
>>>> drwxrwx---+ 4 root SDCP\domain admins 4096 Oct 3 08:45 test
>>>
>>> What are the permissions set on /data ?
>>>
>>> What does 'getfacl /data/test' produce ?
>>>
>>> Rowland
>>>
>> root@filesvr:~# ls -l /
>> drwxr-xr-x 16 root root 4096 Dec 20 13:01 data
>>
>> root@filesvr:~# getfacl /data/test
>> getfacl: Removing leading '/' from absolute path names
>> # file: data/test
>> # owner: root
>> # group: SDCP\\domain\040admins
>> user::rwx
>> user:root:rwx
>> user:SDCP\\domain\040admins:rwx
>> user:SDCP\\domain\040users:rwx
>> group::rwx
>> group:SDCP\\domain\040admins:rwx
>> group:SDCP\\domain\040users:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:SDCP\\domain\040users:rwx
>> default:group::r-x
>> default:group:SDCP\\domain\040admins:r-x
>> default:group:SDCP\\domain\040users:rwx
>> default:mask::rwx
>> default:other::r-x
>
> OK, your user should be able to get to the 'data' directory via 'others'
>
> drwxr-xr-x 16 root root 4096 Dec 20 13:01 data
>
> Where, because the permissions are these:
>
> drwxrwx---+ 4 root SDCP\domain admins 4096 Oct 3 08:45 test
>
> His membership of Domain Admins should allow entry into 'test'
>
> However, you also wrote this 'On a different server showing my
> membership', what do you get if you run 'groups' on 'filesvr' ?
>
> Rowland
>
>
OK, on the filesvr I can get to things as me:
SDCP\peter@filesvr:~$ groups
SDCP\domain admins BUILTIN\administrators BUILTIN\users SDCP\domain
users SDCP\denied rodc password replication group SDCP\dbusers
SDCP\peter SDCP\linux admins SDCP\remotedesktop SDCP\nextcloud users
SDCP\peter@filesvr:~$ cd /data/test
SDCP\peter@filesvr:/data/test$ ls
officefld peter-ad.txt peter.txt root.txt test Windows.txt
SDCP\peter@filesvr:/data/test$ cat peter.txt
test from peter
However, on Windows, I get access denied both when trying to set
permissions via computer management on the root of the share as well as
when trying to access the share via file explorer
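
Added example, not part of the original thread: the POSIX ACL access check that Rowland's reasoning in the quoted reply follows (traverse /data via "other", enter /data/test via Domain Admins membership), run over the getfacl access entries quoted above. The function names, the /data ACL derived from its mode bits, and the sample group set are assumptions made for illustration; the check covers only the on-disk POSIX ACL, not anything Samba evaluates on top of it.

```python
import re

# Constructed sample: access entries of /data/test as quoted in the thread, and a
# minimal ACL for /data derived from its mode bits (drwxr-xr-x root root).
TEST_ACL = r"""# owner: root
# group: SDCP\\domain\040admins
user::rwx
user:root:rwx
user:SDCP\\domain\040admins:rwx
user:SDCP\\domain\040users:rwx
group::rwx
group:SDCP\\domain\040admins:rwx
group:SDCP\\domain\040users:rwx
mask::rwx
other::---"""
DATA_ACL = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x"

def unquote(name):
    # getfacl writes a backslash as "\\" and a space as octal "\040"
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"entries": []}
    for line in text.splitlines():
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = unquote(value.strip())
        elif line and not line.startswith(("#", "default:")):
            tag, rest = line.split(":", 1)
            qualifier, perms = rest.rsplit(":", 1)
            acl["entries"].append((tag, unquote(qualifier), perms))
    return acl

def check(acl, user, groups, want):
    """POSIX ACL access check; returns (granted, entry class that decided)."""
    ent = acl["entries"]
    mask = next((p for t, _, p in ent if t == "mask"), "rwx")
    def grants(perms, masked):
        eff = set(perms) & set(mask) if masked else set(perms)
        return set(want) <= eff - {"-"}
    if user == acl["owner"]:
        return grants(next(p for t, q, p in ent if t == "user" and not q), False), "owner"
    for t, q, p in ent:
        if t == "user" and q == user:
            return grants(p, True), "named user"
    matched = [p for t, q, p in ent if t == "group" and (q or acl["group"]) in groups]
    if matched:
        return any(grants(p, True) for p in matched), "group"
    return grants(next(p for t, _, p in ent if t == "other"), False), "other"
```

With the groups listed for SDCP\peter on filesvr, `check` grants `x` on /data through "other" and `rwx` on /data/test through the group class, matching the shell session above.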