[Samba] windows acls

Peter Carlson peter at howudodat.com
Tue Mar 28 16:41:54 UTC 2023


On 3/28/23 08:40, Rowland Penny via samba wrote:
>
>
> On 28/03/2023 15:50, Peter Carlson via samba wrote:
>>
>> On 3/28/23 07:36, Rowland Penny via samba wrote:
>>>
>>>
>>> On 28/03/2023 15:08, Peter Carlson via samba wrote:
>>>>
>>>> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>>>>
>>>>>
>>>>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>>>>> I am having troubles with windows ACLs.  I have been following 
>>>>>> the wiki 
>>>>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) 
>>>>>> and must have messed something up.
>>>>>> I can't set the permissions on the root of the share. error: 
>>>>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>>>>
>>>>>> I set the SeDiskOperatorPrivilege, created the folder with 
>>>>>> permissions as stated in the wiki, and set smb.conf as described. 
>>>>>> What might I be missing?
>>>>>>
>>>>>> root@filesvr:~# net rpc rights list privileges
>>>>>> SeDiskOperatorPrivilege -U SDCP\\peter
>>>>>> Password for [SDCP\peter]:
>>>>>> SeDiskOperatorPrivilege:
>>>>>>    SDCP\Domain Admins
>>>>>>    BUILTIN\Administrators
>>>>>>
>>>>>> root@filesvr:~# ls -l /data
>>>>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>>>>
>>>>> What are the permissions set on /data ?
>>>>>
>>>>> What does 'getfacl /data/test' produce ?
>>>>>
>>>>> Rowland
>>>>>
>>>> root@filesvr:~# ls -l /
>>>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>>>
>>>> root@filesvr:~# getfacl /data/test
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: data/test
>>>> # owner: root
>>>> # group: SDCP\\domain\040admins
>>>> user::rwx
>>>> user:root:rwx
>>>> user:SDCP\\domain\040admins:rwx
>>>> user:SDCP\\domain\040users:rwx
>>>> group::rwx
>>>> group:SDCP\\domain\040admins:rwx
>>>> group:SDCP\\domain\040users:rwx
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:SDCP\\domain\040users:rwx
>>>> default:group::r-x
>>>> default:group:SDCP\\domain\040admins:r-x
>>>> default:group:SDCP\\domain\040users:rwx
>>>> default:mask::rwx
>>>> default:other::r-x
>>>
>>> OK, your user should be able to get to the 'data' directory via 
>>> 'others'
>>>
>>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>>
>>> Where, because the permissions are these:
>>>
>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>>
>>> His membership of Domain Admins should allow entry into 'test'
>>>
>>> However, you also wrote this 'On a different server showing my 
>>> membership', what do you get if you run 'groups' on 'filesvr' ?
>>>
>>> Rowland
>>>
>>>
>> ok, on the filesvr I can get to things as me:
>> SDCP\peter@filesvr:~$ groups
>> SDCP\domain admins BUILTIN\administrators BUILTIN\users SDCP\domain 
>> users SDCP\denied rodc password replication group SDCP\dbusers 
>> SDCP\peter SDCP\linux admins SDCP\remotedesktop SDCP\nextcloud users
>> SDCP\peter@filesvr:~$ cd /data/test
>> SDCP\peter@filesvr:/data/test$ ls
>> officefld  peter-ad.txt  peter.txt  root.txt  test  Windows.txt
>> SDCP\peter@filesvr:/data/test$ cat peter.txt
>>
>> test from peter
>>
>> however on windows, I get access denied both when trying to set 
>> permissions via computer management on the root of the share as well 
>> as when trying to access the share via file explorer
>
>
> I am using Samba 4.17.5 on a test machine with a share set up exactly 
> like yours and using computer management on a Win10 computer, 
> everything works for myself.
>
> After comparing your smb.conf with mine, could you please try adding 
> 'winbind expand groups = 2' to your smb.conf, reload or restart Samba 
> and try again.
>
> Rowland
>
>
winbind expand groups = 2 didn't help.  Same error on windows, nothing 
in the event viewer and no logs in /var/log/samba, perhaps a higher 
logging setting is needed?  I am running on Version 4.15.13-Ubuntu, I 
could do a tcpdump if that helps, but I'd need to read up on what you 
would need for that.
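
The filesystem-level reasoning quoted above (reach /data through 'other', enter test through Domain Admins membership) can be checked mechanically. The following is an added example, not part of the thread or of Samba: it parses a constructed subset of the quoted getfacl output and applies the POSIX ACL evaluation order (owner, named user, groups, other). `parse`, `allowed` and `unescape` are hypothetical helper names, and `default:` entries are skipped because they only apply to newly created files.

```python
import re

# Constructed sample: a subset of the getfacl output quoted in the thread.
TEST_DIR = r"""# file: data/test
# owner: root
# group: SDCP\\domain\040admins
user::rwx
user:root:rwx
group::rwx
group:SDCP\\domain\040users:rwx
mask::rwx
other::---
default:other::r-x
"""
# Constructed from the 'drwxr-xr-x root root' listing for /data (no ACL, no mask).
DATA_DIR = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x\n"

def unescape(name):
    # getfacl prints a backslash as \\ and a space as the octal escape \040.
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)

def parse(text):
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"# (owner|group): (.*)", line)
        if header:
            acl[header.group(1)] = unescape(header.group(2))
        elif line and not line.startswith(("#", "default:")):
            tag, who, perms = line.split()[0].split(":")
            acl["entries"].append((tag, unescape(who), set(perms) - {"-"}))
    return acl

def allowed(acl, user, groups, want):
    want, e = set(want), acl["entries"]
    mask = next((p for t, w, p in e if t == "mask"), set("rwx"))
    if user == acl["owner"]:                      # owner entry is never masked
        return want <= next(p for t, w, p in e if t == "user" and not w)
    for t, w, p in e:                             # named user entries
        if t == "user" and w == user:
            return want <= (p & mask)
    hits = [p & mask for t, w, p in e             # owning group and named groups
            if t == "group" and (w or acl["group"]) in groups]
    if hits:                                      # a matching group never falls to 'other'
        return any(want <= p for p in hits)
    return want <= next(p for t, w, p in e if t == "other")
```

With the group list from the `groups` output, `allowed(parse(DATA_DIR), ...)` passes for `"rx"` via 'other' and `allowed(parse(TEST_DIR), ...)` passes for `"rwx"` via the owning group, matching the successful `cd` and `cat` shown on the server.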

