[Samba] windows acls

Rowland Penny rpenny at samba.org
Tue Mar 28 16:55:39 UTC 2023



On 28/03/2023 17:41, Peter Carlson via samba wrote:
> 
> On 3/28/23 08:40, Rowland Penny via samba wrote:
>>
>>
>> On 28/03/2023 15:50, Peter Carlson via samba wrote:
>>>
>>> On 3/28/23 07:36, Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 28/03/2023 15:08, Peter Carlson via samba wrote:
>>>>>
>>>>> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>>>>>
>>>>>>
>>>>>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>>>>>> I am having troubles with windows ACLs.  I have been following 
>>>>>>> the wiki 
>>>>>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) and must have messed something up.
>>>>>>> I can't set the permissions on the root of the share. error: 
>>>>>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>>>>>
>>>>>>> I set the SeDiskOperatorPrivilege, created the folder with 
>>>>>>> permissions as stated in the wiki, and set smb.conf as described. 
>>>>>>> What might I be missing?
>>>>>>>
>>>>>>> root at filesvr:~# net rpc rights list privileges 
>>>>>>> SeDiskOperatorPrivilege -U SDCP\\peter
>>>>>>> Password for [SDCP\peter]:
>>>>>>> SeDiskOperatorPrivilege:
>>>>>>>    SDCP\Domain Admins
>>>>>>>    BUILTIN\Administrators
>>>>>>>
>>>>>>> root at filesvr:~# ls -l /data
>>>>>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>>>>>
>>>>>> What are the permissions set on /data ?
>>>>>>
>>>>>> What does 'getfacl /data/test' produce ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> root at filesvr:~# ls -l /
>>>>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>>>>
>>>>> root at filesvr:~# getfacl /data/test
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: data/test
>>>>> # owner: root
>>>>> # group: SDCP\\domain\040admins
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> user:SDCP\\domain\040admins:rwx
>>>>> user:SDCP\\domain\040users:rwx
>>>>> group::rwx
>>>>> group:SDCP\\domain\040admins:rwx
>>>>> group:SDCP\\domain\040users:rwx
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:user:SDCP\\domain\040users:rwx
>>>>> default:group::r-x
>>>>> default:group:SDCP\\domain\040admins:r-x
>>>>> default:group:SDCP\\domain\040users:rwx
>>>>> default:mask::rwx
>>>>> default:other::r-x
>>>>
>>>> OK, your user should be able to get to the 'data' directory via 
>>>> 'others'
>>>>
>>>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>>>
>>>> Where, because the permissions are these:
>>>>
>>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>>>
>>>> His membership of Domain Admins should allow entry into 'test'
>>>>
>>>> However, you also wrote this 'On a different server showing my 
>>>> membership', what do you get if you run 'groups' on 'filesvr' ?
>>>>
>>>> Rowland
>>>>
>>>>
>>> ok, on the filesvr I can get to things as me:
>>> SDCP\peter at filesvr:~$ groups
>>> SDCP\domain admins BUILTIN\administrators BUILTIN\users SDCP\domain 
>>> users SDCP\denied rodc password replication group SDCP\dbusers 
>>> SDCP\peter SDCP\linux admins SDCP\remotedesktop SDCP\nextcloud users
>>> SDCP\peter at filesvr:~$ cd /data/test
>>> SDCP\peter at filesvr:/data/test$ ls
>>> officefld  peter-ad.txt  peter.txt  root.txt  test  Windows.txt
>>> SDCP\peter at filesvr:/data/test$ cat peter.txt
>>>
>>> test from peter
>>>
>>> however on windows, I get access denied both when trying to set 
>>> permissions via computer management on the root of the share as well 
>>> as when trying to access the share via file explorer
>>
>>
>> I am using Samba 4.17.5 on a test machine with a share set up exactly 
>> like yours and using computer management on a Win10 computer, 
>> everything works for myself.
>>
>> After comparing your smb.conf with mine, could you please try adding 
>> 'winbind expand groups = 2' to your smb.conf, reload or restart Samba 
>> and try again.
>>
>> Rowland
>>
>>
> winbind expand groups = 2 didn't help.  Same error on windows, nothing 
> in the event viewer and no logs in /var/log/samba, perhaps a higher 
> logging setting is needed?  I am running on Version 4.15.13-Ubuntu, I 
> could do a tcpdump if that helps, but I'd need to read up on what you 
> would need for that

This is weird, it just works for myself, the only other differences 
between my smb.conf and yours are these lines:

	disable netbios = Yes
	dns proxy = No
	min domain uid = 0
	username map = /etc/samba/user.map

The last one relies on a file containing this line:

!root = SDCP\Administrator

Have you tried running 'net cache flush' on the Linux machine ?
Could Apparmor be getting in the way ?

Rowland
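Before chasing Windows-side causes (caching, AppArmor, the username map), it helps to confirm what the POSIX ACL on the share root actually grants a given account, mask and default entries included. The script below is an added example, not code from this thread or from the Samba project: it parses the text `getfacl` prints (undoing getfacl's quoting, where a backslash is doubled and a space becomes the octal escape `\040`), then applies the POSIX.1e check order (owner entry unmasked, then named user, then owning and named groups, then other, with the mask applied to everything but the owner). The first sample ACL is the `/data/test` listing posted above; the second, with a mask tighter than its group entry, is constructed; the account and group names in the calls are hypothetical.

```python
"""Compute effective POSIX ACL permissions from `getfacl` output (added example)."""
import re

# Constructed from the getfacl output for /data/test posted in the thread.
SAMPLE_GETFACL = r"""
# file: data/test
# owner: root
# group: SDCP\\domain\040admins
user::rwx
user:root:rwx
user:SDCP\\domain\040admins:rwx
user:SDCP\\domain\040users:rwx
group::rwx
group:SDCP\\domain\040admins:rwx
group:SDCP\\domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:SDCP\\domain\040users:rwx
default:group::r-x
default:group:SDCP\\domain\040admins:r-x
default:group:SDCP\\domain\040users:rwx
default:mask::rwx
default:other::r-x
"""

# Constructed ACL whose mask is tighter than its named-group entry.
MASKED_SAMPLE = r"""
# file: data/masked
# owner: root
# group: staff
user::rwx
group::rwx
group:editors:rwx       #effective:r-x
mask::r-x
other::---
"""


def unescape_name(name: str) -> str:
    """Undo getfacl quoting: a doubled backslash -> one backslash, \ooo octal -> that char."""
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)


def parse_getfacl(text: str) -> dict:
    """Return {'owner', 'group', 'access': [...], 'default': [...]}; each entry is
    (tag, qualifier, frozenset of 'r'/'w'/'x'). The '#effective:' hint is dropped."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = re.sub(r"\s+#effective:.*$", "", raw.strip())
        if not line:
            continue
        if line.startswith("# owner:"):
            acl["owner"] = unescape_name(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl["group"] = unescape_name(line.split(":", 1)[1].strip())
        elif line.startswith("#"):
            continue
        else:
            kind = "access"
            if line.startswith("default:"):
                kind, line = "default", line[len("default:"):]
            tag, qualifier, perms = line.rsplit(":", 2)
            acl[kind].append((tag, unescape_name(qualifier),
                              frozenset(c for c in perms if c in "rwx")))
    return acl


def effective_perms(acl: dict, user: str, groups: set, which: str = "access") -> frozenset:
    """Bits `user` (member of `groups`) gets, in POSIX.1e order: owner entry (never
    masked), named user, owning/named groups, other. Group bits are the union of all
    matching group entries after masking, exact for single-bit questions ('can write?')."""
    entries = acl[which]
    mask = next((p for t, _, p in entries if t == "mask"), None)

    def limited(p):
        return p if mask is None else p & mask

    if user == acl["owner"]:
        return next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return limited(p)
    granted, matched = frozenset(), False
    for t, q, p in entries:
        if t == "group" and (acl["group"] if q == "" else q) in groups:
            matched, granted = True, granted | limited(p)
    if matched:
        return granted
    return next(p for t, _, p in entries if t == "other")


def fmt(bits: frozenset) -> str:
    return "".join(c if c in bits else "-" for c in "rwx")


if __name__ == "__main__":
    test = parse_getfacl(SAMPLE_GETFACL)
    print("peter on /data/test:",
          fmt(effective_perms(test, "SDCP\\peter", {"SDCP\\domain admins", "SDCP\\domain users"})))
    print("Domain Admins member on a new subdir (default ACL):",
          fmt(effective_perms(test, "SDCP\\someone", {"SDCP\\domain admins"}, "default")))
    masked = parse_getfacl(MASKED_SAMPLE)
    print("editor on /data/masked:", fmt(effective_perms(masked, "bob", {"editors"})))
```

Run against the posted listing, a Domain Admins member gets `rwx` on `/data/test` itself, which matches the Linux-side access shown above, so the Windows "access denied" is not explained by the POSIX ACL on that directory. The default-ACL call also shows something worth knowing about that listing: a subdirectory created under `/data/test` inherits only `r-x` for Domain Admins, because both `default:group::` and `default:group:SDCP\domain admins` are `r-x`.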


