[Samba] windows acls
Peter Carlson
peter at howudodat.com
Tue Mar 28 17:20:14 UTC 2023
On 3/28/23 09:55, Rowland Penny via samba wrote:
>
>
> On 28/03/2023 17:41, Peter Carlson via samba wrote:
>>
>> On 3/28/23 08:40, Rowland Penny via samba wrote:
>>>
>>>
>>> On 28/03/2023 15:50, Peter Carlson via samba wrote:
>>>>
>>>> On 3/28/23 07:36, Rowland Penny via samba wrote:
>>>>>
>>>>>
>>>>> On 28/03/2023 15:08, Peter Carlson via samba wrote:
>>>>>>
>>>>>> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>>>>>>> I am having troubles with windows ACLs. I have been following
>>>>>>>> the wiki
>>>>>>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
>>>>>>>> and must have messed something up.
>>>>>>>> I can't set the permissions on the root of the share. error:
>>>>>>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>>>>>>
>>>>>>>> I set the SeDiskOperatorPrivilege, created the folder with
>>>>>>>> permissions as stated in the wiki, and set smb.conf as
>>>>>>>> described. What might I be missing?
>>>>>>>>
>>>>>>>> root at filesvr:~# net rpc rights list privileges
>>>>>>>> SeDiskOperatorPrivilege -U SDCP\\peter
>>>>>>>> Password for [SDCP\peter]:
>>>>>>>> SeDiskOperatorPrivilege:
>>>>>>>> SDCP\Domain Admins
>>>>>>>> BUILTIN\Administrators
>>>>>>>>
>>>>>>>> root at filesvr:~# ls -l /data
>>>>>>>> drwxrwx---+ 4 root SDCP\domain admins 4096 Oct 3 08:45 test
>>>>>>>
>>>>>>> What are the permissions set on /data ?
>>>>>>>
>>>>>>> What does 'getfacl /data/test' produce ?
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> root at filesvr:~# ls -l /
>>>>>> drwxr-xr-x 16 root root 4096 Dec 20 13:01 data
>>>>>>
>>>>>> root at filesvr:~# getfacl /data/test
>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>> # file: data/test
>>>>>> # owner: root
>>>>>> # group: SDCP\\domain\040admins
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> user:SDCP\\domain\040admins:rwx
>>>>>> user:SDCP\\domain\040users:rwx
>>>>>> group::rwx
>>>>>> group:SDCP\\domain\040admins:rwx
>>>>>> group:SDCP\\domain\040users:rwx
>>>>>> mask::rwx
>>>>>> other::---
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:user:SDCP\\domain\040users:rwx
>>>>>> default:group::r-x
>>>>>> default:group:SDCP\\domain\040admins:r-x
>>>>>> default:group:SDCP\\domain\040users:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::r-x
>>>>>
>>>>> OK, your user should be able to get to the 'data' directory via
>>>>> 'others'
>>>>>
>>>>> drwxr-xr-x 16 root root 4096 Dec 20 13:01 data
>>>>>
>>>>> Where, because the permissions are these:
>>>>>
>>>>> drwxrwx---+ 4 root SDCP\domain admins 4096 Oct 3 08:45 test
>>>>>
>>>>> His membership of Domain Admins should allow entry into 'test'
>>>>>
>>>>> However, you also wrote this 'On a different server showing my
>>>>> membership', what do you get if you run 'groups' on 'filesvr' ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> ok, on the filesvr I can get to things as me:
>>>> SDCP\peter at filesvr:~$ groups
>>>> SDCP\domain admins BUILTIN\administrators BUILTIN\users SDCP\domain
>>>> users SDCP\denied rodc password replication group SDCP\dbusers
>>>> SDCP\peter SDCP\linux admins SDCP\remotedesktop SDCP\nextcloud users
>>>> SDCP\peter at filesvr:~$ cd /data/test
>>>> SDCP\peter at filesvr:/data/test$ ls
>>>> officefld peter-ad.txt peter.txt root.txt test Windows.txt
>>>> SDCP\peter at filesvr:/data/test$ cat peter.txt
>>>>
>>>> test from peter
>>>>
>>>> however on windows, I get access denied both when trying to set
>>>> permissions via computer management on the root of the share as
>>>> well as when trying to access the share via file explorer
>>>
>>>
>>> I am using Samba 4.17.5 on a test machine with a share set up
>>> exactly like yours and using computer management on a Win10
>>> computer, everything works for myself.
>>>
>>> After comparing your smb.conf with mine, could you please try adding
>>> 'winbind expand groups = 2' to your smb.conf, reload or restart
>>> Samba and try again.
>>>
>>> Rowland
>>>
>>>
>> winbind expand groups = 2 didn't help. Same error on windows,
>> nothing in the event viewer and no logs in /var/log/samba, perhaps a
>> higher logging setting is needed? I am running on Version
>> 4.15.13-Ubuntu, I could do a tcpdump if that helps, but I'd need to
>> read up on what you would need for that
>
> This is weird, it just works for myself, the only other differences
> between my smb.conf and yours is these lines:
>
> disable netbios = Yes
> dns proxy = No
> min domain uid = 0
> username map = /etc/samba/user.map
>
> The last one relies on a file containing this line:
>
> !root = SDCP\Administrator
>
> have you tried running 'net cache flush' on the Linux machine ?
> Could Apparmor be getting in the way ?
>
> Rowland
>
net cache flush had no effect. There are no entries in syslog from
apparmor. Here is log level 3:
[2023/03/28 10:16:07.511129, 3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.10.115 (192.168.10.115)
[2023/03/28 10:16:07.511306, 3] ../../source3/smbd/service.c:610(make_connection_snum)
  make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2023/03/28 10:16:07.511374, 3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2023/03/28 10:16:07.511482, 3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2023/03/28 10:16:07.511551, 3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2023/03/28 10:16:07.511639, 2] ../../source3/modules/vfs_acl_xattr.c:203(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
[2023/03/28 10:16:07.511931, 3] ../../source3/smbd/service.c:854(make_connection_snum)
  192.168.10.115 (ipv4:192.168.10.115:59428) connect to service IPC$ initially as user SDCP\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.549769, 3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.10.115 (192.168.10.115)
[2023/03/28 10:16:07.549894, 3] ../../source3/smbd/service.c:610(make_connection_snum)
  make_connection_snum: Connect path is '/data/test' for service [Test]
[2023/03/28 10:16:07.549940, 3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2023/03/28 10:16:07.549966, 3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2023/03/28 10:16:07.549988, 3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2023/03/28 10:16:07.550011, 2] ../../source3/modules/vfs_acl_xattr.c:203(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Test
[2023/03/28 10:16:07.550196, 2] ../../source3/smbd/service.c:854(make_connection_snum)
  192.168.10.115 (ipv4:192.168.10.115:59428) connect to service Test initially as user SDCP\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.551237, 3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.554113, 3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.558583, 3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.559292, 3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.559972, 3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:09.232851, 3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:09.233653, 3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:23.609881, 3] ../../source3/smbd/service.c:1127(close_cnum)
  192.168.10.115 (ipv4:192.168.10.115:59428) closed connection to service IPC$
[2023/03/28 10:16:23.610507, 2] ../../source3/smbd/service.c:1127(close_cnum)
  192.168.10.115 (ipv4:192.168.10.115:59428) closed connection to service Test
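As an added example (not code from this thread or from the Samba project), the following Python script triages smbd output of the kind posted above: it parses each log level 3 record, remembers the most recent tree connect (share and user), and attributes every NT_STATUS_* error that follows to it, together with the source site the error names. It assumes the stock record layout "[timestamp, level] file:line(function)" with the message on the indented lines that follow; the embedded sample log is constructed to mirror the records posted here (IP, user, uid/gid and pid copied from the thread, the rest trimmed).

```python
"""Triage Samba smbd debug output (log level 3) for NT_STATUS errors.

Added example for this thread; it is not code from the Samba project.
Assumed record layout (stock smbd format):
  [YYYY/MM/DD hh:mm:ss.uuuuuu, level] file:line(function)
    message line(s), indented
"""
import re
from collections import Counter

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s+(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
CONNECT_RE = re.compile(
    r"connect to service (?P<share>\S+) initially as user (?P<user>\S+) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) \(pid (?P<pid>\d+)\)"
)
CLOSE_RE = re.compile(r"closed connection to service (?P<share>\S+)")
STATUS_RE = re.compile(
    r"status\[(?P<status>NT_STATUS_\w+)\](?: \|\| at (?P<site>\S+))?"
)

NO_CONTEXT = ("(no tree connect seen)", "(unknown)")

# Constructed sample, modelled on the records posted in the thread.
SAMPLE_LOG = """\
[2023/03/28 10:16:07.511129,  3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.10.115 (192.168.10.115)
[2023/03/28 10:16:07.511931,  3] ../../source3/smbd/service.c:854(make_connection_snum)
  192.168.10.115 (ipv4:192.168.10.115:59428) connect to service IPC$ initially as user SDCP\\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.550196,  2] ../../source3/smbd/service.c:854(make_connection_snum)
  192.168.10.115 (ipv4:192.168.10.115:59428) connect to service Test initially as user SDCP\\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.551237,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.554113,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:23.610507,  2] ../../source3/smbd/service.c:1127(close_cnum)
  192.168.10.115 (ipv4:192.168.10.115:59428) closed connection to service Test
"""


def parse_records(text):
    """Yield (header_dict, message) per record; wrapped message lines are joined."""
    header, lines = None, []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if header is not None:
                yield header, " ".join(lines)
            header, lines = m.groupdict(), []
        elif header is not None and raw.strip():
            lines.append(raw.strip())
    if header is not None:
        yield header, " ".join(lines)


def triage(text):
    """Attribute each NT_STATUS_* error to the last tree connect seen.

    A level-3 error record names neither the share nor the tree id, so the
    best available context is the most recent 'connect to service' record.
    smbd logs one process per client, so this is exact for a single client;
    with several clients, set 'debug pid = yes' and key the context on pid.
    Returns [{share, user, status, site, count, first_seen}, ...], most
    frequent first.
    """
    context = NO_CONTEXT
    counts, first_seen = Counter(), {}
    for hdr, msg in parse_records(text):
        m = CONNECT_RE.search(msg)
        if m:
            context = (m.group("share"), m.group("user"))
            continue
        m = CLOSE_RE.search(msg)
        if m:
            if m.group("share") == context[0]:  # only the share we track
                context = NO_CONTEXT
            continue
        m = STATUS_RE.search(msg)
        if m:
            key = context + (m.group("status"), m.group("site") or "?")
            counts[key] += 1
            first_seen.setdefault(key, hdr["ts"])
    return [
        {"share": s, "user": u, "status": st, "site": site,
         "count": n, "first_seen": first_seen[(s, u, st, site)]}
        for (s, u, st, site), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['count']:3d}x {row['status']} on share {row['share']} "
              f"as {row['user']} at {row['site']} (first {row['first_seen']})")
```

Run against the posted output, the summary reduces the wall of repeated lines to one fact: every denial is raised from smb2_create.c, i.e. the SMB2 CREATE (open) issued right after the tree connect to [Test], which matches the client being refused at the root of the share. Feeding the script a log taken with a higher log level, or with 'debug pid = yes' for several clients, is where the pid context in the connect record becomes useful.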