[Samba] windows acls

Peter Carlson peter at howudodat.com
Tue Mar 28 17:20:14 UTC 2023


On 3/28/23 09:55, Rowland Penny via samba wrote:
>
>
> On 28/03/2023 17:41, Peter Carlson via samba wrote:
>>
>> On 3/28/23 08:40, Rowland Penny via samba wrote:
>>>
>>>
>>> On 28/03/2023 15:50, Peter Carlson via samba wrote:
>>>>
>>>> On 3/28/23 07:36, Rowland Penny via samba wrote:
>>>>>
>>>>>
>>>>> On 28/03/2023 15:08, Peter Carlson via samba wrote:
>>>>>>
>>>>>> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>>>>>>> I am having troubles with windows ACLs.  I have been following 
>>>>>>>> the wiki 
>>>>>>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) 
>>>>>>>> and must have messed something up.
>>>>>>>> I can't set the permissions on the root of the share. error: 
>>>>>>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>>>>>>
>>>>>>>> I set the SeDiskOperatorPrivilege, created the folder with 
>>>>>>>> permissions as stated in the wiki, and set smb.conf as 
>>>>>>>> described. What might I be missing?
>>>>>>>>
>>>>>>>> root at filesvr:~# net rpc rights list privileges SeDiskOperatorPrivilege -U SDCP\\peter
>>>>>>>> Password for [SDCP\peter]:
>>>>>>>> SeDiskOperatorPrivilege:
>>>>>>>>    SDCP\Domain Admins
>>>>>>>>    BUILTIN\Administrators
>>>>>>>>
>>>>>>>> root at filesvr:~# ls -l /data
>>>>>>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct 3 08:45 test
>>>>>>>
>>>>>>> What are the permissions set on /data ?
>>>>>>>
>>>>>>> What does 'getfacl /data/test' produce ?
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> root at filesvr:~# ls -l /
>>>>>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>>>>>
>>>>>> root at filesvr:~# getfacl /data/test
>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>> # file: data/test
>>>>>> # owner: root
>>>>>> # group: SDCP\\domain\040admins
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> user:SDCP\\domain\040admins:rwx
>>>>>> user:SDCP\\domain\040users:rwx
>>>>>> group::rwx
>>>>>> group:SDCP\\domain\040admins:rwx
>>>>>> group:SDCP\\domain\040users:rwx
>>>>>> mask::rwx
>>>>>> other::---
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:user:SDCP\\domain\040users:rwx
>>>>>> default:group::r-x
>>>>>> default:group:SDCP\\domain\040admins:r-x
>>>>>> default:group:SDCP\\domain\040users:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::r-x
>>>>>
>>>>> OK, your user should be able to get to the 'data' directory via 
>>>>> 'others'
>>>>>
>>>>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>>>>
>>>>> Where, because the permissions are these:
>>>>>
>>>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>>>>
>>>>> His membership of Domain Admins should allow entry into 'test'
>>>>>
>>>>> However, you also wrote this 'On a different server showing my 
>>>>> membership', what do you get if you run 'groups' on 'filesvr' ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> OK, on the filesvr I can get to things as me:
>>>> SDCP\peter at filesvr:~$ groups
>>>> SDCP\domain admins BUILTIN\administrators BUILTIN\users SDCP\domain users SDCP\denied rodc password replication group SDCP\dbusers SDCP\peter SDCP\linux admins SDCP\remotedesktop SDCP\nextcloud users
>>>> SDCP\peter at filesvr:~$ cd /data/test
>>>> SDCP\peter at filesvr:/data/test$ ls
>>>> officefld  peter-ad.txt  peter.txt  root.txt  test Windows.txt
>>>> SDCP\peter at filesvr:/data/test$ cat peter.txt
>>>>
>>>> test from peter
>>>>
>>>> However, on Windows I get access denied both when trying to set 
>>>> permissions via Computer Management on the root of the share and 
>>>> when trying to access the share via File Explorer.
>>>
>>>
>>> I am using Samba 4.17.5 on a test machine with a share set up 
>>> exactly like yours and using computer management on a Win10 
>>> computer, everything works for myself.
>>>
>>> After comparing your smb.conf with mine, could you please try adding 
>>> 'winbind expand groups = 2' to your smb.conf, reload or restart 
>>> Samba and try again.
>>>
>>> Rowland
>>>
>>>
>> winbind expand groups = 2 didn't help.  Same error on Windows, 
>> nothing in the Event Viewer and no logs in /var/log/samba; perhaps a 
>> higher logging setting is needed?  I am running on version 
>> 4.15.13-Ubuntu.  I could do a tcpdump if that helps, but I'd need to 
>> read up on what you would need for that.
>
> This is weird, it just works for myself.  The only other differences 
> between my smb.conf and yours are these lines:
>
>     disable netbios = Yes
>     dns proxy = No
>     min domain uid = 0
>     username map = /etc/samba/user.map
>
> The last one relies on a file containing this line:
>
> !root = SDCP\Administrator
>
> Have you tried running 'net cache flush' on the Linux machine?
> Could AppArmor be getting in the way?
>
> Rowland
>
net cache flush had no effect.  There are no entries in syslog from 
AppArmor.  Here is log level 3:

[2023/03/28 10:16:07.511129,  3] ../../lib/util/access.c:372(allow_access)
   Allowed connection from 192.168.10.115 (192.168.10.115)
[2023/03/28 10:16:07.511306,  3] ../../source3/smbd/service.c:610(make_connection_snum)
   make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2023/03/28 10:16:07.511374,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
   Initialising default vfs hooks
[2023/03/28 10:16:07.511482,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
   Initialising custom vfs hooks from [/[Default VFS]/]
[2023/03/28 10:16:07.511551,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
   Initialising custom vfs hooks from [acl_xattr]
[2023/03/28 10:16:07.511639,  2] ../../source3/modules/vfs_acl_xattr.c:203(connect_acl_xattr)
   connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
[2023/03/28 10:16:07.511931,  3] ../../source3/smbd/service.c:854(make_connection_snum)
   192.168.10.115 (ipv4:192.168.10.115:59428) connect to service IPC$ initially as user SDCP\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.549769,  3] ../../lib/util/access.c:372(allow_access)
   Allowed connection from 192.168.10.115 (192.168.10.115)
[2023/03/28 10:16:07.549894,  3] ../../source3/smbd/service.c:610(make_connection_snum)
   make_connection_snum: Connect path is '/data/test' for service [Test]
[2023/03/28 10:16:07.549940,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
   Initialising default vfs hooks
[2023/03/28 10:16:07.549966,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
   Initialising custom vfs hooks from [/[Default VFS]/]
[2023/03/28 10:16:07.549988,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
   Initialising custom vfs hooks from [acl_xattr]
[2023/03/28 10:16:07.550011,  2] ../../source3/modules/vfs_acl_xattr.c:203(connect_acl_xattr)
   connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Test
[2023/03/28 10:16:07.550196,  2] ../../source3/smbd/service.c:854(make_connection_snum)
   192.168.10.115 (ipv4:192.168.10.115:59428) connect to service Test initially as user SDCP\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.551237,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.554113,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.558583,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.559292,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.559972,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:09.232851,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:09.233653,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:23.609881,  3] ../../source3/smbd/service.c:1127(close_cnum)
   192.168.10.115 (ipv4:192.168.10.115:59428) closed connection to service IPC$
[2023/03/28 10:16:23.610507,  2] ../../source3/smbd/service.c:1127(close_cnum)
   192.168.10.115 (ipv4:192.168.10.115:59428) closed connection to service Test
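Reading a level-3 smbd log by hand stops scaling once there are more than a few denials in it. The script below is an added example, not code from the thread or from the Samba project; it embeds a constructed, unwrapped copy of a few of the lines posted above and extracts what a triage wants first: which tree connect went to which path as which user (with the uid/gid winbind mapped it to), and how many requests failed with which NT status at which source location. It assumes only the record layout visible in the excerpt, a '[timestamp, level] file:line(function)' header followed by one or more indented message lines; the regular expressions for the connect and error messages are written against the wording shown above and are assumptions for other smbd versions.

```python
"""Triage helper for an smbd log captured at 'log level = 3'."""
import re
import sys
from collections import Counter

# Constructed sample (not the full posted log): a handful of the level-3
# records from the thread with the mail-client line wrapping undone.
SAMPLE_LOG = r"""[2023/03/28 10:16:07.511129,  3] ../../lib/util/access.c:372(allow_access)
   Allowed connection from 192.168.10.115 (192.168.10.115)
[2023/03/28 10:16:07.511306,  3] ../../source3/smbd/service.c:610(make_connection_snum)
   make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2023/03/28 10:16:07.511931,  3] ../../source3/smbd/service.c:854(make_connection_snum)
   192.168.10.115 (ipv4:192.168.10.115:59428) connect to service IPC$ initially as user SDCP\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.549894,  3] ../../source3/smbd/service.c:610(make_connection_snum)
   make_connection_snum: Connect path is '/data/test' for service [Test]
[2023/03/28 10:16:07.550196,  2] ../../source3/smbd/service.c:854(make_connection_snum)
   192.168.10.115 (ipv4:192.168.10.115:59428) connect to service Test initially as user SDCP\peter (uid=2001110, gid=2000512) (pid 2341006)
[2023/03/28 10:16:07.551237,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:07.554113,  3] ../../source3/smbd/smb2_server.c:3954(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:337
[2023/03/28 10:16:23.609881,  3] ../../source3/smbd/service.c:1127(close_cnum)
   192.168.10.115 (ipv4:192.168.10.115:59428) closed connection to service IPC$
"""

# Record header: "[<timestamp>, <level>] <file>:<line>(<function>)"
HEADER = re.compile(r"^\[(?P<ts>[^\]]+),\s*(?P<level>\d+)\]\s+(?P<loc>\S+)$")
# Message wordings as they appear in the excerpt (assumed stable for this version).
CONNECT_PATH = re.compile(
    r"Connect path is '(?P<path>[^']*)' for service \[(?P<service>[^\]]+)\]")
CONNECT_USER = re.compile(
    r"^(?P<client>\S+) \(ipv4:[^)]+\) connect to service (?P<service>\S+) "
    r"initially as user (?P<user>\S+) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)")
STATUS = re.compile(r"status\[(?P<status>NT_STATUS_[A-Z_]+)\] \|\| at (?P<at>\S+)")


def parse_entries(text):
    """Split the log into records of {ts, level, loc, msg}.

    Lines that do not look like a header are appended to the current
    record's message, which undoes any wrapping of long messages."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "loc": m["loc"], "msg": ""})
        elif entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


def summarize(text):
    """Return the tree connects seen (service, path, client, user, uid, gid)
    and a Counter of error statuses keyed by (status, source location)."""
    by_service = {}
    denials = Counter()
    for e in parse_entries(text):
        m = CONNECT_PATH.search(e["msg"])
        if m:
            by_service.setdefault(m["service"], {"service": m["service"]})["path"] = m["path"]
            continue
        m = CONNECT_USER.search(e["msg"])
        if m:
            c = by_service.setdefault(m["service"], {"service": m["service"]})
            c.update(client=m["client"], user=m["user"],
                     uid=int(m["uid"]), gid=int(m["gid"]))
            continue
        m = STATUS.search(e["msg"])
        if m:
            denials[(m["status"], m["at"])] += 1
    return {"connections": list(by_service.values()), "denials": denials}


def main():
    # Usage: python3 smbd_triage.py [/var/log/samba/log.smbd]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = summarize(text)
    for c in result["connections"]:
        print(f"tree {c['service']!r} -> {c.get('path')} as {c.get('user')} "
              f"(uid={c.get('uid')}, gid={c.get('gid')}) from {c.get('client')}")
    for (status, at), n in result["denials"].most_common():
        print(f"{n:4d} x {status} at {at}")


if __name__ == "__main__":
    main()
```

On the excerpt above this reports that SDCP\peter was authenticated and mapped to uid 2001110 / gid 2000512, that the Test tree connect to /data/test itself succeeded, and that every NT_STATUS_ACCESS_DENIED was raised from smb2_create.c, i.e. on the SMB2 CREATE (open) requests that follow the tree connect rather than on the tree connect or the session setup. That narrows the question to the permission check on the open, which is where a higher log level (or `log level = 10` restricted to the smbd classes) would be read next.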

