[Samba] windows acls

Peter Carlson peter at howudodat.com
Tue Mar 28 17:43:09 UTC 2023


On 3/28/23 09:55, Rowland Penny via samba wrote:
>
>
> On 28/03/2023 17:41, Peter Carlson via samba wrote:
>>
>> On 3/28/23 08:40, Rowland Penny via samba wrote:
>>>
>>>
>>> On 28/03/2023 15:50, Peter Carlson via samba wrote:
>>>>
>>>> On 3/28/23 07:36, Rowland Penny via samba wrote:
>>>>>
>>>>>
>>>>> On 28/03/2023 15:08, Peter Carlson via samba wrote:
>>>>>>
>>>>>> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>>>>>>> I am having troubles with windows ACLs.  I have been following 
>>>>>>>> the wiki 
>>>>>>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) 
>>>>>>>> and must have messed something up.
>>>>>>>> I can't set the permissions on the root of the share. error: 
>>>>>>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>>>>>>
>>>>>>>> I set the SeDiskOperatorPrivilege, created the folder with 
>>>>>>>> permissions as stated in the wiki, and set smb.conf as 
>>>>>>>> described. What might I be missing?
>>>>>>>>
>>>>>>>> root at filesvr:~# net rpc rights list privileges SeDiskOperatorPrivilege -U SDCP\\peter
>>>>>>>> Password for [SDCP\peter]:
>>>>>>>> SeDiskOperatorPrivilege:
>>>>>>>>    SDCP\Domain Admins
>>>>>>>>    BUILTIN\Administrators
>>>>>>>>
>>>>>>>> root at filesvr:~# ls -l /data
>>>>>>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct 3 08:45 test
>>>>>>>
>>>>>>> What are the permissions set on /data ?
>>>>>>>
>>>>>>> What does 'getfacl /data/test' produce ?
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> root at filesvr:~# ls -l /
>>>>>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>>>>>
>>>>>> root at filesvr:~# getfacl /data/test
>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>> # file: data/test
>>>>>> # owner: root
>>>>>> # group: SDCP\\domain\040admins
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> user:SDCP\\domain\040admins:rwx
>>>>>> user:SDCP\\domain\040users:rwx
>>>>>> group::rwx
>>>>>> group:SDCP\\domain\040admins:rwx
>>>>>> group:SDCP\\domain\040users:rwx
>>>>>> mask::rwx
>>>>>> other::---
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:user:SDCP\\domain\040users:rwx
>>>>>> default:group::r-x
>>>>>> default:group:SDCP\\domain\040admins:r-x
>>>>>> default:group:SDCP\\domain\040users:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::r-x
>>>>>
>>>>> OK, your user should be able to get to the 'data' directory via 
>>>>> 'others'
>>>>>
>>>>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>>>>
>>>>> Where, because the permissions are these:
>>>>>
>>>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>>>>
>>>>> His membership of Domain Admins should allow entry into 'test'
>>>>>
>>>>> However, you also wrote this 'On a different server showing my 
>>>>> membership', what do you get if you run 'groups' on 'filesvr' ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> ok, on the filesvr I can get to things as me:
>>>> SDCP\peter at filesvr:~$ groups
>>>> SDCP\domain admins BUILTIN\administrators BUILTIN\users SDCP\domain 
>>>> users SDCP\denied rodc password replication group SDCP\dbusers 
>>>> SDCP\peter SDCP\linux admins SDCP\remotedesktop SDCP\nextcloud users
>>>> SDCP\peter at filesvr:~$ cd /data/test
>>>> SDCP\peter at filesvr:/data/test$ ls
>>>> officefld  peter-ad.txt  peter.txt  root.txt  test Windows.txt
>>>> SDCP\peter at filesvr:/data/test$ cat peter.txt
>>>>
>>>> test from peter
>>>>
>>>> However, on Windows I get access denied both when trying to set 
>>>> permissions via Computer Management on the root of the share and 
>>>> when trying to access the share via File Explorer.
>>>
>>>
>>> I am using Samba 4.17.5 on a test machine with a share set up 
>>> exactly like yours and using computer management on a Win10 
>>> computer, everything works for myself.
>>>
>>> After comparing your smb.conf with mine, could you please try adding 
>>> 'winbind expand groups = 2' to your smb.conf, reload or restart 
>>> Samba and try again.
>>>
>>> Rowland
>>>
>>>
>> winbind expand groups = 2 didn't help.  Same error on Windows, 
>> nothing in the event viewer and no logs in /var/log/samba; perhaps a 
>> higher logging setting is needed?  I am running on Version 
>> 4.15.13-Ubuntu. I could do a tcpdump if that helps, but I'd need to 
>> read up on what you would need for that.
>
> This is weird, it just works for myself; the only other differences 
> between my smb.conf and yours are these lines:
>
>     disable netbios = Yes
>     dns proxy = No
>     min domain uid = 0
>     username map = /etc/samba/user.map
>
> The last one relies on a file containing this line:
>
> !root = SDCP\Administrator
>
> Have you tried running 'net cache flush' on the Linux machine ?
> Could AppArmor be getting in the way ?
>
> Rowland
>
Bumping the log to 5, there are a few more lines right before 
NT_STATUS_ACCESS_DENIED. Could the EA error be a clue?

[2023/03/28 10:37:19.643508,  5] ../../source3/smbd/vfs.c:1334(check_reduced_name)
   check_reduced_name: . reduced to /data/test
[2023/03/28 10:37:19.643539,  5] ../../source3/smbd/dosmode.c:177(unix_mode)
   unix_mode: unix_mode(.) returning 0666
[2023/03/28 10:37:19.643605,  5] ../../source3/smbd/dosmode.c:396(fget_ea_dos_attribute)
   fget_ea_dos_attribute: Cannot get attribute from EA on file .: Error = No data available
[2023/03/28 10:37:19.643652,  4] ../../source3/smbd/open.c:3808(open_file_ntcreate)
   calling open_file with flags=0x0 flags2=0x800 mode=0666, access_mask = 0x20080, open_access_mask = 0x20080
[2023/03/28 10:37:19.643680,  5] ../../source3/smbd/open.c:4427(open_directory)
   open_directory: opening directory ., access_mask = 0x20080, share_access = 0x7 create_options = 0x200000, create_disposition = 0x1, file_attributes = 0x10

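To make sense of a level-5 trace like the one above, here is an added Python helper that is not part of this thread or of Samba itself: it groups smbd debug output into entries, decodes the access_mask values quoted in the log, and lists the functions logged just before the first NT_STATUS_ACCESS_DENIED. The sample log is constructed from the quoted entries; the final error entry and its file:line are placeholders.

```python
import re

# Constructed sample in the one-line-header form smbd writes to log.smbd, mirroring
# the quoted entries plus a constructed final error entry (file:line is a placeholder).
SAMPLE_LOG = """\
[2023/03/28 10:37:19.643508,  5] ../../source3/smbd/vfs.c:1334(check_reduced_name)
  check_reduced_name: . reduced to /data/test
[2023/03/28 10:37:19.643605,  5] ../../source3/smbd/dosmode.c:396(fget_ea_dos_attribute)
  fget_ea_dos_attribute: Cannot get attribute from EA on file .: Error = No data available
[2023/03/28 10:37:19.643652,  4] ../../source3/smbd/open.c:3808(open_file_ntcreate)
  calling open_file with flags=0x0 flags2=0x800 mode=0666, access_mask = 0x20080, open_access_mask = 0x20080
[2023/03/28 10:37:19.643680,  5] ../../source3/smbd/open.c:4427(open_directory)
  open_directory: opening directory ., access_mask = 0x20080, share_access = 0x7 create_options = 0x200000, create_disposition = 0x1, file_attributes = 0x10
[2023/03/28 10:37:19.643700,  3] ../../source3/smbd/smb2_server.c:0(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]
"""
# Windows access-mask bits (MS-DTYP standard rights plus directory rights) for the masks above.
ACCESS_BITS = {
    0x00000001: "FILE_LIST_DIRECTORY", 0x00000002: "FILE_ADD_FILE",
    0x00000080: "FILE_READ_ATTRIBUTES", 0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)\s*$")

def parse_samba_log(text):
    """Group debug output into entries: a header line plus its indented message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, path, lineno, func = m.groups()
            entries.append({"ts": ts, "level": int(level), "file": path,
                            "line": int(lineno), "func": func, "msg": []})
        elif entries:
            entries[-1]["msg"].append(line.strip())
    return entries

def decode_access_mask(mask):
    """Name the bits set in an access mask; any bit not in the table is kept as hex."""
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    return names + ([hex(unknown)] if unknown else [])

def trace_before(entries, status, n=3):
    """Functions logged in the n entries before the first one mentioning status."""
    for i, e in enumerate(entries):
        if any(status in m for m in e["msg"]):
            return [x["func"] for x in entries[max(0, i - n):i]]
    return []
```

Running decode_access_mask(0x20080) on the quoted open shows the client asked only for READ_CONTROL and FILE_READ_ATTRIBUTES, i.e. to read the security descriptor, which is the request Computer Management makes before it can show or edit permissions.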