Web lists-archives.com

Re: [Samba] Setting up a Share Using Windows ACLs






On 2017-04-23 17:01, Rowland Penny wrote:
On Sun, 23 Apr 2017 14:07:44 +1000
Henry via samba <samba@xxxxxxxxxxxxxxx> wrote:

Following:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

In windows:

I can set permissions under the "Share Permissions" tab.

I am unable to make ANY changes under the "Security". When I try I am
presented with:

"Remotely setting permissions on the folder at the root of a share
removes all inherited permissions from the root folder and all
subfolders.  To set permissions without removing the inherited
permissions, click No and either change the permissions on a child
folder or make the change while logged in locally"

Under "Share Permissions" I have:

Domain Admins = Full Control

Domain Users = Read & Change

As it stands I am unable to access the share (using a Domain Admins
account) however I am unable to do anything.

As it stands, when you create the share as shown on the wiki page:

# mkdir -p /srv/samba/Demo/

It ends up belonging to root:root with drwxr-xr-x permissions

Or to put it it another way the 'root' user has full permissions on
the directory, members of the 'root' group have read and enter
permissions, the same goes for any other users or groups. This all
means that members of the Domain Admins group cannot write to the
directory.

Try this:

chown root:Domain\ Admins /srv/samba/Demo/
chmod 0770 /srv/samba/Demo/

Now try to set the permissions from windows.

If this works and I am sure it will, I will update the wiki page.

Rowland

Thanks Rowland I was wondering about this not being in the guide but thought best to follow it word for word. I have made the changes suggested:

root@aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

root@aphrodite:~# chown root:Domain\ Admins /srv/samba/data/Testing/
root@aphrodite:~# chmod 0770 /srv/samba/data/Testing/

root@aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

After this I was able to access the security tab and add "Domain Admins" as per the guide without any errors however after that I am locked out again. Looking at the unix permissions I see they have now changed to the following and now I can't remove "Domain Admins" to get it back to where I was before.

root@aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::---
group:domain\040admins:---
mask::rwx
other::---


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba