Re: [Samba] Computer Management - Share Security - No Read Access

On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> On Mon, 18 Feb 2019 10:58:01 -0500
>
> I have proven that it does work, I have pointed you at the
> This leads to one of two things:
>
> You cannot understand the wiki pages and if so, what can you not
> understand ? If you can let me know, I will try to clarify it for you
> and update the wiki.
>
> You are not fully following the wiki.
>
> As I said, it works for myself and numerous other people.


OK. I find my eyesight is resulting in stupid typos.
I concede that I may have done something totally stupid
due to lack of familiarity with Linux, Windows, etc.

However ......

Following https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

** Samba Extended ACL Support
   (CHECK - Expected result returned)

root@machine253:/# smbd -b |grep HAVE_LIBACL

** Enable Extended ACL Support in the smb.conf file
(CHECK - Specified lines are part of [global] section - Full smb.conf provided)

        workgroup = INTERNAL
        security = ADS
        realm = INTERNAL.COMPANY.COM
        server string = Samba 4 Client %h

        winbind use default domain = yes
        winbind expand groups = 2
        winbind refresh tickets = yes

        ## map ids outside of domain to tdb files
        idmap config *:backend - tdb
        idmap config *:range = 2000-9999

        ## map ids from the domain
        idmap config INTERNAL : backend = rid
        idmap config INTERNAL : range = 10000-999999

        # uncomment next line to allow login
        # template shell = /bin/bash
        template homedir = /home/%U

        domain master =  no
        local master = no
        preferred master = no

        # user administrator workaround
        username map = /etc/samba/user.map

        # for ACL support on domain member
->      vfs objects = acl_xattr
->      map acl inherit = yes
->      store dos attributes = yes

        # disable printing completely
        # Remove these lines to print
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        # logging = 0
        # Change the number to raise level
        log level = 0

        path = /server/programs
        read only = no

** Granting the SeDiskOperatorPrivilege Privilege
   (CHECK - results as expected)

root@machine253:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "INTERNAL\administrator"
Enter INTERNAL\administrator's password:
  INTERNAL\Domain Admins

** Create Share & Set permissions

root@sce253:/# ls -la /server
drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13 programs

** Login to Windows10 client with INTERNAL\administrator
   and launch Server Manager -> Computer Manager

   Action/Connect to another Computer -> Machine253

   Open System Tools/Shared Folders/Shares menu

   Right click properties of "programs" share

   Share permissions assigned to INTERNAL\programs
   (INTERNAL\Programs is a group created which includes
    users which are allowed to have access to the programs share)

   Security tab shows:

   "You must have permissions to view the properties
    of this object"
   (The 'Object' is \\Machine253\programs)
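An added example, not part of this thread or of Samba: a small Python checker for the "Enable Extended ACL Support" step above. It parses an smb.conf-style file, reports every non-comment line in a section that has no `=` (the kind of typo the poster mentions; note the quoted config's `idmap config *:backend - tdb` line has `-` where `=` belongs, so Samba would not read that parameter as written), and confirms the three ACL parameters from the wiki page are present in `[global]`. `SAMPLE_CONF` is a constructed excerpt modelled on the posted config, with an assumed `[programs]` share header for the `path`/`read only` lines; it is not the poster's full file. On a real domain member, `testparm -s` remains the authoritative check.

```python
"""Check an smb.conf for the Windows-ACL settings the Samba wiki requires
and flag malformed parameter lines.  Added example, not the project's code."""
import re

# Parameters the wiki's "Enable Extended ACL Support" step puts in [global].
REQUIRED_ACL_SETTINGS = {
    "vfs objects": "acl_xattr",
    "map acl inherit": "yes",
    "store dos attributes": "yes",
}

# Constructed sample based on the config quoted in the post.  The
# '[programs]' header is an assumption; the '-' on the tdb backend line is
# reproduced deliberately so the checker has something to catch.
SAMPLE_CONF = """\
[global]
        workgroup = INTERNAL
        security = ADS
        realm = INTERNAL.COMPANY.COM
        idmap config *:backend - tdb
        idmap config *:range = 2000-9999
        idmap config INTERNAL : backend = rid
        idmap config INTERNAL : range = 10000-999999
        # for ACL support on domain member
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[programs]
        path = /server/programs
        read only = no
"""


def parse_smb_conf(text):
    """Return ({section: {key: value}}, [(lineno, line) for malformed lines]).

    Keys are lower-cased with whitespace collapsed and spaces around ':'
    removed, so 'idmap config INTERNAL : backend' and
    'idmap config INTERNAL:backend' compare equal, as Samba treats them.
    Lines before the first [section] header are also reported as malformed.
    """
    sections, malformed = {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            malformed.append((lineno, line))
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", ":", key)
        sections[current][key] = value.strip()
    return sections, malformed


def check_acl_settings(sections):
    """Return a list of problems with the ACL-related [global] parameters."""
    problems = []
    glob = sections.get("global", {})
    for key, expected in REQUIRED_ACL_SETTINGS.items():
        actual = glob.get(key)
        if actual is None:
            problems.append(f"missing '{key} = {expected}' in [global]")
        elif key == "vfs objects":
            # 'vfs objects' is a list; acl_xattr just has to be one entry.
            if expected not in actual.lower().split():
                problems.append(f"'vfs objects' is '{actual}', lacks {expected}")
        elif actual.lower() != expected:
            problems.append(f"'{key}' is '{actual}', expected '{expected}'")
    # Share-level parameters inside [global] usually mean a lost section header.
    for share_param in ("path", "read only"):
        if share_param in glob:
            problems.append(f"share parameter '{share_param}' found in [global]")
    return problems


def run_checks(text):
    """Parse and check a config; return a list of human-readable findings."""
    sections, malformed = parse_smb_conf(text)
    findings = [f"line {n}: no '=' in parameter line: {l}" for n, l in malformed]
    findings.extend(check_acl_settings(sections))
    return findings


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_CONF) or ["no problems found"]:
        print(finding)
```

Running it against the constructed sample prints only the malformed `idmap config *:backend - tdb` line, since the three ACL parameters are present. Point `run_checks` at the contents of `/etc/samba/smb.conf` to repeat the check on a live system, then confirm with `testparm -s`.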

