Web lists-archives.com

Re: [Samba] Computer Management - Share Security - No Read Access




On Tue, 19 Feb 2019 13:26:12 -0500
Marco Shmerykowsky via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> > On Mon, 18 Feb 2019 10:58:01 -0500
> > 
> > I have proven that it does work, I have pointed you at the
> > documentation.
> > This leads to one of two things:
> > 
> > You cannot understand the wiki pages and if so, what can you not
> > understand ? If you can let me know, I will try to clarify it for
> > you and update the wiki.
> > 
> > You are not fully following the wiki.
> > 
> > As I said, it works for myself and numerous other people.
> > 
> > Rowland
> 
> ok.  I find my eyesight is resulting in stupid typos.
> I concede that I may have dome something totally stupid
> due to lack of familiarity with Linux, Windows, etc
> settings/configurations.
> 
> However ......
> 
> Following 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> ** Samba Extended ACL Support
>     (CHECK - Expected result returned)
> 
> root@machine253:/# smbd -b |grep HAVE_LIBACL
>     HAVE_LIBACL
> 
> ** Enable Extended ACL Support in the smb.conf file
>     (CHECK - Specified lines are part of [global] section - Full
> smb.conf provided)
> 
> [global]
>          workgroup = INTERNAL
>          security = ADS
>          realm = INTERNAL.COMPANY.COM
>          server string = Samba 4 Client %h
> 
>          winbind use default domain = yes
>          winbind expand groups = 2
>          winbind refresh tickets = yes
> 
>          ## map ids outside of domain to tdb files
>          idmap config *:backend - tdb
>          idmap config *:range = 2000-9999
> 
>          ## map ids from the domain
>          idmap config INTERNAL : backend = rid
>          idmap config INTERNAL : range = 10000-999999
> 
>          # uncomment next line to allow login
>          # template shell = /bin/bash
>          template homedir = /home/%U
> 
>          domain master =  no
>          local master = no
>          preferred master = no
> 
>          # user administrator workaround
>          username map = /etc/samba/user.map

Just to check, what is in the user.map ?

> 
>          # for ACL support on domain member
> ->      vfs objects = acl_xattr
> ->      map acl inherit = yes
> ->      store dos attributes = yes
> 
>          # disable printing completely
>          # Remove these lines to print
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
> 
>          # logging = 0
>          # Change the number to raise level
>          log level = 0
> 
> [programs]
>          path = /server/programs
>          read only = no
> 
> ** Granting the SeDiskOperatorPrivilege Privilege
>     (CHECK - results as expected)
> 
> root@machine253:/# net rpc rights list privileges 
> SeDiskOperatorPrivilege -U "INTERNAL\administrator"
> Enter INTERNAL\administrator's password:
> SeDiskOperatorPrivilege:
>    BUILTIN\Administrators
>    INTERNAL\Domain Admins

If you run 'getent group Domain\ Admins', do you get 'Administrator'
listed as a group member e.g.

domain_admins:x:10512:administrator,rowland,.........

> 
> ** Create Share & Set permissions
> 
> root@sce253:/# ls -la /server
> drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13 programs

Something seems to have happened, note the '+' sign at the end of the
Unix permissions, what does 'getfacl /server' show ?

> 
> ** Login to Windows10 client with INTERNAL\administrator
>     and launch Server Manager -> Computer Manager
> 
>     Action/Connect to another Computer -> Machine253
> 
>     Open System Tools/Shared Folders/Shares menu
> 
>     Right click properties of "programs" share
> 
>     Share permissions assigned to INTERNAL\programs
>     (INTERNAL\Programs is a group created which includes
>      users which are allowed to have access to the programs share)
> 
>     Security tab shows:
> 
>     "You must have permissions to view the properties
>      of this object"
>     (The 'Object' is \\Machine253\programs)

This is very strange, it should work, are the 'attr' and 'acl'
packages installed ?
 
Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba