Re: [Samba] Computer Management - Share Security - No Read Access
- Date: Tue, 19 Feb 2019 18:58:21 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Computer Management - Share Security - No Read Access
On Tue, 19 Feb 2019 13:26:12 -0500
Marco Shmerykowsky via samba <samba@xxxxxxxxxxxxxxx> wrote:
> On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> > On Mon, 18 Feb 2019 10:58:01 -0500
> > I have proven that it does work, I have pointed you at the
> > documentation.
> > This leads to one of two things:
> > You cannot understand the wiki pages and if so, what can you not
> > understand ? If you can let me know, I will try to clarify it for
> > you and update the wiki.
> > You are not fully following the wiki.
> > As I said, it works for myself and numerous other people.
> > Rowland
> ok. I find my eyesight is resulting in stupid typos.
> I concede that I may have done something totally stupid
> due to lack of familiarity with Linux, Windows, etc
> However ......
> ** Samba Extended ACL Support
> (CHECK - Expected result returned)
> root@machine253:/# smbd -b |grep HAVE_LIBACL
> ** Enable Extended ACL Support in the smb.conf file
> (CHECK - Specified lines are part of [global] section - Full
> smb.conf provided)
> workgroup = INTERNAL
> security = ADS
> realm = INTERNAL.COMPANY.COM
> server string = Samba 4 Client %h
> winbind use default domain = yes
> winbind expand groups = 2
> winbind refresh tickets = yes
> ## map ids outside of domain to tdb files
> idmap config *:backend - tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain
> idmap config INTERNAL : backend = rid
> idmap config INTERNAL : range = 10000-999999
> # uncomment next line to allow login
> # template shell = /bin/bash
> template homedir = /home/%U
> domain master = no
> local master = no
> preferred master = no
> # user administrator workaround
> username map = /etc/samba/user.map
Just to check, what is in the user.map ?
> # for ACL support on domain member
> -> vfs objects = acl_xattr
> -> map acl inherit = yes
> -> store dos attributes = yes
> # disable printing completely
> # Remove these lines to print
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> # logging = 0
> # Change the number to raise level
> log level = 0
> path = /server/programs
> read only = no
> ** Granting the SeDiskOperatorPrivilege Privilege
> (CHECK - results as expected)
> root@machine253:/# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "INTERNAL\administrator"
> Enter INTERNAL\administrator's password:
> INTERNAL\Domain Admins
If you run 'getent group Domain\ Admins', do you get 'Administrator'
listed as a group member e.g.
> ** Create Share & Set permissions
> root@sce253:/# ls -la /server
> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
Something seems to have happened, note the '+' sign at the end of the
Unix permissions, what does 'getfacl /server' show ?
> ** Login to Windows10 client with INTERNAL\administrator
> and launch Server Manager -> Computer Manager
> Action/Connect to another Computer -> Machine253
> Open System Tools/Shared Folders/Shares menu
> Right click properties of "programs" share
> Share permissions assigned to INTERNAL\programs
> (INTERNAL\Programs is a group created which includes
> users which are allowed to have access to the programs share)
> Security tab shows:
> "You must have permissions to view the properties
> of this object"
> (The 'Object' is \\Machine253\programs)
This is very strange, it should work, are the 'attr' and 'acl'
packages installed ?
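The checklist Rowland keeps pointing at boils down to three lines in the `[global]` section plus an smb.conf free of typos, and the thread shows how easy it is to miss either by eye. The script below is an added example written for this page, not code from the Samba project or from either poster. It reads an smb.conf, confirms that `vfs objects = acl_xattr`, `map acl inherit = yes` and `store dos attributes = yes` really sit under `[global]` (and not only in a share section), and lists any setting line that has no `=` at all, the kind of typo the poster mentions. The embedded configuration is a constructed sample modelled on the one quoted above; the function names and the sample are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample smb.conf, modelled on the one quoted in the thread.
# Hypothetical content for this example only; note the deliberately
# malformed "idmap config *:backend - tdb" line ('-' where '=' belongs).
SAMPLE_CONF='[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.COMPANY.COM
idmap config *:backend - tdb
idmap config *:range = 2000-9999
idmap config INTERNAL : backend = rid
idmap config INTERNAL : range = 10000-999999
# for ACL support on domain member
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
username map = /etc/samba/user.map

[programs]
path = /server/programs
read only = no
'

# Print the trimmed setting lines of section $2 in config file $1,
# with comments and blank lines dropped.
section_lines() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*[[]/ { sec = $0; sub(/^[ \t]*[[]/, "", sec); sub(/[]].*$/, "", sec); next }
        tolower(sec) == tolower(want) { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print }
    ' "$1"
}

# Return 0 if "$2 = $3" is set in [global] of config file $1
# (case-insensitive, whitespace around '=' ignored), else 1.
has_global_setting() {
    section_lines "$1" global | awk -F= -v k="$2" -v v="$3" '
        NF >= 2 {
            key = $1; val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(k) && tolower(val) == tolower(v)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print every setting line of config file $1 that contains no '=' at all
# (section headers, comments and blank lines excluded); exit 1 if any found.
malformed_lines() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ || /^[ \t]*[[]/ { next }
        $0 !~ /=/ { print NR ": " $0; bad = 1 }
        END { exit bad ? 1 : 0 }' "$1"
}

# Run the ACL-related checks from the wiki steps quoted in the thread
# against config file $1. Return value is the number of failed checks.
check_acl_config() {
    fails=0
    for pair in "vfs objects=acl_xattr" "map acl inherit=yes" "store dos attributes=yes"; do
        key=${pair%%=*}; val=${pair#*=}
        if has_global_setting "$1" "$key" "$val"; then
            echo "ok:      [global] $key = $val"
        else
            echo "MISSING: [global] $key = $val"; fails=$((fails + 1))
        fi
    done
    if ! malformed_lines "$1" >/dev/null; then
        echo "malformed lines (no '='):"; malformed_lines "$1" || true
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone demo: write the constructed sample to a temp file and check it.
conf=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$conf"
check_acl_config "$conf" || echo "$? check(s) failed"
rm -f "$conf"
```

Run it as `check_acl_config /etc/samba/smb.conf` after sourcing the script; it only parses the file, so it says nothing about whether `smbd -b` shows `HAVE_LIBACL`, whether the `attr` and `acl` packages are installed, or what `getfacl` reports on the share path, which are the remaining checks raised in the thread.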