Re: [Samba] Computer Management - Share Security - No Read Access
- Date: Tue, 19 Feb 2019 14:44:05 -0500
- From: Marco Shmerykowsky via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Computer Management - Share Security - No Read Access
On 2019-02-19 1:58 pm, Rowland Penny via samba wrote:
On Tue, 19 Feb 2019 13:26:12 -0500
Marco Shmerykowsky via samba <samba@xxxxxxxxxxxxxxx> wrote:
On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> On Mon, 18 Feb 2019 10:58:01 -0500
> I have proven that it does work, I have pointed you at the
> This leads to one of two things:
> You cannot understand the wiki pages and if so, what can you not
> understand ? If you can let me know, I will try to clarify it for
> you and update the wiki.
> You are not fully following the wiki.
> As I said, it works for myself and numerous other people.
ok. I find my eyesight is resulting in stupid typos.
I concede that I may have done something totally stupid
due to lack of familiarity with Linux, Windows, etc.
** Samba Extended ACL Support
(CHECK - Expected result returned)
root@machine253:/# smbd -b |grep HAVE_LIBACL
** Enable Extended ACL Support in the smb.conf file
(CHECK - Specified lines are part of [global] section - Full
workgroup = INTERNAL
security = ADS
realm = INTERNAL.COMPANY.COM
server string = Samba 4 Client %h
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = yes
## map ids outside of domain to tdb files
idmap config *:backend - tdb
idmap config *:range = 2000-9999
## map ids from the domain
idmap config INTERNAL : backend = rid
idmap config INTERNAL : range = 10000-999999
# uncomment next line to allow login
# template shell = /bin/bash
template homedir = /home/%U
domain master = no
local master = no
preferred master = no
# user administrator workaround
username map = /etc/samba/user.map
Just to check, what is in the user.map ?
root@machine253:/etc/samba# cat user.map
!root = INTERNAL\Administrator INTERNAL\administrator Administrator
# for ACL support on domain member
-> vfs objects = acl_xattr
-> map acl inherit = yes
-> store dos attributes = yes
# disable printing completely
# Remove these lines to print
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# logging = 0
# Change the number to raise level
log level = 0
path = /server/programs
read only = no
** Granting the SeDiskOperatorPrivilege Privilege
(CHECK - results as expected)
root@machine253:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "INTERNAL\administrator"
Enter INTERNAL\administrator's password:
If you run 'getent group Domain\ Admins', do you get 'Administrator'
listed as a group member e.g.
root@machine253:/etc/samba# getent group Domain\ Admins
** Create Share & Set permissions
root@sce253:/# ls -la /server
drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
Something seems to have happened, note the '+' sign at the end of the
Unix permissions, what does 'getfacl /server' show ?
root@machine253:/etc/samba# getfacl /server
getfacl: Removing leading '/' from absolute path names
# file: server
# owner: root
# group: root
** Login to Windows10 client with INTERNAL\administrator
and launch Server Manager -> Computer Manager
Action/Connect to another Computer -> Machine253
Open System Tools/Shared Folders/Shares menu
Right click properties of "programs" share
Share permissions assigned to INTERNAL\programs
(INTERNAL\Programs is a group created which includes
users which are allowed to have access to the programs share)
Security tab shows:
"You must have permissions to view the properties
of this object"
(The 'Object' is \\Machine253\programs)
This is very strange, it should work, are the 'attr' and 'acl'
packages installed ?
I ran this command from the Debian section of the
"Distribution specific Package Installation" on the wiki.
# apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
For what it's worth, Group Policy is mapping the drives and the
various shares are being restricted to the proper groups.
I can also set folder/directory permissions on the share
by navigating directly to the share using a UNC path.
Just know that the last part of the "Setting Share Permissions
and ACLs" on the wiki doesn't allow for anything to be
modified on the 'Security' tab.
Not sure if this is "as designed" or did I do something
which will create problems later.
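Since the thread is chasing possible typos in the posted [global] section, here is a small POSIX shell check (added here, not code from the thread or the Samba project) that flags smb.conf lines with no "=" (the posted "idmap config *:backend - tdb" is one such line) and confirms the three settings the wiki's ACL section requires are present. The sample config is constructed to resemble the posted one; on a live host feed it the output of "testparm -s" instead.

```shell
#!/bin/sh
# Constructed sample modelled on the [global] section posted in the thread
# (not the original message text). One line deliberately lacks "=".
SAMPLE_CONF='[global]
   workgroup = INTERNAL
   security = ADS
   idmap config *:backend - tdb
   idmap config *:range = 2000-9999
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
'

# Print every non-comment, non-section, non-blank line that has no "=".
# Samba will not apply such a line as a parameter, so it is a silent typo.
# Leading whitespace is stripped to make the output easy to compare.
malformed_lines() {
    printf '%s\n' "$1" \
        | grep -v -E '^[[:space:]]*(#|;|\[|$)' \
        | grep -v '=' \
        | sed 's/^[[:space:]]*//'
}

# Return 0 when the settings the wiki's ACL section calls for are present
# (vfs objects containing acl_xattr, map acl inherit, store dos attributes).
acl_settings_present() {
    conf="$1"
    for want in 'vfs objects.*acl_xattr' \
                'map acl inherit *= *yes' \
                'store dos attributes *= *yes'; do
        printf '%s\n' "$conf" | grep -q -i -E "^[[:space:]]*$want" || return 1
    done
    return 0
}

# Live usage (assumed host): testparm -s 2>/dev/null | { conf=$(cat); ... }
# Stand-alone demonstration on the constructed sample:
malformed_lines "$SAMPLE_CONF"
acl_settings_present "$SAMPLE_CONF" && echo "ACL settings present"
```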