
Re: [Samba] Computer Management - Share Security - No Read Access




I suggest you start with:
1770 /server (+ creator owner)
3770 /server/programs (+ creator owner + creator group)

Then check again with getfacl.


Greetz, 

Louis 

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Marco Shmerykowsky via samba
> Sent: Tuesday 19 February 2019 23:13
> To: Rowland Penny
> CC: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Computer Management - Share Security - No Read Access
> 
> 
> >> On 2019-02-19 4:22 pm, Rowland Penny via samba wrote:
> >> > On Tue, 19 Feb 2019 16:13:27 -0500
> >> > Marco Shmerykowsky <marco@xxxxxxxxxxxxxxxxx> wrote:
> >> >
> >> >>
> >> >> On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
> >> >> > On Tue, 19 Feb 2019 15:25:51 -0500
> >> >>
> >> >> >> What exactly does "START AGAIN" imply? Just chmod?
> >> >> >
> >> >> > 'ls' shows the correct ownership and Unix permissions:
> >> >> >
> >> >> > drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13 programs
> >> >> >
> >> >> > But 'getfacl' shows something different:
> >> >> >
> >> >> > getfacl: Removing leading '/' from absolute path names
> >> >> > # file: server
> >> >> > # owner: root
> >> >> > # group: root
> >> >> > user::rwx
> >> >> > group::r-x
> >> >> > other::r-x
> >> >> >
> >> >> > So what I am suggesting is that you use 'setfacl' to remove the
> >> >> > extended ACLs, it is the only thing I can see different between
> >> >> > my working system and your non-working system
> >> >> >
> >> >> > Rowland
> >> >>
> >> >> root@machine253:/server# setfacl -b /server/users
> >> >>
> >> >> root@machine253:/server# chmod 0770 /server/programs
> >> >> root@machine253:/server# ls -l
> >> >> total 20
> >> >> drwxrwx--- 4 root          domain admins 4096 Feb 17 19:13 programs
> >> >>
> >> >>
> >> >> root@machine253:/server# getfacl /server/programs
> >> >> getfacl: Removing leading '/' from absolute path names
> >> >> # file: server/programs
> >> >> # owner: root
> >> >> # group: domain\040admins
> >> >> user::rwx
> >> >> group::rwx
> >> >> other::---
> >> >>
> >> >> No Change
> >> >
> >> > When you say 'No Change' I take it you mean that it is still not
> >> > working from Windows, because there is a change on the Unix side,
> >> > 'Domain Admins' now has the required Unix permissions.
> >> 
> >> Correct.  In Computer Manager I can not access anything on the
> >> share except for the share permissions.
> >> 
> >> I've also been trying to create "user directory" using %LogonUser%
> >> via a group profile.  That doesn't seem to be working, but I don't
> >> know if it's related.
> >> >
> >> > One other thing, I cannot remember asking if AppArmor or SELinux is
> >> > installed and enabled.
> >> >
> >> > Rowland
> >> 
> >> I tried sestatus and apparmor_status and both returned 'command not
> >> found'
> >> so I assume they're not running.  I installed Debian 9 from the LiveCD
> >> with the cinnamon desktop.
> > 
> > OK, it is late here, but just in case something has changed, I will set
> > up a new Debian 9 VM tomorrow, install the distro Samba Packages and
> > follow the Samba wiki page.
> > 
> > Can you confirm that you are using Samba from Debian 9?
> > You seem to be using '/server' as the shared directory, is this
> > correct?
> > What Windows version are you using? (I know you may have already said,
> > but it saves me looking it up)
> > 
> > Rowland
> 
> Debian 9 -> uname -r -> 4.9.0-8-686
> 
> This is the iso I used: 
> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-9.8.0-amd64-cinnamon.iso
> 
> Windows 10 (version 1803)
> 
> The file directory for the various shares is '/server'
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

