Web lists-archives.com

Re: [Samba] Computer Management - Share Security - No Read Access




I'm getting an inkling on the problem.

In my OLD WinNT style Domain setup, I copies all my
files to another windows machine.  I then setup the
new server and once I established a connection which
I thought was stable, I copied all the files back
to the new server on the AD Domain.

I strongly suspect that the problem has to do with
the resulting ACLs and permissions from copying between
the two domains.



On 2019-02-19 5:30 pm, L.P.H. van Belle wrote:
I suggest you start with :
1770 /server	(+ creator owner )
3770 /server/programs ( + creator owner + creator group. )

Then check again with getfacl


Greetz,

Louis

-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
Marco Shmerykowsky via samba
Verzonden: dinsdag 19 februari 2019 23:13
Aan: Rowland Penny
CC: samba@xxxxxxxxxxxxxxx
Onderwerp: Re: [Samba] Computer Management - Share Security -
No Read Access


>> On 2019-02-19 4:22 pm, Rowland Penny via samba wrote:
>> > On Tue, 19 Feb 2019 16:13:27 -0500
>> > Marco Shmerykowsky <marco@xxxxxxxxxxxxxxxxx> wrote:
>> >
>> >>
>> >> On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
>> >> > On Tue, 19 Feb 2019 15:25:51 -0500
>> >>
>> >> >> What exactly does "START AGAIN" imply? Just chmod?
>> >> >
>> >> > 'ls' shows the correct ownership and Unix permissions:
>> >> >
>> >> > drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13
>> >> > programs
>> >> >
>> >> > But 'getfacl' show something different:
>> >> >
>> >> > getfacl: Removing leading '/' from absolute path names
>> >> > # file: server
>> >> > # owner: root
>> >> > # group: root
>> >> > user::rwx
>> >> > group::r-x
>> >> > other::r-x
>> >> >
>> >> > So what I am suggesting is that you use 'setfacl' to
remove the
>> >> > extended ACL's, it is the only thing I can see
different between
>> >> > my working system and your non-working system
>> >> >
>> >> > Rowland
>> >>
>> >> root@machine253:/server# setfacl -b /server/users
>> >>
>> >> root@machine253:/server# chmod 0770 /server/programs
>> >> root@machine253:/server# ls -l
>> >> total 20
>> >> drwxrwx--- 4 root          domain admins 4096 Feb 17
19:13 programs
>> >>
>> >>
>> >> root@machine253:/server# getfacl /server/programs
>> >> getfacl: Removing leading '/' from absolute path names
>> >> # file: server/programs
>> >> # owner: root
>> >> # group: domain\040admins
>> >> user::rwx
>> >> group::rwx
>> >> other::---
>> >>
>> >> No Change
>> >
>> > When you say 'No Change' I take it you mean that it is still not
>> > working from Windows, because there is a change on the Unix side,
>> > 'Domain Admins' now has the required Unix permissions.
>>
>> Correct.  In Computer Manager I can not access anything on the
>> share except for the share permissions.
>>
>> I've also been trying to create "user directory" using %LogonUser%
>> via a group profile.  That deosn't seem to be working, but I don't
>> know if it's related.
>> >
>> > One other thing, I cannot remember asking if Apparmor or
Selinux is
>> > installed and enabled.
>> >
>> > Rowland
>>
>> I tried sestatus and apparmor_status and bith returned 'command not
>> found'
>> so I assume they're not running.  I installed Debian 9
from the LiveCD
>> with the cinnamon desktop.
>
> OK, it is late here, but just in case something has
changed, I will set
> up a new Debian 9 VM tommorrow, install the distro Samba
Packages and
> follow the Samba wiki page.
>
> Can you confirm that you are using Samba from Debian 9.
> You seem to be using '/server' as the shared directory, is this
> correct ?
> What Windows version are you using ? (I know you may have
already said,
> but it saves me looking it up)
>
> Rowland

Debian 9 -> uname -r -> 4.9.0-8-686

This is the iso I used:
https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hy
brid/debian-live-9.8.0-amd64-cinnamon.iso

Windows 10 (version 1803)

The file directory for the various shares is '/server'

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba