Web lists-archives.com

Re: [Samba] Computer Management - Share Security - No Read Access




I somehow got one server to behave properly. (I created shares on two different but similarly configured servers).

The difference between the server that 'works' and the one that 'doesn't ' appears to have to do with the assignment of ACL's to the root of the share. In the case of the wiki example, it would be the "Demo" in /srv/samba/Demo. 

The permissions for the properly behaved directory have a '+'  at the end of the definition (ex. drwxr_xr_x+).  Not sure how I created it tho'
--

Marco J. Shmerykowsky, PE, F.ASCE
marco@xxxxxxxxxxxxxxxxx

-----------------------------------------------------------------
Shmerykowsky Consulting Engineers
        Structural Analysis & Design
     102 West 38th Street, 2nd Floor
         New York, New York 10018
Tel. (212) 719-9700 Fax. (212) 719-4822
      http://www.sce-engineers.com
 ----------------------------------------------------------------


On February 19, 2019 6:27:14 PM EST, Marco Shmerykowsky via samba <samba@xxxxxxxxxxxxxxx> wrote:
>I'm getting an inkling on the problem.
>
>In my OLD WinNT style Domain setup, I copies all my
>files to another windows machine.  I then setup the
>new server and once I established a connection which
>I thought was stable, I copied all the files back
>to the new server on the AD Domain.
>
>I strongly suspect that the problem has to do with
>the resulting ACLs and permissions from copying between
>the two domains.
>
>
>
>On 2019-02-19 5:30 pm, L.P.H. van Belle wrote:
>> I suggest you start with :
>> 1770 /server	(+ creator owner )
>> 3770 /server/programs ( + creator owner + creator group. )
>> 
>> Then check again with getfacl
>> 
>> 
>> Greetz,
>> 
>> Louis
>> 
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
>>> Marco Shmerykowsky via samba
>>> Verzonden: dinsdag 19 februari 2019 23:13
>>> Aan: Rowland Penny
>>> CC: samba@xxxxxxxxxxxxxxx
>>> Onderwerp: Re: [Samba] Computer Management - Share Security -
>>> No Read Access
>>> 
>>> 
>>> >> On 2019-02-19 4:22 pm, Rowland Penny via samba wrote:
>>> >> > On Tue, 19 Feb 2019 16:13:27 -0500
>>> >> > Marco Shmerykowsky <marco@xxxxxxxxxxxxxxxxx> wrote:
>>> >> >
>>> >> >>
>>> >> >> On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
>>> >> >> > On Tue, 19 Feb 2019 15:25:51 -0500
>>> >> >>
>>> >> >> >> What exactly does "START AGAIN" imply? Just chmod?
>>> >> >> >
>>> >> >> > 'ls' shows the correct ownership and Unix permissions:
>>> >> >> >
>>> >> >> > drwxrwx---+  4 root          domain admins 4096 Feb 17 19:13
>>> >> >> > programs
>>> >> >> >
>>> >> >> > But 'getfacl' show something different:
>>> >> >> >
>>> >> >> > getfacl: Removing leading '/' from absolute path names
>>> >> >> > # file: server
>>> >> >> > # owner: root
>>> >> >> > # group: root
>>> >> >> > user::rwx
>>> >> >> > group::r-x
>>> >> >> > other::r-x
>>> >> >> >
>>> >> >> > So what I am suggesting is that you use 'setfacl' to
>>> remove the
>>> >> >> > extended ACL's, it is the only thing I can see
>>> different between
>>> >> >> > my working system and your non-working system
>>> >> >> >
>>> >> >> > Rowland
>>> >> >>
>>> >> >> root@machine253:/server# setfacl -b /server/users
>>> >> >>
>>> >> >> root@machine253:/server# chmod 0770 /server/programs
>>> >> >> root@machine253:/server# ls -l
>>> >> >> total 20
>>> >> >> drwxrwx--- 4 root          domain admins 4096 Feb 17
>>> 19:13 programs
>>> >> >>
>>> >> >>
>>> >> >> root@machine253:/server# getfacl /server/programs
>>> >> >> getfacl: Removing leading '/' from absolute path names
>>> >> >> # file: server/programs
>>> >> >> # owner: root
>>> >> >> # group: domain\040admins
>>> >> >> user::rwx
>>> >> >> group::rwx
>>> >> >> other::---
>>> >> >>
>>> >> >> No Change
>>> >> >
>>> >> > When you say 'No Change' I take it you mean that it is still
>not
>>> >> > working from Windows, because there is a change on the Unix
>side,
>>> >> > 'Domain Admins' now has the required Unix permissions.
>>> >>
>>> >> Correct.  In Computer Manager I can not access anything on the
>>> >> share except for the share permissions.
>>> >>
>>> >> I've also been trying to create "user directory" using
>%LogonUser%
>>> >> via a group profile.  That deosn't seem to be working, but I
>don't
>>> >> know if it's related.
>>> >> >
>>> >> > One other thing, I cannot remember asking if Apparmor or
>>> Selinux is
>>> >> > installed and enabled.
>>> >> >
>>> >> > Rowland
>>> >>
>>> >> I tried sestatus and apparmor_status and bith returned 'command
>not
>>> >> found'
>>> >> so I assume they're not running.  I installed Debian 9
>>> from the LiveCD
>>> >> with the cinnamon desktop.
>>> >
>>> > OK, it is late here, but just in case something has
>>> changed, I will set
>>> > up a new Debian 9 VM tommorrow, install the distro Samba
>>> Packages and
>>> > follow the Samba wiki page.
>>> >
>>> > Can you confirm that you are using Samba from Debian 9.
>>> > You seem to be using '/server' as the shared directory, is this
>>> > correct ?
>>> > What Windows version are you using ? (I know you may have
>>> already said,
>>> > but it saves me looking it up)
>>> >
>>> > Rowland
>>> 
>>> Debian 9 -> uname -r -> 4.9.0-8-686
>>> 
>>> This is the iso I used:
>>> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hy
>> brid/debian-live-9.8.0-amd64-cinnamon.iso
>>> 
>>> Windows 10 (version 1803)
>>> 
>>> The file directory for the various shares is '/server'
>>> 
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> 
>>> 
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba