Re: [Samba] Computer Management - Share Security - No Read Access





On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
On Thu, 21 Feb 2019 10:39:47 -0500
Marco Shmerykowsky <marco@xxxxxxxxxxxxxxxxx> wrote:


On 2019-02-20 7:12 am, Rowland Penny wrote:
> On Wed, 20 Feb 2019 11:02:55 +0000
> Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> On Tue, 19 Feb 2019 22:05:12 +0000
>> Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>
>> > OK, it is late here, but just in case something has changed, I
>> > will set up a new Debian 9 VM tomorrow, install the distro Samba
>> > Packages and follow the Samba wiki page.
>> >
>> > Can you confirm that you are using Samba from Debian 9.
>> > You seem to be using '/server' as the shared directory, is this
>> > correct ?
>> > What Windows version are you using ? (I know you may have already
>> > said, but it saves me looking it up)
>> >
>> > Rowland
>> >
>>
>> OK, it (as I expected) works, I will clean up my notes and send
>> the OP a copy.
>>
>> Rowland

Sorry to be a pain on this, but something just refuses to work
as I would expect.  I've tried the following:

1) remove the share definition from smb.conf
2) Restart smbd
3) Remove (delete) the share directory from Linux
4) Check "Computer Management" on Windows - Share is Gone
5) mkdir -p /server/share-files
6) chown root:"Domain Admins" /server/share-files
7) chmod 0770 /server/share-files
8) getfacl /server/share-files
    -> permissions match 0770
8) Restore (un-comment) share definition in smb.conf
    -> [share-files]
    ->     path = /server/share-files
    ->     read only = no
9) smbcontrol all reload-config
10) restart smbd

If you do '9', you don't need to do '10'

Expect both would achieve same.  Figured it wouldn't hurt.


11) Go into "Computer Management" on Windows & get to
     "Shares" on machine253

Here is what I find odd.  The "Share permissions" tab lists
one of the groups I previously defined.  It is not a Windows
"built-in" group.  I created it using samba-tool on the AD.

Ignore the 'shares' tab, just use the 'security' tab, for which a
better name would be 'NTFS permissions'


If I removed the share and then recreated it, I would expect
a 'default' listing of groups.  Instead I seem to be getting a
previous "historical" group listing if I reuse the same
share names or directory names.

Two more things:

After all of this clicking and changing, I do not get the
'+' on the directory permissions.  It still reads as a
basic 0770.  It seems having this in the share is critical
to normal behavior.  At least once that appeared on my
other server - those shares started exhibiting normal
behavior.

Second, I've discovered that if I add the "Everyone" group
to the "Share Permissions" then suddenly I can modify
the Security tab.  If I remove the "Everyone group" then
it eventually reverts to giving me the following error:

As I said above, ignore the 'Share' tab, leave 'Everyone' there.
I go now to update the wiki page (again).

Just discovered that although I can access "Security" (i.e. NTFS Permissions)
I get "Failed to enumerate objects in the container. Access is denied"
when I attempt to apply the changes.

