
Re: [Samba] Computer Management - Share Security - No Read Access





On 2019-02-21 11:30 am, Rowland Penny via samba wrote:
On Thu, 21 Feb 2019 11:12:05 -0500
Marco Shmerykowsky <marco@xxxxxxxxxxxxxxxxx> wrote:


On 2019-02-21 10:57 am, Rowland Penny via samba wrote:
> On Thu, 21 Feb 2019 10:39:47 -0500
> Marco Shmerykowsky <marco@xxxxxxxxxxxxxxxxx> wrote:
>
>>
>> On 2019-02-20 7:12 am, Rowland Penny wrote:
>> > On Wed, 20 Feb 2019 11:02:55 +0000
>> > Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> >
>> >> On Tue, 19 Feb 2019 22:05:12 +0000
>> >> Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> >>
>> >> > OK, it is late here, but just in case something has changed, I
>> >> > will set up a new Debian 9 VM tomorrow, install the distro
>> >> > Samba Packages and follow the Samba wiki page.
>> >> >
>> >> > Can you confirm that you are using Samba from Debian 9.
>> >> > You seem to be using '/server' as the shared directory, is
>> >> > this correct ?
>> >> > What Windows version are you using ? (I know you may have
>> >> > already said, but it saves me looking it up)
>> >> >
>> >> > Rowland
>> >> >
>> >>
>> >> OK, it (as I expected) works, I will clean up my notes and send
>> >> the OP a copy.
>> >>
>> >> Rowland
>>
>> Sorry to be a pain on this, but something just refuses to work
>> as I would expect.  I've tried the following:
>>
>> 1) remove the share definition from smb.conf
>> 2) Restart smbd
>> 3) Remove (delete) the share directory from Linux
>> 4) Check "Computer Management" on windows - Share is Gone
>> 5) mkdir -p /server/share-files
>> 6) chown root:"Domain Admins" /server/share-files
>> 7) chmod 0770 /server/share-files
>> 8) getfacl /server/share-files
>>     -> permissions match 0770
>> 8) Restore (un-comment) share definition in smb.conf
>>     -> [share-files]
>>     ->     path = /server/share-files
>>     ->     read only = no
>> 9) smbcontrol all reload-config
>> 10) restart smbd
>
> If you do '9', you don't need to do '10'

Expect both would achieve same.  Figured it wouldn't hurt.

Well yes, it doesn't hurt, you just don't need to do both ;-)


>
>> 11) Go into "Computer Management" on windows & get to
>>      "Shares" on machine253
>>
>> Here is what I find odd.  The "Share permissions" tab lists
>> one of the groups I previously defined.  It is not a windows
>> "built-in" group.  I created it using samba-tool on the AD.
>
> Ignore the 'shares' tab, just use the 'security' tab, for which a
> better name would be 'NTFS permissions'
>
>>
>> If I removed the share and then recreated it, I would expect
>> a 'default' listing of groups.  Instead I seem to be getting a
>> previous "historical" group listing if I reuse the same
>> share names or directory names.
>>
>> Two more things:
>>
>> After all of this clicking and changing, I do not get the
>> '+' on the directory permissions.  It still reads as a
>> basic 0770.  It seems having this in the share is critical
>> to normal behavior.  At least once that appeared on my
>> other server - those shares started exhibiting normal
>> behavior.
>>
>> Second, I've discovered that if I add the "Everyone" group
>> to the "Share Permissions" then suddenly I can modify
>> the Security tab.  If I remove the "Everyone group" then
>> it eventually reverts to giving me the following error:
>
> As I said above, ignore the 'Share' tab, leave 'Everyone' there.
> I go now to update the wiki page (again).

I have updated the wiki page.


Just discovered that although I can access "Security" (ie NTFS Permissions)
I get "Failed to enumerate objects in the container. Access is denied"
when I attempt to apply the changes.


If you followed the document I sent you, it should work, but it looks like
you are not following it fully, I never mentioned the 'Share
Permissions' tab.

The "Share Permissions" was on the wiki.

With respect to your document, I'm following it to the letter.
Can't see anything I missed:

root@sce253:/# service smbd stop
root@sce253:/# rmdir /server/share-files
root@sce253:/# rmdir /server/users
root@sce253:/# cd ..
root@sce253:/# rmdir server
root@sce253:/# mkdir -p /server/share-files
root@sce253:/# mkdir -p /server/users
root@sce253:/# chown root:"Domain Admins" /server/share-files
root@sce253:/# chown root:"Domain Admins" /server/users
root@sce253:/# chmod 0770 /server/share-files
root@sce253:/# chmod 0770 /server/users
root@sce253:/# ls -l /server
total 8
drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 share-files
drwxrwx--- 2 root domain admins 4096 Feb 21 12:00 users
root@sce253:/# getfacl /server/share-files
getfacl: Removing leading '/' from absolute path names
# file: server/share-files
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

root@sce253:/# getfacl /server/users
getfacl: Removing leading '/' from absolute path names
# file: server/users
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

root@sce253:/# service smbd start

** Computer Management -> Connect to other computer
** Click thru connection warning
** Open Shared Folders
** right click "shared-files" & select properties
** Select Security Tab
** Hit 'ADD' and find and add 'programs' group. (Completes)
** Grant Full Control
** Hit OK
** Click "Yes" to remotely reset permissions

******* FAILED TO ENUMERATE OBJECTS IN CONTAINER. ACCESS IS DENIED

Can't see where I could be deviating
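
Added example, not part of the original thread: a small shell helper that reads getfacl output and reports whether a directory carries only the basic mode-bit ACL (no '+' in ls -l, as in the transcript above) or an extended ACL, and decodes the \040 escape in the owning group. The function names are hypothetical, and the second sample is constructed for illustration.

```sh
# Classify getfacl output read on stdin: "minimal" means only the three base
# entries exist (ls -l shows no '+'); "extended" means named entries, a mask
# or default: entries are present.
acl_kind() {
    awk '
        /^#/ || /^[ \t]*$/     { next }           # header comments, blank lines
        /^default:/            { ext = 1; next }  # inheritable (default) ACL
        /^mask:/               { ext = 1; next }  # mask appears with extended entries
        /^(user|group):[^:]+:/ { ext = 1; next }  # named user or group entry
        END { print (ext ? "extended" : "minimal") }
    '
}

# Print the owning group, decoding getfacl's \040 escape for a space.
acl_owner_group() {
    awk '/^# group: / { g = substr($0, 10); gsub(/\\040/, " ", g); print g; exit }'
}

# Print the permission bits of a base entry: acl_base_perm user|group|other
acl_base_perm() {
    awk -F: -v tag="$1" '$1 == tag && $2 == "" { print $3; exit }'
}

# getfacl output as posted in the thread (no extended ACL).
sample_minimal() {
cat <<'EOF'
# file: server/share-files
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---
EOF
}

# Constructed sample: the same directory with a named entry for 'programs'.
sample_extended() {
cat <<'EOF'
# file: server/share-files
# owner: root
# group: domain\040admins
user::rwx
group::rwx
group:programs:rwx
mask::rwx
other::---
EOF
}
```

Against a live directory the same check is `getfacl -p /server/share-files | acl_kind`; the -p option keeps the leading '/' in the reported path.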
