Re: [Samba] Share will Domain Users Full Control permissions, not accessible by domain user
- Date: Thu, 21 Feb 2019 19:28:38 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Share will Domain Users Full Control permissions, not accessible by domain user
On Thu, 21 Feb 2019 10:49:49 -0800
Mason Schmitt <mason@xxxxxxxxxxxxxxxx> wrote:
> Hi Rowland,
> > template homedir = /home/%U@%D
> > Nothing to do with your problem, but is the above line a typo ?
> > I would have expected the '@' to be a '/', in which case it is the
> > default, so you can remove the line.
> It wasn't a typo, I think it was auto-generated by something during my
> setup of this host. It would probably be better to use '/home/%D/%U'
> > > # POSIX filesystem details (set using chown and chmod)
> > >
> > > /srv/samba/users/
> > > drwxrwx---+ 2 root FTLC\domain admins.
> > >
> > > /srv/samba/shares/Operations/
> > > drwxrwx---. 2 root FTLC\domain admins
> > >
> > Here we come to what I think is your problem ;-)
> > If you examine the first set of permissions, they end with a '+',
> > this means that there are extended ACL's set.
> > The second set of permissions ends with a dot '.' and is something I
> > haven't seen before, so a quick google later and I can tell you that
> > you have selinux running, does that give you any hints ;-)
> My problem isn't with selinux, because selinux is in permissive mode,
> not enforcing mode.
> I actually managed to solve my problem, minutes after I sent this
> email to the list, but the solution does present me with further
> questions. I ended up changing the ownership of
> the /srv/samba/shares/Operations folder from 'root:FTLC\domain
> admins' to 'root:FTLC\domain users'. I didn't change the
> permissions, they are still 770.
> I had thought that it made sense for 'root:FTLC\domain admins' to own
> the /srv/samba/shares/Operations directory, because only that user
> and group should have the ability to change share permissions.
> However, given that the change of ownership to the FTLC\domain users'
> group resolved the issue, I can see that my assumption was
> incorrect. Therefore, am I correct in assuming that ownership of a
> given share directory needs to always be the lowest common
> denominator - ie 'FTLC\domain users'? What are the security
> implications of this?
> I'm still pretty foggy on the relationship between POSIX ownership and
> permissions, and Windows ACLs. Is there a good resource that might
> help to clear this fog? Or perhaps a better question might be, what
> is the recommended POSIX permissions and ownership for a share that is
> going to use Windows ACLs and be managed, using RSAT tools, by a
> Domain Admin?
Let's make the fog even thicker, when you set the permissions from
Windows (which is the best option), they don't get stored where you
think they do ;-)
You can read the Unix permissions with 'ls' and you can read what I
call posix acl's with 'getfacl', but to read the permissions set from
Windows, you need to use getfattr. The NTFS ACL's are stored in a
file security.NTACL, this is an Extended Attribute. This is used
with the Unix permissions to set the ACL's you get with getfacl.
This is probably as clear as mud, but it is very complicated, try
Also reading 'man vfs_acl_xattr' might help
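One way to read each of the layers Rowland describes on a share directory, as an added example that is not from the thread (the helper names and the constructed mode strings are mine; getfacl/getfattr come from the acl and attr packages):

```shell
#!/bin/sh
# Added example, not code from the Samba list thread. It walks the layers
# Rowland describes: the mode string from `ls -ld`, the POSIX ACL from
# getfacl, and the NT ACL held in the security.NTACL extended attribute.

# classify_mode MODE   MODE is the first field of `ls -ld`, e.g. drwxrwx---+
# GNU ls appends '+' when an extended POSIX ACL is present and '.' when the
# only extra is an SELinux context; no suffix means plain Unix permissions.
classify_mode() {
    case "$1" in
        *+) echo posix-acl ;;
        *.) echo selinux-only ;;
        *)  echo plain ;;
    esac
}

# triplet MODE ROLE   print the rwx bits for ROLE = owner | group | other
triplet() {
    case "$2" in
        owner) printf '%s\n' "$1" | cut -c2-4 ;;
        group) printf '%s\n' "$1" | cut -c5-7 ;;
        other) printf '%s\n' "$1" | cut -c8-10 ;;
        *) return 1 ;;
    esac
}

# posix_access MODE ROLE   what the mode bits alone grant ROLE, or
# "check-acl" when a '+' means the answer lives in getfacl, not in ls.
posix_access() {
    if [ "$(classify_mode "$1")" = posix-acl ]; then
        echo check-acl
    else
        triplet "$1" "$2"
    fi
}

# inspect_share DIR   the three commands that read each layer on a live host.
# getfacl/getfattr only run when installed, so this also works without them.
inspect_share() {
    ls -ld "$1"
    if command -v getfacl >/dev/null 2>&1; then getfacl -p "$1"; fi
    # The NT ACL is an opaque NDR blob; hex output just shows it is present.
    if command -v getfattr >/dev/null 2>&1; then
        getfattr -n security.NTACL -e hex "$1"
    fi
}

# Constructed walk-through with the two entries from the thread. A member of
# 'FTLC\domain users' who is not in 'FTLC\domain admins' counts as "other":
posix_access 'drwxrwx---.' other   # ---        the Operations share problem
posix_access 'drwxrwx---+' other   # check-acl  /srv/samba/users/ needs getfacl
```

Run `inspect_share /path/to/share` as root on the file server to see all three layers for a real directory.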