On 2017-04-23 17:01, Rowland Penny wrote:
> On Sun, 23 Apr 2017 14:07:44 +1000
> Henry via samba <samba at lists.samba.org> wrote:
>
>> Following:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> In windows:
>>
>> I can set permissions under the "Share Permissions" tab.
>>
>> I am unable to make ANY changes under the "Security". When I try I am
>> presented with:
>>
>> "Remotely setting permissions on the folder at the root of a share
>> removes all inherited permissions from the root folder and all
>> subfolders. To set permissions without removing the inherited
>> permissions, click No and either change the permissions on a child
>> folder or make the change while logged in locally"
>>
>> Under "Share Permissions" I have:
>>
>> Domain Admins = Full Control
>>
>> Domain Users = Read & Change
>>
>> As it stands I am unable to access the share (using a Domain Admins
>> account) however I am unable to do anything.
>
> As it stands, when you create the share as shown on the wiki page:
>
> # mkdir -p /srv/samba/Demo/
>
> It ends up belonging to root:root with drwxr-xr-x permissions
>
> Or to put it another way the 'root' user has full permissions on
> the directory, members of the 'root' group have read and enter
> permissions, the same goes for any other users or groups. This all
> means that members of the Domain Admins group cannot write to the
> directory.
>
> Try this:
>
> chown root:Domain\ Admins /srv/samba/Demo/
> chmod 0770 /srv/samba/Demo/
>
> Now try to set the permissions from windows.
>
> If this works and I am sure it will, I will update the wiki page.
>
> Rowland

Thanks Rowland, I was wondering about this not being in the guide but
thought best to follow it word for word. I have made the changes
suggested:

root@aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
root@aphrodite:~# chown root:Domain\ Admins /srv/samba/data/Testing/
root@aphrodite:~# chmod 0770 /srv/samba/data/Testing/
root@aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

After this I was able to access the security tab and add "Domain Admins"
as per the guide without any errors however after that I am locked out
again. Looking at the unix permissions I see they have now changed to
the following and now I can't remove "Domain Admins" to get it back to
where I was before.

root@aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::---
group:domain\040admins:---
mask::rwx
other::---
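
Added example, not part of the original messages: a small evaluator for the kernel's POSIX ACL access check, run over the last two getfacl outputs above, to show what each state grants a non-root member of Domain Admins. The function names and the test user "henry" are assumptions; root's capability override and Samba's own NT ACL handling are not modelled.

```python
import re

# ACL states copied from the getfacl output in the message above.
AFTER_CHOWN = r"""
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---
"""
AFTER_WINDOWS = r"""
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::---
group:domain\040admins:---
mask::rwx
other::---
"""

def unescape(s):
    # getfacl prints special characters as octal escapes (\040 is a space).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def parse_getfacl(text):
    """Return owner, owning group and entries; the name "" is the unnamed entry."""
    acl = {"owner": None, "group": None, "users": {}, "groups": {}, "masks": {}, "others": {}}
    for line in text.strip().splitlines():
        m = re.match(r"# (owner|group): (.*)", line)
        if m:
            acl[m.group(1)] = unescape(m.group(2))
        elif line and not line.startswith("#"):
            tag, name, perms = line.split(":")[:3]
            acl[tag + "s"][unescape(name)] = set(perms[:3]) - {"-"}
    return acl

def allowed(acl, user, groups, want):
    """POSIX ACL check: the first matching class decides, with no fall-through."""
    want = set(want)
    mask = acl["masks"].get("", set("rwx"))  # no mask entry: nothing is masked
    if user == acl["owner"]:
        return want <= acl["users"][""]
    if user in acl["users"]:
        return want <= (acl["users"][user] & mask)
    hits = [p for g, p in acl["groups"].items() if (g or acl["group"]) in groups]
    if hits:  # a group matched: "other" is never consulted
        return any(want <= (p & mask) for p in hits)
    return want <= acl["others"].get("", set())
```

For a user "henry" in "domain admins", allowed(parse_getfacl(AFTER_CHOWN), "henry", {"domain admins"}, "rwx") is True, while the same call on AFTER_WINDOWS is False even for "r", because both matching group entries are empty and only the owner entry and user:root carry rwx.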