On 2017-04-23 17:01, Rowland Penny wrote:
> On Sun, 23 Apr 2017 14:07:44 +1000
> Henry via samba <samba at lists.samba.org> wrote:
>
>> Following:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> In windows:
>>
>> I can set permissions under the "Share Permissions" tab.
>>
>> I am unable to make ANY changes under the "Security". When I try I am
>> presented with:
>>
>> "Remotely setting permissions on the folder at the root of a share
>> removes all inherited permissions from the root folder and all
>> subfolders. To set permissions without removing the inherited
>> permissions, click No and either change the permissions on a child
>> folder or make the change while logged in locally"
>>
>> Under "Share Permissions" I have:
>>
>> Domain Admins = Full Control
>>
>> Domain Users = Read & Change
>>
>> As it stands I am unable to access the share (using a Domain Admins
>> account) however I am unable to do anything.
>
> As it stands, when you create the share as shown on the wiki page:
>
> # mkdir -p /srv/samba/Demo/
>
> It ends up belonging to root:root with drwxr-xr-x permissions.
>
> Or to put it another way, the 'root' user has full permissions on
> the directory, members of the 'root' group have read and enter
> permissions, and the same goes for any other users or groups. This all
> means that members of the Domain Admins group cannot write to the
> directory.
>
> Try this:
>
> chown root:Domain\ Admins /srv/samba/Demo/
> chmod 0770 /srv/samba/Demo/
>
> Now try to set the permissions from windows.
>
> If this works, and I am sure it will, I will update the wiki page.
>
> Rowland

Thanks Rowland, I was wondering about this not being in the guide but
thought it best to follow it word for word.

I have made the changes suggested:

root at aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

root at aphrodite:~# chown root:Domain\ Admins /srv/samba/data/Testing/
root at aphrodite:~# chmod 0770 /srv/samba/data/Testing/

root at aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

After this I was able to access the security tab and add "Domain Admins"
as per the guide without any errors, however after that I am locked out
again. Looking at the unix permissions I see they have now changed to the
following, and now I can't remove "Domain Admins" to get it back to where
I was before.

root at aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::---
group:domain\040admins:---
mask::rwx
other::---
On 2017-04-23 17:19, Henry via samba wrote:
> On 2017-04-23 17:01, Rowland Penny wrote:
>> On Sun, 23 Apr 2017 14:07:44 +1000
>> Henry via samba <samba at lists.samba.org> wrote:
>>
>>> Following:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> In windows:
>>>
>>> I can set permissions under the "Share Permissions" tab.
>>>
>>> I am unable to make ANY changes under the "Security". When I try I am
>>> presented with:
>>>
>>> "Remotely setting permissions on the folder at the root of a share
>>> removes all inherited permissions from the root folder and all
>>> subfolders. To set permissions without removing the inherited
>>> permissions, click No and either change the permissions on a child
>>> folder or make the change while logged in locally"
>>>
>>> Under "Share Permissions" I have:
>>>
>>> Domain Admins = Full Control
>>>
>>> Domain Users = Read & Change
>>>
>>> As it stands I am unable to access the share (using a Domain Admins
>>> account) however I am unable to do anything.
>>
>> As it stands, when you create the share as shown on the wiki page:
>>
>> # mkdir -p /srv/samba/Demo/
>>
>> It ends up belonging to root:root with drwxr-xr-x permissions.
>>
>> Or to put it another way, the 'root' user has full permissions on
>> the directory, members of the 'root' group have read and enter
>> permissions, and the same goes for any other users or groups. This all
>> means that members of the Domain Admins group cannot write to the
>> directory.
>>
>> Try this:
>>
>> chown root:Domain\ Admins /srv/samba/Demo/
>> chmod 0770 /srv/samba/Demo/
>>
>> Now try to set the permissions from windows.
>>
>> If this works, and I am sure it will, I will update the wiki page.
>>
>> Rowland
>
> Thanks Rowland, I was wondering about this not being in the guide but
> thought it best to follow it word for word.
>
> I have made the changes suggested:
>
> root at aphrodite:~# getfacl /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
> root at aphrodite:~# chown root:Domain\ Admins /srv/samba/data/Testing/
> root at aphrodite:~# chmod 0770 /srv/samba/data/Testing/
>
> root at aphrodite:~# getfacl /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: domain\040admins
> user::rwx
> group::rwx
> other::---
>
> After this I was able to access the security tab and add "Domain
> Admins" as per the guide without any errors, however after that I am
> locked out again. Looking at the unix permissions I see they have now
> changed to the following, and now I can't remove "Domain Admins" to get
> it back to where I was before.
>
> root at aphrodite:~# getfacl /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::---
> group:domain\040admins:---
> mask::rwx
> other::---

OK, have now reset the ACLs back to where they were:

https://serverfault.com/questions/285597/setfacl-to-reset-file-to-default-permissions

root at aphrodite:~# getfacl -d /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins

However in Windows I am still unable to edit the "Security" permissions
tab:

"You do not have permission to view or edit this object's permission
settings"

I am really at a loss here as I am unable to get a Samba share working
with Windows ACLs. Surely it cannot be this complex, so what am I missing?
All I want is a Samba share whose permissions I can control using
Windows...
On Sun, 23 Apr 2017 20:53:39 +1000
Henry via samba <samba at lists.samba.org> wrote:
> root at aphrodite:~# getfacl -d /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: domain\040admins
>
> However in Windows I am still unable to edit the "Security"
> permissions tab:
>
> "You do not have permission to view or edit this object's permission
> settings"
>
> I am really at a loss here as I am unable to get a Samba share
> working with Windows ACLs. Surely it cannot be this complex, so what
> am I missing? All I want is a Samba share whose permissions I can
> control using Windows...
>

OK, sorry to be so long, but it turned out that I had a problem myself
and I had to fix it (amongst other things).

Right, if I run this:

ls -lad /srv/samba/Demo/

I get this:

drwxrwx---+ 3 root unix admins 4096 Apr 11 11:49 /srv/samba/Demo/

Note: I use 'Unix Admins' instead of 'Domain Admins', but it amounts to
the same thing.

getfacl gives this:

getfacl /srv/samba/Demo/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/Demo/
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---

and on windows:

Share permissions:
  Everyone       Full control
  unix admins    Full control
  domain users   Full control

Security:
  root           Full control
  unix admins    Full control
  domain users   Modify, Read & execute, List folder contents, Read, Write

One thing it doesn't say on the wiki page: when you grant the
SeDiskOperatorPrivilege, you have to do it on the machine that holds the
share. So, make sure that Domain Admins, on the machine that holds the
share, has the SeDiskOperatorPrivilege.

Set the Unix permissions as I suggested and then try again from
'Computer Management' on a domain joined windows machine. Make sure that
you log in as a user that is a member of Domain Admins.

Can you also test that the underlying OS knows Domain Admins with:

getent group Domain\ Admins

If you do not get any output, then this is part of your problem.

Rowland
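The getfacl listings traded back and forth in this thread are the key evidence: Henry's last listing grants "domain admins" nothing (group:domain\040admins:---), while Rowland's working share grants it rwx, and in both cases the mask:: entry decides what a named entry really confers. The script below is an added example, not code from the thread or from the Samba project. It parses getfacl output the way the kernel evaluates a POSIX ACL (owner and other as written, named users, named groups and the owning group AND-ed with the mask) and reports what a given admin group actually gets. The first two samples are the listings Henry and Rowland posted above; the third is constructed here to show a mask clipping an rwx entry, a case the thread does not contain.

```python
# Added example (not from the thread or the Samba project): compute the
# effective POSIX ACL permissions from `getfacl` output so a locked-out
# share directory can be spotted from the Linux side.

# Sample 1: Henry's final listing from the thread (the locked-out state).
HENRY_LOCKED_OUT = r"""
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::---
group:domain\040admins:---
mask::rwx
other::---
"""

# Sample 2: Rowland's working listing from the thread.
ROWLAND_WORKING = r"""
# file: srv/samba/Demo/
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---
"""

# Sample 3 (constructed, not from the thread): the named group entry says
# rwx, but a restrictive mask clips what members actually get to r-x.
MASK_CLIPPED = r"""
# file: srv/samba/Clipped
# owner: root
# group: root
user::rwx
group::r-x
group:domain\040admins:rwx
mask::r-x
other::---
"""


def parse_getfacl(text):
    """Split getfacl text into (access, default, header).

    access/default are lists of (tag, qualifier, perms); header maps the
    '# file'/'# owner'/'# group' comments to their values. getfacl writes a
    space inside a name as the octal escape \040, which is decoded here.
    """
    access, default, header = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):  # blank or stderr chatter
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip().replace(r"\040", " ")
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entry = (tag, qualifier.replace(r"\040", " "), perms)
        (default if is_default else access).append(entry)
    return access, default, header


def _and_bits(a, b):
    """Position-wise AND of two 'rwx'-style strings."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))


def _or_bits(a, b):
    """Position-wise OR of two 'rwx'-style strings."""
    return "".join(x if x != "-" else y for x, y in zip(a, b))


def _mask_of(access):
    return next((p for t, q, p in access if t == "mask"), None)


def effective_perms(access):
    """Map (tag, qualifier) -> permissions the entry really confers.

    user:: (owner) and other:: are taken as written; named users, named
    groups and the owning group (group::) are AND-ed with mask::.
    """
    mask = _mask_of(access) or "rwx"
    eff = {}
    for tag, qualifier, perms in access:
        if tag == "mask":
            continue
        unmasked = (tag == "user" and qualifier == "") or tag == "other"
        eff[(tag, qualifier)] = perms if unmasked else _and_bits(perms, mask)
    return eff


def group_effective(access, header, group_name):
    """Union of the effective bits that group_name's members get, via the
    owning-group entry (if the group owns the object) and a named entry."""
    eff = effective_perms(access)
    result = "---"
    if header.get("group") == group_name and ("group", "") in eff:
        result = _or_bits(result, eff[("group", "")])
    if ("group", group_name) in eff:
        result = _or_bits(result, eff[("group", group_name)])
    return result


def diagnose(text, admin_group):
    """Return findings explaining why admin_group lacks rwx (empty if it has it)."""
    access, _default, header = parse_getfacl(text)
    findings = []
    got = group_effective(access, header, admin_group)
    if got != "rwx":
        findings.append(f"{admin_group!r} only gets {got} on {header.get('file')}")
    mask = _mask_of(access)
    if mask is not None and mask != "rwx":
        findings.append(f"mask::{mask} clips named entries on {header.get('file')}")
    return findings


if __name__ == "__main__":
    for label, sample, group in (("Henry", HENRY_LOCKED_OUT, "domain admins"),
                                 ("Rowland", ROWLAND_WORKING, "unix admins"),
                                 ("constructed", MASK_CLIPPED, "domain admins")):
        print(label, diagnose(sample, group) or ["ok: rwx"])
```

Run against Henry's listing it reports that "domain admins" gets --- on the share root, which matches the Windows error he saw; against Rowland's listing it reports nothing. Feed it the output of `getfacl /srv/samba/data/Testing` on the file server to check the directory before going back to the Windows Security tab.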