samba - Jan 2018 - Adding Share Windows ACL

On Fri, 26 Jan 2018 14:18:53 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 26 Jan 2018 14:10:40 +0100
> Micha Ballmann <ballmann at uni-landau.de> wrote:
> 
> > To set share windows permissions and windows acl i login on a
> > windows 7 computer with the administrator user.|Open ||Computer
> > Management and connect to the fileserver. when im trying now to set
> > acl i ve no permissions.|||||||
> > 
> 
> Well, I couldn't understand why it wasn't working, so I fired up a
VM
> running win7 and guess what, it doesn't work for me either, it did,
> but it doesn't now :-(
> 
> I will get back to you.
> 
> Rowland
> 
OK, I found out why it wasn't working, I was connecting to a share that
belonged to 'root:root' with 'drwxr-xr-x' permissions.

I created a new share:

[data]
     path = /home/testdata
     read only = no

mkdir /home/testdata

getfacl /home/testdata shows this:

getfacl: Removing leading '/' from absolute path names
# file: home/testdata
# owner: rowland
# group: domain\040users
user::rwx
user:root:rwx
group::---
group:root:---
group:2004:r-x
group:2005:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:2004:r-x
default:group:2005:rwx
default:mask::rwx
default:other::---

Change the ownership:

chown root:Unix\ Admins /home/testdata

Now go to the Win7 VM and add 'rowland' back as a user with 'Read
&
execute, List folder contents and Read' permissions. This worked
without error and getfacl now shows:

 getfacl: Removing leading '/' from absolute path names
# file: home/testdata
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
user:rowland:r-x
group::---
group:root:---
group:2004:r-x
group:2005:rwx
group:unix\040admins:---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:rowland:r-x
default:group::---
default:group:root:---
default:group:2004:r-x
default:group:2005:rwx
default:group:unix\040admins:---
default:mask::rwx
default:other::---

Do you have these lines in smb.conf:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Are the 'acl' and 'attr' packages installed.

Rowland

Hello,

i also fired up a new vm :) and configured "rid" backend. I followed
all
step in 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.

Sett the Attributs in smb.conf:

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

Granting the SeDiskOperatorPrivilege:

# net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege
-U
(successful after trourbleshoting)

Adding Share (i just copy and paste the example):

# mkdir -p /srv/samba/Demo/
# chown root:"Domain Admins" /srv/samba/Demo/ --> NOW WORKING
BECAUSE I
SET UP RID BACKEND
# chmod 0770 /srv/samba/Demo/

smb.conf

[Demo]
        path = /srv/samba/Demo/
        read only = no

-> Login to Windows with administrator and connect to FILESERVER via 
"Computer Management" -> Chosing Demo Share and going to security
Tab ->

Regarads

Micha


Am 26.01.2018 um 16:31 schrieb Rowland Penny via samba:
> On Fri, 26 Jan 2018 14:18:53 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Fri, 26 Jan 2018 14:10:40 +0100
>> Micha Ballmann <ballmann at uni-landau.de> wrote:
>>
>>> To set share windows permissions and windows acl i login on a
>>> windows 7 computer with the administrator user.|Open ||Computer
>>> Management and connect to the fileserver. when im trying now to set
>>> acl i ve no permissions.|||||||
>>>
>> Well, I couldn't understand why it wasn't working, so I fired
up a VM
>> running win7 and guess what, it doesn't work for me either, it did,
>> but it doesn't now :-(
>>
>> I will get back to you.
>>
>> Rowland
>>
> OK, I found out why it wasn't working, I was connecting to a share that
> belonged to 'root:root' with 'drwxr-xr-x' permissions.
>
> I created a new share:
>
> [data]
>       path = /home/testdata
>       read only = no
>
> mkdir /home/testdata
>
> getfacl /home/testdata shows this:
>
> getfacl: Removing leading '/' from absolute path names
> # file: home/testdata
> # owner: rowland
> # group: domain\040users
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:2004:r-x
> group:2005:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:2004:r-x
> default:group:2005:rwx
> default:mask::rwx
> default:other::---
>
> Change the ownership:
>
> chown root:Unix\ Admins /home/testdata
>
> Now go to the Win7 VM and add 'rowland' back as a user with
'Read &
> execute, List folder contents and Read' permissions. This worked
> without error and getfacl now shows:
>
>   getfacl: Removing leading '/' from absolute path names
> # file: home/testdata
> # owner: root
> # group: unix\040admins
> user::rwx
> user:root:rwx
> user:rowland:r-x
> group::---
> group:root:---
> group:2004:r-x
> group:2005:rwx
> group:unix\040admins:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:rowland:r-x
> default:group::---
> default:group:root:---
> default:group:2004:r-x
> default:group:2005:rwx
> default:group:unix\040admins:---
> default:mask::rwx
> default:other::---
>
> Do you have these lines in smb.conf:
>
>      vfs objects = acl_xattr
>      map acl inherit = Yes
>      store dos attributes = Yes
>
> Are the 'acl' and 'attr' packages installed.
>
> Rowland
>

Im sorry last mail was not complete.

...
-> Login to Windows with administrator and connect to FILESERVER via 
"Computer Management" -> Chosing Demo Share and going to security
Tab ->

Cant set any ACL because, permission denied!

Am 27. Januar 2018 11:35:53 MEZ schrieb Micha Ballmann via samba <samba at
lists.samba.org>:
>Hello,
>
>i also fired up a new vm :) and configured "rid" backend. I
followed
>all 
>step in 
>https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
>
>Sett the Attributs in smb.conf:
>
>vfs objects = acl_xattr
>map acl inherit = yes
>store dos attributes = yes
>
>Granting the SeDiskOperatorPrivilege:
>
># net rpc rights grant "SAMDOM\Domain Admins"
SeDiskOperatorPrivilege
>-U 
>(successful after trourbleshoting)
>
>Adding Share (i just copy and paste the example):
>
># mkdir -p /srv/samba/Demo/
># chown root:"Domain Admins" /srv/samba/Demo/ --> NOW WORKING
BECAUSE I
>
>SET UP RID BACKEND
># chmod 0770 /srv/samba/Demo/
>
>smb.conf
>
>[Demo]
>        path = /srv/samba/Demo/
>        read only = no
>
>-> Login to Windows with administrator and connect to FILESERVER via 
>"Computer Management" -> Chosing Demo Share and going to
security Tab
>->
>
>Regarads
>
>Micha
>
>
>Am 26.01.2018 um 16:31 schrieb Rowland Penny via samba:
>> On Fri, 26 Jan 2018 14:18:53 +0000
>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>>> On Fri, 26 Jan 2018 14:10:40 +0100
>>> Micha Ballmann <ballmann at uni-landau.de> wrote:
>>>
>>>> To set share windows permissions and windows acl i login on a
>>>> windows 7 computer with the administrator user.|Open ||Computer
>>>> Management and connect to the fileserver. when im trying now to
set
>>>> acl i ve no permissions.|||||||
>>>>
>>> Well, I couldn't understand why it wasn't working, so I
fired up a
>VM
>>> running win7 and guess what, it doesn't work for me either, it
did,
>>> but it doesn't now :-(
>>>
>>> I will get back to you.
>>>
>>> Rowland
>>>
>> OK, I found out why it wasn't working, I was connecting to a share
>that
>> belonged to 'root:root' with 'drwxr-xr-x' permissions.
>>
>> I created a new share:
>>
>> [data]
>>       path = /home/testdata
>>       read only = no
>>
>> mkdir /home/testdata
>>
>> getfacl /home/testdata shows this:
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/testdata
>> # owner: rowland
>> # group: domain\040users
>> user::rwx
>> user:root:rwx
>> group::---
>> group:root:---
>> group:2004:r-x
>> group:2005:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::---
>> default:group:root:---
>> default:group:2004:r-x
>> default:group:2005:rwx
>> default:mask::rwx
>> default:other::---
>>
>> Change the ownership:
>>
>> chown root:Unix\ Admins /home/testdata
>>
>> Now go to the Win7 VM and add 'rowland' back as a user with
'Read &
>> execute, List folder contents and Read' permissions. This worked
>> without error and getfacl now shows:
>>
>>   getfacl: Removing leading '/' from absolute path names
>> # file: home/testdata
>> # owner: root
>> # group: unix\040admins
>> user::rwx
>> user:root:rwx
>> user:rowland:r-x
>> group::---
>> group:root:---
>> group:2004:r-x
>> group:2005:rwx
>> group:unix\040admins:---
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:rowland:r-x
>> default:group::---
>> default:group:root:---
>> default:group:2004:r-x
>> default:group:2005:rwx
>> default:group:unix\040admins:---
>> default:mask::rwx
>> default:other::---
>>
>> Do you have these lines in smb.conf:
>>
>>      vfs objects = acl_xattr
>>      map acl inherit = Yes
>>      store dos attributes = Yes
>>
>> Are the 'acl' and 'attr' packages installed.
>>
>> Rowland
>>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.