thr3ads.net - samba - [Samba] windows acls [Dec 2022]

If this information is useful, please help other people find it:
Share via:

Peter Carlson

2022-Dec-13 19:00 UTC

[Samba] windows acls

On 12/13/22 10:45, Rowland Penny via samba wrote:> Is 'S-1-5-21-185628584-2620904409-2800336372' the domain SID ?
> Who or what is the RID 1105 ?
Not sure, how Can I determine that?

>
>>
>> 2) If inheritance is disabled, why do the folders in the share show 
>> inherited from P:\ ?
>>
>> 3) I am a member of Domain Users and Domain Admins.? I can see files 
>> in P:\ but I cant overwrite them or delete them.? It seems to be 
>> using the permissions of Domain Admins R+X and not Domain Users Full 
>> Control.? yes I know the permissions seem backwards, which is another 
>> issue, however shouldn't it allow me write access since I am also a
>> member of Domain Users ?
>>
>> Thanks! Peter
>>
>
> Can you post the output of the following commands run on the machine 
> that holds the share:
>
> ls -lad /path/to/share/directory
Did the share point as well as one sub directory:


root at filesvr:~# ls -lad /data/FacilityPictures/
drwxrwxrwt+ 5 root root 4096 Dec? 1 15:22 /data/FacilityPictures/

root at filesvr:~# ls -lad /data/FacilityPictures/*
drwxrwxr-x+ 2316 SDCP\peter?? SDCP\domain admins?? 110592 Nov? 4 11:19? 
/data/FacilityPictures/Completed
drwxrwxr-x+??? 6 SDCP\ijenson SDCP\domain users????? 4096 Dec 13 10:42 
'/data/FacilityPictures/Encode Videos'
drwxrwxr-x+??? 4 SDCP\peter?? SDCP\domain admins???? 4096 Sep 30 10:46 
'/data/FacilityPictures/Stock Images'
-rwxrwxr-x+??? 1 SDCP\peter?? SDCP\domain admins 31156113 Aug 15 13:29? 
/data/FacilityPictures/test_video.mp4
>
> getfacl /path/to/share/directoryroot at filesvr:~# getfacl /data/FacilityPictures/
getfacl: Removing leading '/' from absolute path names
# file: data/FacilityPictures/
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
user:SDCP\\domain\040users:rwx
group::rwx
group:root:rwx
group:SDCP\\domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:SDCP\\domain\040users:rwx
default:group::r-x
default:group:root:r-x
default:group:SDCP\\domain\040users:rwx
default:mask::rwx
default:other::r-x

root at filesvr:~# getfacl /data/FacilityPictures/Completed
getfacl: Removing leading '/' from absolute path names
# file: data/FacilityPictures/Completed
# owner: SDCP\\peter
# group: SDCP\\domain\040admins
user::rwx
user:SDCP\\domain\040admins:r-x
user:SDCP\\domain\040users:rwx
group::r-x
group:SDCP\\domain\040admins:r-x
group:SDCP\\domain\040users:rwx
group:2001105:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:SDCP\\domain\040users:rwx
default:user:SDCP\\peter:rwx
default:group::r-x
default:group:SDCP\\domain\040admins:r-x
default:group:SDCP\\domain\040users:rwx
default:mask::rwx
default:other::r-x
>
> samba-tool ntacl get /path/to/share/directory --as-sddlroot at filesvr:~# samba-tool ntacl get? /data/FacilityPictures/ --as-sddl
O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;DU)

root at filesvr:~# samba-tool ntacl get /data/FacilityPictures/Completed 
--as-sddl
O:S-1-5-21-185628584-2620904409-2800336372-1105G:DAD:AI(A;ID;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-1105)(A;OICIIOID;0x001f01ff;;;CO)(A;ID;0x001200a9;;;DA)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001200a9;;;WD)(A;OICIID;0x001f01ff;;;DU)

>
> Can you also post the smb.conf from the same machine.
Sanitized (and yes I know I shouldn't use .local, dont have the 
permission yet to change that historical mess)

root at filesvr:~# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d

server role = member server
template homedir = /home/%U@%D
template shell = /bin/bash

usershare allow guests = yes
kerberos method = secrets and keytab

security = ads
idmap config SDCP : range = 2000000-2999999
idmap config SDCP : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind refresh tickets = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = yes
realm = SA***NT.LOCAL
workgroup = SDCP
winbind use default domain = no
winbind enum groups = no
winbind enum users = no

#======================= Share Definitions
======================[FacilityPictures]
 ??? path = /data/FacilityPictures
 ??? comment = Facility Pictures
 ??? writable = yes
>
> Rowland
>

Rowland Penny

2022-Dec-13 19:27 UTC

head link

[Samba] windows acls

On 13/12/2022 19:00, Peter Carlson via samba wrote:> 
> On 12/13/22 10:45, Rowland Penny via samba wrote:
>> Is 'S-1-5-21-185628584-2620904409-2800336372' the domain SID ?
>> Who or what is the RID 1105 ?
> 
> Not sure, how Can I determine that?
wbinfo --sid-to-name=S-1-5-21-185628584-2620904409-2800336372-1105
> 
> 
>>
>>>
>>> 2) If inheritance is disabled, why do the folders in the share show
>>> inherited from P:\ ?
> root at filesvr:~# samba-tool ntacl get? /data/FacilityPictures/ --as-sddl
>
O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;DU)
If you break that down, you get this:

O:S-1-22-1-0 # owner 'root
G:S-1-22-2-0 # group 'root'

D:PAI
'P' = The SE_DACL_PROTECTED flag is set.
'AI' = The SE_DACL_AUTO_INHERITED flag is set.

(A;;0x001f01ff;;;S-1-22-1-0)
(A;;0x001f01ff;;;S-1-22-2-0)
(A;;0x001f01ff;;;WD)
(A;OICIIO;0x001f01ff;;;CO)
(A;OICIIO;0x001200a9;;;CG)
(A;OICIIO;0x001200a9;;;WD)
(A;OICI;0x001f01ff;;;DU)

'A' = allow
'0x001f01ff' full control
'OI' = OBJECT_INHERIT_ACE
'CI' = CONTAINER_INHERIT_ACE
'IO' = INHERIT_ONLY_ACE

'WD' = Everyone
'CO' = Creator owner
'CG' = Creator group
'DU' = Domain Users

I hope this helps you understand.

Rowland

samba - Dec 2022 - windows acls

[Samba] windows acls

[Samba] windows acls