On 3/28/23 07:36, Rowland Penny via samba wrote:
>
> On 28/03/2023 15:08, Peter Carlson via samba wrote:
>>
>> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>>
>>>
>>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>>> I am having troubles with windows ACLs. I have been following the wiki
>>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
>>>> and must have messed something up.
>>>> I can't set the permissions on the root of the share. error:
>>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>>
>>>> I set the SeDiskOperatorPrivilege, created the folder with
>>>> permissions as stated in the wiki, and set smb.conf as described.
>>>> What might I be missing?
>>>>
>>>> root@filesvr:~# net rpc rights list privileges SeDiskOperatorPrivilege -U SDCP\\peter
>>>> Password for [SDCP\peter]:
>>>> SeDiskOperatorPrivilege:
>>>>    SDCP\Domain Admins
>>>>    BUILTIN\Administrators
>>>>
>>>> root@filesvr:~# ls -l /data
>>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>>
>>> What are the permissions set on /data ?
>>>
>>> What does 'getfacl /data/test' produce ?
>>>
>>> Rowland
>>>
>> root@filesvr:~# ls -l /
>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>
>> root@filesvr:~# getfacl /data/test
>> getfacl: Removing leading '/' from absolute path names
>> # file: data/test
>> # owner: root
>> # group: SDCP\\domain\040admins
>> user::rwx
>> user:root:rwx
>> user:SDCP\\domain\040admins:rwx
>> user:SDCP\\domain\040users:rwx
>> group::rwx
>> group:SDCP\\domain\040admins:rwx
>> group:SDCP\\domain\040users:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:SDCP\\domain\040users:rwx
>> default:group::r-x
>> default:group:SDCP\\domain\040admins:r-x
>> default:group:SDCP\\domain\040users:rwx
>> default:mask::rwx
>> default:other::r-x
>
> OK, your user should be able to get to the 'data' directory via 'others'
>
> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>
> Where, because the permissions are these:
>
> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>
> His membership of Domain Admins should allow entry into 'test'
>
> However, you also wrote this 'On a different server showing my
> membership', what do you get if you run 'groups' on 'filesvr' ?
>
> Rowland
>
>
ok, on the filesvr I can get to things as me:
SDCP\peter@filesvr:~$ groups
SDCP\domain admins BUILTIN\administrators BUILTIN\users SDCP\domain users SDCP\denied rodc password replication group SDCP\dbusers SDCP\peter SDCP\linux admins SDCP\remotedesktop SDCP\nextcloud users
SDCP\peter@filesvr:~$ cd /data/test
SDCP\peter@filesvr:/data/test$ ls
officefld  peter-ad.txt  peter.txt  root.txt  test  Windows.txt
SDCP\peter@filesvr:/data/test$ cat peter.txt
test from peter
however on windows, I get access denied both when trying to set
permissions via computer management on the root of the share as well as
when trying to access the share via file explorer
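
Added example, not part of the mailing-list thread: a small evaluator that applies the POSIX ACL check order (owner, named user, groups, other) to the `ls -l` and `getfacl` output quoted above, reproducing the local-filesystem reasoning about 'others' on /data and Domain Admins on /data/test. The function names and the reduced group set are assumptions made for this example; it models only the kernel-side check, not Samba's own handling of Windows ACLs.

```python
import re

# Constructed input: access entries of /data/test as quoted in the thread
# ("default:" entries are left out; they only seed ACLs of new children).
TEST_ACL = r"""# owner: root
# group: SDCP\\domain\040admins
user::rwx
user:root:rwx
user:SDCP\\domain\040admins:rwx
user:SDCP\\domain\040users:rwx
group::rwx
group:SDCP\\domain\040admins:rwx
group:SDCP\\domain\040users:rwx
mask::rwx
other::---"""
# /data is plain mode drwxr-xr-x root:root, written in the same notation.
DATA_ACL = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x"

def unescape(name):
    # getfacl prints a backslash as "\\" and a space as "\040"
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)

def parse(text):
    acl = {"entries": []}
    for line in text.splitlines():
        if line.startswith(("# owner: ", "# group: ")):
            acl[line[2:7]] = unescape(line[9:])
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            acl["entries"].append((tag, unescape(qual), perms))
    return acl

def check(acl, user, groups, want):
    """POSIX ACL evaluation order: owner, named user, groups, other."""
    ents = acl["entries"]
    perm = lambda tag, qual="": next((p for t, q, p in ents if t == tag and q == qual), None)
    mask = perm("mask") or "rwx"
    grants = lambda p, masked: all(c in p and (c in mask or not masked) for c in want)
    if user == acl["owner"]:
        return grants(perm("user"), False), "owner"
    if perm("user", user) is not None:
        return grants(perm("user", user), True), "named user"
    hits = [p for t, q, p in ents if t == "group" and (q or acl["group"]) in groups]
    if hits:  # any matching group entry that grants the request wins
        return any(grants(p, True) for p in hits), "group"
    return grants(perm("other"), False), "other"

PETER = "SDCP\\peter"
PETER_GROUPS = {"SDCP\\domain admins", "SDCP\\domain users"}  # subset of his `groups` output
```

`check(parse(DATA_ACL), PETER, PETER_GROUPS, "x")` resolves through the `other` entry and `check(parse(TEST_ACL), PETER, PETER_GROUPS, "rwx")` through a group entry, which agrees with the local shell session shown in the thread.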