Marc Muehlfeld
2013-Oct-13 20:31 UTC
[Samba] File share permissions act different on member server than on DC
Hello,

a while ago I wrote the wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo.

When I wrote the HowTo, I set up and configured the share on a DC, which still works as described. Today I tried for the first time to do exactly the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work there.

The share in smb.conf:

    [demo]
    path = /srv/samba/Demo
    read only = no

The folder in the filesystem (XFS):

    drwxr-xr-x 2 root root 6 13. Okt 22:16 /srv/samba/Demo

I connect to the share as Domain Admin, right-click on it and go to the "security" tab. Here I now see "everyone" and two "root" entries.

- I click the "edit" button and remove the two "root" entries. When I click "apply", everything is reset (the two entries come back).
- If I grant "modify" to "everyone" (where all "allow" entries are empty by default) and click "apply", then all boxes are checked automatically (full access) and "CREATOR OWNER" and "CREATOR GROUP" appear. And these two can't be removed any more either.

If I do exactly the same on a DC, then the security tab already shows very different settings the first time I open it. The wiki screenshot shows them (wikiupload.samba.org/images/8/8f/Demo_Share_Security.png). But the folder on the Linux side is also just 755 (and without any extended ACLs when I begin). Also, whatever I change (like removing "root" from the ACLs), everything is done as expected and saved.

The member server is also self compiled. I installed all packages on my RHEL6 that I have installed on the DC too.

Any idea what could be different on a 4.x member than on a DC? Or did I find a bug?

Regards
Marc
steve
2013-Oct-14 06:43 UTC
[Samba] File share permissions act different on member server than on DC
On Sun, 2013-10-13 at 22:31 +0200, Marc Muehlfeld wrote:
> Hello,
>
> a while ago I wrote the
> wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo.
>
> When I wrote the HowTo, I setup and configured the share on a DC - what
> still works like described. Today I tried the first time to do exactly
> the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work there.
>
> The share in smb.conf:
> [demo]
> path = /srv/samba/Demo
> read only = no
>
> The folder in the filesystem (XFS):
> drwxr-xr-x 2 root root 6 13. Okt 22:16 /srv/samba/Demo
>
> I connect to the share as Domain Admin, right-click to it and go to the
> "security" tab. Here I see now "everyone" and two "root" entries.
> - I click the "edit" button and remove the two "root" entries. When I
> click "apply", everything is reset (the two entries went back".
> - If i grant "modify" to "everyone" - where all "allow" entries are
> empty per default and click "apply", then all boxes are checked
> automatically (full access) and "CREATOR OWNER" and "CREATOR GROUP"
> appear. And this two can't be removed as well any more.
>
> If I do exactly the same on a DC, then already the security tab shows on
> the first time I open it very different settings. The wiki screenshot
> shows them:
> wikiupload.samba.org/images/8/8f/Demo_Share_Security.png). But
> the folder on Linux side is also just 755 (and without any extended ACLs
> when I begin). Also whatever I change (like remove "root" from the ACLs)
> everything is done like expected and saved.
>
> The member server is also self compiled. I installed all packages on my
> RHEL6 that I have installed on the DC too.
>
> Any idea what could be different on a 4.x member than on a DC? Or did I
> find a bug?
>
> Regards
> Marc

Hi

It looks like that on the DC, Administrator already has admin permissions on the share (like root in Linux) but on a file server he doesn't. You have to specify Administrator as an admin user or give him full posix rights on the share using setfacl.

Summary. Administrator behaves as:

DC: like root on a Linux box
File server: a normal unprivileged domain user

I think the file server is correct. Windows doesn't have a user like root.

HTH
Steve
Keith McCormick
2013-Oct-15 01:29 UTC
[Samba] File share permissions act different on member server than on DC
Hi,

To enable my member server's ACLs to work just like the DC, as far as Windows is concerned, I needed to add the following parameters to the global section of smb.conf file on the member server:

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = Yes

These parameters are apparently added in the background by default for the smbd processes that are spawned by samba.

Until I added those items, just like you I could never get the ACLs to stick and work correctly. Many of them were incorrectly labeled, also, even though the number was correct and the same as on the DC.

Something to note: I believe the vfs object parameter does require that xattrs work on the file system that you use.

Cheers,
KeithM

On Sun, 2013-10-13 at 22:31 +0200, Marc Muehlfeld wrote:
> Hello,
>
> a while ago I wrote the
> wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo.
>
> When I wrote the HowTo, I setup and configured the share on a DC - what
> still works like described. Today I tried the first time to do exactly
> the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work there.
>
> The share in smb.conf:
> [demo]
> path = /srv/samba/Demo
> read only = no
>
> The folder in the filesystem (XFS):
> drwxr-xr-x 2 root root 6 13. Okt 22:16 /srv/samba/Demo
>
> I connect to the share as Domain Admin, right-click to it and go to the
> "security" tab. Here I see now "everyone" and two "root" entries.
> - I click the "edit" button and remove the two "root" entries. When I
> click "apply", everything is reset (the two entries went back".
> - If i grant "modify" to "everyone" - where all "allow" entries are
> empty per default and click "apply", then all boxes are checked
> automatically (full access) and "CREATOR OWNER" and "CREATOR GROUP"
> appear. And this two can't be removed as well any more.
>
> If I do exactly the same on a DC, then already the security tab shows on
> the first time I open it very different settings. The wiki screenshot
> shows them:
> wikiupload.samba.org/images/8/8f/Demo_Share_Security.png). But
> the folder on Linux side is also just 755 (and without any extended ACLs
> when I begin). Also whatever I change (like remove "root" from the ACLs)
> everything is done like expected and saved.
>
> The member server is also self compiled. I installed all packages on my
> RHEL6 that I have installed on the DC too.
>
> Any idea what could be different on a 4.x member than on a DC? Or did I
> find a bug?
>
> Regards
> Marc
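
A way to check a member server's smb.conf for the three [global] settings Keith lists, as an added example that is not part of the thread or of Samba itself. The function names `global_param` and `missing_acl_params` and the sample configuration are constructed for illustration; the script reads only what is written explicitly in the file, not Samba's built-in defaults.

```shell
#!/bin/sh
# Added example (not from the thread): audit [global] for Keith's three settings.

# Print the value of parameter $2 in the [global] section of smb.conf file $1.
# Section and parameter names are matched ignoring case and whitespace.
global_param() {
    want=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/ {                                # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            if (name == want) {
                found = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", found)   # keep the last one seen
            }
        }
        END { print found }
    ' "$1"
}

# Print one "name = value" line for each setting that is absent or different.
missing_acl_params() {
    case " $(global_param "$1" 'vfs objects' | tr ',\t' '  ') " in
        *" acl_xattr "*) ;;
        *) echo "vfs objects = acl_xattr" ;;
    esac
    for p in 'map acl inherit' 'store dos attributes'; do
        case $(global_param "$1" "$p" | tr 'A-Z' 'a-z') in
            yes|true|1) ;;
            *) echo "$p = yes" ;;
        esac
    done
}

# Constructed sample of a member-server smb.conf (assumed values, not Marc's file).
sample_conf() {
    printf '%s\n' '[global]' '    security = ads' \
        '    VFS Objects = acl_xattr' '    store dos attributes = no' \
        '[demo]' '    path = /srv/samba/Demo' '    read only = no'
}

tmp=$(mktemp) && sample_conf > "$tmp"
missing_acl_params "$tmp"    # run against the sample
rm -f "$tmp"
```

Each printed line is a setting to add to or correct in the [global] section; no output means all three are present as in Keith's post.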