I believe I have found either a bug or something I do not understand. I recently had a file-share issue and the resolution was to set the "others" permissions to 5, read and execute. The problem with this is that once I am in Windows on a workstation, this appears to allow "Everyone", "CREATOR OWNER", and "CREATOR GROUP" access. We normally set up our shares with the domain admins group having full access and a global security group for the share having full access. When I remove those three aforementioned groups in the Windows ACL UI, it removes the permissions from the share. This means nobody can access it now.

So my question is this: How do I properly configure a share that will only allow the domain admins and a second global security group access? I do not want just anybody to gain access to these shares. Some shares are for finance and if a normal user could gain access, it would allow them to see pay-rates and such for every employee, which is not a good thing.

Along with that question, I am still having share issues with the one network printer in the organization and I believe it is related. Below is all pertinent information that I can think of. The user and group IDs are from AD (uidNumber/gidNumber) and match on both member servers.
root@ps01:~# cat /etc/samba/smb.conf
[global]
    netbios name = PS01
    workgroup = TRUEVINE
    security = ADS
    realm = TRUEVINE.LAN
    encrypt passwords = yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config TRUEVINE:backend = ad
    idmap config TRUEVINE:schema_mode = rfc2307
    idmap config TRUEVINE:range = 10000-40000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes

    domain master = no
    local master = no
    preferred master = no

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    auth methods = winbind
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    spoolss: architecture = Windows x64

[printers]
    path = /var/spool/samba
    printable = yes
    printing = CUPS
    use client driver = yes
    guest ok = no
    printable = yes

[print$]
    path = /srv/samba/printer_drivers
    comment = Printer drivers
    writeable = yes

[Xerox7545]
    path = /var/spool/samba
    browseable = yes
    printable = yes
    printer name = Xerox_WC_7545

The guide for sharing printers was followed (not a cached copy this time), including things like modifying permissions to 2755 on /srv/samba and everything below it. Now /srv is owned by root and the root group, as is /srv/samba, but they both have 755 for permissions. No ACLs exist at that level.
root@ps01:~# getfacl /srv/samba/printer_drivers/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/printer_drivers/
# owner: reachfp
# group: domain\040admins
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:reachfp:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---

I even set the driver file permissions (/srv/samba/printer_drivers/x64/3/*) to 755 as Andrew Bartlett recommended, but I still get "Access is denied" in my logs when the workstations boot and attempt to map the machine. I am not running iptables or SELinux on this system. I do have a Kerberos keytab as advised by Rowland in my previous thread.

So, have I screwed up or is this an issue? I imagine I am missing something and it may be the "Everyone" issue in my first few paragraphs, but I am not sure.
Well, I'm thinking you can set it up as follows, in this order.

1) /srv/samba/printer_drivers (something like):
   chmod 2775 /srv
   chmod 2775 /srv/samba
   chmod 2775 /srv/samba/printer_drivers

2) Set up the share from a Windows PC. Add the 2 groups to the share with full access (share tab): domain admins and a second global security group.

3) Set the security rights from within Windows on the shared folder (security tab): domain admins and a second global security group.

> This means nobody can access it now.

Set "authenticated users" to have read access on the share if needed; the security rights will stop any folder access. And leave alone: "CREATOR OWNER" and "CREATOR GROUP".

Louis

> -----Original message-----
> From: ryana at reachtechfp.com [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
> Sent: Monday 18 August 2014 16:31
> To: samba at lists.samba.org
> Subject: [Samba] Shares requiring "Everyone" access...
Sorry, I scrolled too high in my buffer and pasted the wrong ACL list for the share. The correct one is below.

root@ps01:~# getfacl /srv/samba/printer_drivers/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/printer_drivers/
# owner: reachfp
# group: domain\040admins
# flags: ss-
user::rwx
user:reachfp:rwx
group::rwx
group:domain\040admins:rwx
group:domain\040users:r-x
group:domain\040computers:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:reachfp:rwx
default:group::r-x
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:domain\040computers:r-x
default:mask::rwx
default:other::r-x

I did remove "CREATOR OWNER" and "CREATOR GROUP", but I left "Everyone" with read and execute, and I still get "Access is denied".

On 08/18/2014 10:31 AM, Ryan Ashley wrote:
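The "Everyone", "CREATOR OWNER" and "CREATOR GROUP" entries discussed in this thread are what Samba shows Windows when it builds an NT ACL from a POSIX ACL: `other` becomes Everyone, and the unnamed `default:user::`/`default:group::` entries become the CREATOR placeholders. The following audit script is an added example, not code from the thread or from Samba: it parses a getfacl listing, names the Windows principal each granting entry produces under that assumed mapping, and reports any principal outside an allow-list, so a finance share meant for two groups can be checked before anyone browses it. SAMPLE_ACL is constructed from the corrected listing above; the mapping models only the fallback synthesis, so an NT ACL already stored by vfs acl_xattr takes precedence over what this reports.

```python
import re

# Constructed sample: the corrected listing from the thread (getfacl writes a space as \040).
SAMPLE_ACL = """# owner: reachfp
# group: domain\\040admins
user::rwx
user:reachfp:rwx
group::rwx
group:domain\\040admins:rwx
group:domain\\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x
"""
_ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")

def _unescape(name):  # undo getfacl's octal escapes: 'domain\040admins' -> 'domain admins'
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def windows_principals(text):
    """Return {windows_name: set(perms)} for every POSIX ACL entry that grants rights,
    using the assumed POSIX-to-NT mapping described in the lead-in."""
    owner = group = None
    seen = {}
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = _unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            group = _unescape(line.split(":", 1)[1].strip())
        m = _ENTRY.match(line.strip())
        if not m or m.group(2) == "mask" or m.group(4) == "---":
            continue  # header/blank/message lines, the mask (caps rights, names nobody), or no rights
        is_default, tag, qual, perms = m.groups()
        if tag == "other":
            name = "Everyone"  # POSIX 'other' is what Windows shows as Everyone
        elif qual:
            name = _unescape(qual)  # named user or group entry
        else:  # unnamed owner/group entry: inheritable ones become the CREATOR placeholders
            name = {("user", True): "CREATOR OWNER", ("group", True): "CREATOR GROUP",
                    ("user", False): owner, ("group", False): group}[(tag, bool(is_default))]
        seen.setdefault(name, set()).add(perms)
    return seen

def unexpected_principals(text, allowed):
    """Names Windows will show on the share that are not in the allow-list."""
    allowed = {a.lower() for a in allowed}
    return sorted(n for n in windows_principals(text) if n.lower() not in allowed)
```

Run it against `getfacl` output of the share root (and, with `getfacl -R`, of everything below it) after each change; an empty result for the two intended groups is the state the question asks for.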