Samba-4.3.5, Debian

== smb.conf ==

[global]
    workgroup = WG
    security = ADS
    realm = WG.LOCAL
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h
    idmap config * : backend = tdb
    idmap config * : range = 2000-10000
    idmap config * : backend = rid
    idmap config * : range = 300000-400000
    # idmap config WG : backend = ad
    # idmap config WG : range = 300000-400000
    # idmap config WG : schema_mode = rfc2307
    winbind use default domain = yes
    winbind nss info = rfc2307
    winbind refresh tickets = yes

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes
    max log size = 1000
    log level = 5 vfs:1
    syslog = 5
    load printers = no
    printing = bsd
    show add printer wizard = no
    disable spoolss = yes
    printcap name = /dev/null

#======================= Share Definitions ======================
[n]
    comment = File share
    path = /mnt/n
    read only = no
    valid users = @"Domain Users" @"Domain Admins" @all
    admin users = admin @it
    # inherit acls = yes
    force create mode = 0777
    directory mask = 0770
    hide unreadable = yes

== getfacl /mnt/n/01 ==

# file: 01
# owner: admin
# group: g01
user::rwx
user:u01:rwx
group::rwx
group:admin:rwx
group:g01:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx          #effective:---
default:user:u01:rwx            #effective:---
default:group::---
default:group:g01:rwx           #effective:---
default:mask::---
default:other::---

==

I need folders to be seen (and accessed) only by the appropriate domain groups.

For example, there are domain groups g01, g02, g03, etc.; users in these groups have to see only "their" folders: u01 - \\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03

This is done by "hide unreadable = yes" in smb.conf, by granting access (using the "Security" tab in Windows folder properties) for a concrete group to a concrete directory and then chmod'ing this folder to 0770. But if I then modify the ACLs again through "Security" (for example, adding another group's access to the folder), Samba sets 0777 on this folder and it becomes "visible" to all others, and I have to set 0770 again on the Samba server. This seems to work, but:

- not good for Windows admins, who only have to know about the "Security" tab in folder properties;
- mixing ACLs with Unix rights makes a mess and does not seem the right way to solve the task.

What is the "right way" to do such a task?
On Wed, 12 Apr 2017 11:26:15 +0300
Dmitry via samba <samba at lists.samba.org> wrote:

> I need folders to be seen (and accessed) only by the appropriate
> domain groups. For example, there are domain groups g01, g02, g03,
> etc.; users in these groups have to see only "their" folders: u01 -
> \\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03
> This is done by "hide unreadable = yes" in smb.conf, by granting
> access (using the "Security" tab in Windows folder properties) for a concrete
> group to a concrete directory and then chmod'ing this folder to 0770.
> But if I then modify the ACLs again through "Security" (for example,
> adding another group's access to the folder), Samba sets 0777 on this folder
> and it becomes "visible" to all others, and I have to set 0770 again on the
> Samba server. This seems to work, but:
> - not good for Windows admins, who only have to know about the "Security"
> tab in folder properties;
> - mixing ACLs with Unix rights makes a mess and does not seem the right way
> to solve the task.
>
> What is the "right way" to do such a task?
>
>

You could investigate using 'access based share enum = yes' and setting the permissions from Windows, see here:

wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You will also need to remove these lines:

    valid users = @"Domain Users" @"Domain Admins" @all
    admin users = admin @it
    # inherit acls = yes
    force create mode = 0777
    directory mask = 0770
    hide unreadable = yes

Rowland
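As an added illustration of the advice above (example code written for this page, not from the thread or from Samba itself), here is a small POSIX shell lint that pulls one share section out of smb.conf and counts the parameters that override or mask ACLs set from the Windows Security tab. All function names are made up, and the sample config is constructed from the [n] share in the question beside a stripped-down [n-fixed] share.

```shell
#!/bin/sh
# Added example, not code from the thread: lint one smb.conf share for the
# parameters Rowland asked to remove, which override or mask the ACLs set
# from the Windows Security tab. All function names here are made up.

# "admin users" even act as root on the share and bypass every ACL; the mode
# and mask parameters rewrite POSIX bits behind vfs_acl_xattr's back.
CONFLICTING='valid users|admin users|force create mode|force directory mode|create mask|directory mask|hide unreadable|inherit acls'

# share_section FILE SECTION: print the body of [SECTION] from FILE.
share_section() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ {
            sec = $0
            gsub(/^[[:space:]]*\[|][[:space:]]*$/, "", sec)
            inside = (sec == want)
            next
        }
        inside { print }
    ' "$1"
}

# count_conflicts FILE SECTION: number of active (uncommented) conflicting
# parameters in [SECTION]; prints 0 when the share is clean.
count_conflicts() {
    share_section "$1" "$2" |
        grep -v '^[[:space:]]*[#;]' |
        grep -Eic "^[[:space:]]*($CONFLICTING)[[:space:]]*=" || true
}

# write_sample FILE: constructed smb.conf with the [n] share from the question
# and an [n-fixed] share stripped down as the wiki page describes.
write_sample() {
    cat > "$1" <<'EOF'
[n]
    path = /mnt/n
    read only = no
    valid users = @"Domain Users" @"Domain Admins" @all
    admin users = admin @it
    # inherit acls = yes
    force create mode = 0777
    directory mask = 0770
    hide unreadable = yes

[n-fixed]
    path = /mnt/n
    read only = no
EOF
}
```

Run `count_conflicts /etc/samba/smb.conf n` against a live file; anything above 0 means the share still carries settings that will fight the Windows-managed ACLs.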
On 12.04.2017 at 10:26, Dmitry wrote:

> granting access
> (using the "Security" tab in Windows folder properties) for a concrete group to
> a concrete directory and then chmod'ing this folder to 0770.

Mixing Linux and Windows access rights does not work: changing any security bits or ACL in Linux causes the Windows ACL to be disabled. Use only one or the other.
Thank you, but this did nothing. Users from group 'g02' can access folder '01', but this folder has an ACL set up only for group 'g01'.

> You could investigate using 'access based share enum = yes'
>
> and setting the permissions from Windows, see here:
>
> wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> You will also need to remove these lines:
>
>     valid users = @"Domain Users" @"Domain Admins" @all
>     admin users = admin @it
>     # inherit acls = yes
>     force create mode = 0777
>     directory mask = 0770
>     hide unreadable = yes
>
> Rowland
Hai,

Mixing posix and windows acl works fine here. But for these shares you have to set:

    acl_xattr:ignore system acls = yes

on the share, resulting in: windows ignores the underlying posix rights, but my linux users do get the rights on the system itself. It's a bit of fiddling around until you get it, but it does work here. Now setting it the other way around won't work, like posix rights on the share (your example).

Setup as follows. Create the needed folder, set the needed posix rights on it. Mixing them together: give "domain users" a gid. Set 2770 on the folder. Now follow the wiki link Rowland sent. On the windows share security, the default is ok. Windows folder security of the share: make sure you set "CREATOR GROUP".

I use this on my www data folders. For example, system 1 generates the website. This is a system outside the windows domain and writes over nfsv3 to the webserver. The webserver does contain the wwwdata folder with a windows share.

It shows like this (for the server that generates the sites, debian wheezy):

    ls -al /home/remote/webserver/www
    -rwxr-xr-x+ 1 LINUX_USER_ON_SERVER1 LINUX_GROUP_ON_SERVER1 ..

The acl on "www":

    # file: www/
    # owner: root
    # group: root
    # flags: -s-
    user::rwx
    user:root:rwx
    group::r-x
    group:root:r-x
    group:2000:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:root:rwx
    default:group::r-x
    default:group:root:r-x
    default:group::rwx
    default:mask::rwx
    default:other::r-x

Now the webserver is a samba AD domain joined server (debian jessie). I needed nfsv4 and kerberos on that server.

    ls -al /var/www/somefolder/
    drwxr-sr-x+ 49 1001 2018 4096 Apr 11 10:38 www

    # file: var/www/bazuin/www
    # owner: root
    # group: root
    # flags: -s-
    user::rwx
    user:root:rwx                   #effective:r-x
    group::r-x
    group:root:r-x
    group:2000:rwx                  #effective:r-x
    mask::r-x
    other::r-x
    default:user::rwx
    default:user:root:rwx
    default:group::rwx
    default:group:Win-AD-GROUP:rwx
    default:mask::rwx
    default:other::r-x

It looks messy because of unresolved uids/gids:

    drwxrwsr-x+  9 root Win-AD-GROUP 4096 Sep  6  2016 changes1
    drwxr-xr-x+ 35 1001 2018         4096 Sep 22  2016 changes2

but it does work. Just test a bit before you go into production with it.

Systems used here in this setup:

    Samba 3.6.x   => writes over nfs v3 (sco unix)
    Samba 4.1.17  => writes over nfs v3 (debian wheezy) (was debian squeeze)
    Samba 4.5.8   AD DC. Does not write (debian jessie) (as of samba 4.1.x)
    Samba 4.5.8   Webserver member AD (debian jessie), writes from win pc

Share:

    [mysecret-www-folder$]
        browseable = yes
        path = /var/www
        read only = no
        acl_xattr:ignore system acls = yes

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dmitry via samba
> Sent: Wednesday, 12 April 2017 14:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] Dir ACL through windows and chmod
>
> Thank you, but this did nothing. Users from group 'g02' can access
> folder '01', but this folder has an ACL set up only for group 'g01'.
>
> > You could investigate using 'access based share enum = yes'
> >
> > and setting the permissions from Windows, see here:
> >
> > wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > You will also need to remove these lines:
> >
> >     valid users = @"Domain Users" @"Domain Admins" @all
> >     admin users = admin @it
> >     # inherit acls = yes
> >     force create mode = 0777
> >     directory mask = 0770
> >     hide unreadable = yes
> >
> > Rowland