Samba-4.3.5, Debian
smb.conf
[global]
workgroup = WG
security = ADS
realm = WG.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
idmap config * : backend = tdb
idmap config * : range = 2000-10000
idmap config * : backend = rid
idmap config * : range = 300000-400000
# idmap config WG : backend = ad
# idmap config WG : range = 300000-400000
# idmap config WG : schema_mode = rfc2307
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
max log size = 1000
log level = 5 vfs:1
syslog = 5
load printers = no
printing = bsd
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null
#======================= Share Definitions ======================
[n]
comment = File share
path = /mnt/n
read only = no
valid users = @"Domain Users" @"Domain Admins" @all
admin users = admin @it
# inherit acls = yes
force create mode = 0777
directory mask = 0770
hide unreadable = yes
getfacl /mnt/n/01
# file: 01
# owner: admin
# group: g01
user::rwx
user:u01:rwx
group::rwx
group:admin:rwx
group:g01:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx #effective:---
default:user:u01:rwx #effective:---
default:group::---
default:group:g01:rwx #effective:---
default:mask::---
default:other::---
I need folders to be seen (and accessed) only by the appropriate
domain groups. For example, there are domain groups g01, g02, g03, etc.;
users in these groups have to see only "their" folders: u01 -
\\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03
This is done by "Hide unreadable = yes" in smb.conf, by granting access
(using the "Security" tab in Windows folder rights) for a concrete group to
a concrete directory and then chmod'ing this folder to 0770. But if I then
modify the ACLs again through "Security" (for example, adding another
group's access to the folder), Samba sets 0777 on this folder and it becomes
"visible" to all others, and I have to set 0770 again on the Samba server.
This seems to work, but:
- not good for Windows admins, who only have to know about the "Security"
tab in folder rights;
- mixing ACLs with unix rights makes a mess and seems not the right way to
solve the task.
What is the "right way" to do such a task?
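An added example, not code from the thread or from Samba: it recomputes the "#effective:" hints in the getfacl output posted above and flags the two things this thread is about, entries that the default mask turns into #effective:--- and an "other" entry that makes a folder visible to every local user after the 0777 reset. The sample is Dmitry's posted ACL for /mnt/n/01, re-typed without the hints.

```python
# Constructed sample: Dmitry's getfacl output for /mnt/n/01 with the
# "#effective:" hints removed, so audit() has to recompute them itself.
SAMPLE_ACL = """\
# file: 01
user::rwx
user:u01:rwx
group::rwx
group:admin:rwx
group:g01:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx
default:user:u01:rwx
default:group::---
default:group:g01:rwx
default:mask::---
default:other::---
"""

def parse_getfacl(text):
    """Split getfacl output into access and default entries of (tag, qualifier, perms)."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.split("#")[0].strip()  # drop the header and any #effective: hint
        if line:
            kind = "default" if line.startswith("default:") else "access"
            body = line[len("default:"):] if kind == "default" else line
            acl[kind].append(tuple(body.split(":")))
    return acl

def apply_mask(perms, mask):
    """POSIX ACL rule: a bit is effective only when set in both the entry and the mask."""
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def audit(text):
    """Return findings: entries that make the object readable by everyone, and
    entries the mask strips of all access (what getfacl shows as #effective:---)."""
    findings = []
    for kind, entries in parse_getfacl(text).items():
        mask = next((p for t, _, p in entries if t == "mask"), "rwx")
        for tag, qualifier, perms in entries:
            # the mask governs named users, the owning group and named groups
            governed = tag == "group" or (tag == "user" and qualifier != "")
            effective = apply_mask(perms, mask) if governed else perms
            name = f"{kind}:{tag}:{qualifier}".rstrip(":")
            if tag == "other" and effective != "---":
                findings.append(f"{name} grants {effective}: visible to every local user")
            elif perms != "---" and effective == "---":
                findings.append(f"{name} has {perms} but the mask leaves it with no access")
    return findings
```

Run it against `getfacl` output captured from each top-level folder of the share to see which ones have drifted back to world-visible.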
On Wed, 12 Apr 2017 11:26:15 +0300 Dmitry via samba <samba at lists.samba.org> wrote:
> I need folders to be seen (and accessed) only by the appropriate
> domain groups. For example, there are domain groups g01, g02, g03,
> etc.; users in these groups have to see only "their" folders: u01 -
> \\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03
> This is done by "Hide unreadable = yes" in smb.conf, by granting
> access (using the "Security" tab in Windows folder rights) for a concrete
> group to a concrete directory and then chmod'ing this folder to 0770.
> But if I then modify the ACLs again through "Security" (for example,
> adding another group's access to the folder), Samba sets 0777 on this folder
> and it becomes "visible" to all others, and I have to set 0770 again on the
> Samba server. This seems to work, but:
> - not good for Windows admins, who only have to know about the "Security"
> tab in folder rights;
> - mixing ACLs with unix rights makes a mess and seems not the right way
> to solve the task.
>
> What is the "right way" to do such a task?
>
>

You could investigate using 'access based share enum = yes' and setting the permissions from Windows, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You will also need to remove these lines:

valid users = @"Domain Users" @"Domain Admins" @all
admin users = admin @it
# inherit acls = yes
force create mode = 0777
directory mask = 0770
hide unreadable = yes

Rowland
On 12.04.2017 at 10:26, Dmitry wrote:
> granting access
> (using the "Security" tab in Windows folder rights) for a concrete group to
> a concrete directory and then chmod'ing this folder to 0770.

Mixing Linux and Windows access rights does not work: changing any security bits or ACL in Linux causes the Windows ACL to be disabled. Use only one or the other.
Thank you, but this did nothing. Users from group 'g02' can access folder '01', but this folder has an ACL set up only for group 'g01'.

> You could investigate using 'access based share enum = yes'
> and setting the permissions from Windows, see here:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> You will also need to remove these lines:
>
> valid users = @"Domain Users" @"Domain Admins" @all
> admin users = admin @it
> # inherit acls = yes
> force create mode = 0777
> directory mask = 0770
> hide unreadable = yes
>
> Rowland
Hi,
Mixing POSIX and Windows ACLs works fine here.
But for these shares you have to set: acl_xattr:ignore system acls = yes
on the share, resulting in Windows ignoring the underlying POSIX rights, but my
Linux users do get the rights on the system itself.
It's a bit of fiddling around until you get it, but it does work here.
Now setting it the other way around won't work, like POSIX rights on the share
(your example).
Set up as follows.
Create the needed folder, set the needed POSIX rights on it.
Mixing them together: give "domain users" a gid.
Set 2770 on the folder.
Now follow the wiki link Rowland sent.
On the Windows share security, the default is ok.
Windows folder security of the share:
make sure you set "CREATOR GROUP".
I use this on my www data folders.
For example, system 1 generates the website. This is a system outside the Windows
domain and writes over NFSv3 to the webserver.
The webserver contains the wwwdata folder with a Windows share.
It shows like this:
(for the server that generates the sites (debian wheezy))
ls -al /home/remote/webserver/www
-rwxr-xr-x+ 1 LINUX_USER_ON_SERVER1 LINUX_GROUP_ON_SERVER1 ..
The ACL on "www":
# file: www/
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:2000:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group::rwx
default:mask::rwx
default:other::r-x
Now the webserver is a Samba AD domain-joined member server (debian jessie).
I needed NFSv4 and Kerberos on that server.
ls -al /var/www/somefolder/
drwxr-sr-x+ 49 1001 2018 4096 Apr 11 10:38 www
# file: var/www/bazuin/www
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx #effective:r-x
group::r-x
group:root:r-x
group:2000:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:Win-AD-GROUP:rwx
default:mask::rwx
default:other::r-x
It looks messy because of unresolved uids/gids:
drwxrwsr-x+ 9 root Win-AD-GROUP 4096 Sep 6 2016 changes1
drwxr-xr-x+ 35 1001 2018 4096 Sep 22 2016 changes2
but it does work.
Just test a bit before you go into production with it.
Systems used here in this setup:
Samba 3.6.x => writes over NFS v3 (SCO Unix)
Samba 4.1.17 => writes over NFS v3 (debian wheezy) (was debian squeeze)
Samba 4.5.8 AD DC. Does not write (debian jessie) (as of samba 4.1.x)
Samba 4.5.8 webserver, AD member (debian jessie), writes from a Windows PC.
Share:
[mysecret-www-folder$]
browseable = yes
path = /var/www
read only = no
acl_xattr:ignore system acls = yes
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dmitry via samba
> Sent: Wednesday 12 April 2017 14:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] Dir ACL through windows and chmod