On Sun, 23 Apr 2017 20:53:39 +1000
Henry via samba <samba at lists.samba.org> wrote:

> root at aphrodite:~# getfacl -d /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: domain\040admins
>
> However in Windows I am still unable to edit the "Security"
> permissions tab.
> "You do not have permission to view or edit this object's permission
> settings"
>
> I am really at a loss here as I am unable to get a Samba share
> working with Windows ACLs. Surely it cannot be this complex so what
> am I missing. All I want is a Samba share that I can control the
> permissions using Windows...
>

OK, sorry to be so long, but it turned out that I had a problem myself
and I had to fix it (amongst other things)

Right, if I run this:

ls -lad /srv/samba/Demo/

I get this:

drwxrwx---+ 3 root unix admins 4096 Apr 11 11:49 /srv/samba/Demo/

Note: I use 'Unix Admins' instead of 'Domain Admins', but it amounts to
the same thing.

getfacl gives this:

getfacl /srv/samba/Demo/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/Demo/
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---

and on Windows:

Share permissions:

Everyone Full control
unix admins Full control
domain users Full control

Security:

root Full control
unix admins Full control
domain users Modify, Read & execute, List folder contents, Read, Write

One thing it doesn't say on the wiki page, when you grant the
SeDiskOperatorPrivilege, you have to do it on the machine that holds
the share.

So, make sure that Domain Admins, on the machine that holds the share,
has the SeDiskOperatorPrivilege. Set the Unix permissions as I
suggested and then try again from 'Computer Management' on a domain
joined Windows machine.

Make sure that you log in as a user that is a member of Domain Admins.

Can you also test that the underlying OS knows Domain Admins with:

getent group Domain\ Admins

If you do not get any output, then this is part of your problem.

Rowland
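
An added example, not part of the thread and not Samba code: a shell function that reads `getfacl` output like the listing in the message above and reports whether a named admin group holds effective rwx in both the access ACL and the default ACL of the share directory. The name `acl_gaps` and the second sample are constructed for illustration.

```shell
# acl_gaps GROUP < getfacl-output   (GROUP as getfacl prints it, space = \040)
# Prints "ok" or one finding per line. GROUP is passed through the
# environment because awk -v would turn \040 into a real space.
acl_gaps() {
    GRP="$1" awk -F: '
        function eff(p, m,   i, c, out) {    # entry permission limited by mask
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1)
                out = out ((c != "-" && substr(m, i, 1) != "-") ? c : "-")
            }
            return out
        }
        function report(s,   e) {
            if (!(s in entry)) { print s ": no entry for group"; bad = 1; return }
            e = eff(entry[s], (s in mask) ? mask[s] : "rwx")
            if (e != "rwx") { print s ": effective " e; bad = 1 }
        }
        /^#/ || NF < 3 { next }              # header comments, blanks, messages
        {
            off = ($1 == "default"); scope = off ? "default" : "access"
            tag = $(1 + off); perm = substr($(3 + off), 1, 3)
            if (tag == "mask") mask[scope] = perm
            if (tag == "group" && $(2 + off) == ENVIRON["GRP"]) entry[scope] = perm
        }
        END { report("access"); report("default"); if (!bad) print "ok" }'
}
# ACL entries copied from the getfacl listing in the thread.
GOOD_ACL='user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---'
# Constructed sample: mask narrowed to r-x and no default ACL set.
BAD_ACL='user::rwx
group::rwx
group:unix\040admins:rwx
mask::r-x'
printf '%s\n' "$GOOD_ACL" | acl_gaps 'unix\040admins'
printf '%s\n' "$BAD_ACL"  | acl_gaps 'unix\040admins'
```

On a live server the same function takes its input from a pipe, for example `getfacl /srv/samba/Demo/ | acl_gaps 'unix\040admins'`.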
On 2017-04-24 01:44, Rowland Penny wrote:

> On Sun, 23 Apr 2017 20:53:39 +1000
> Henry via samba <samba at lists.samba.org> wrote:
>
>> root at aphrodite:~# getfacl -d /srv/samba/data/Testing
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/data/Testing
>> # owner: root
>> # group: domain\040admins
>>
>> However in Windows I am still unable to edit the "Security"
>> permissions tab.
>> "You do not have permission to view or edit this object's permission
>> settings"
>>
>> I am really at a loss here as I am unable to get a Samba share
>> working with Windows ACLs. Surely it cannot be this complex so what
>> am I missing. All I want is a Samba share that I can control the
>> permissions using Windows...
>>
>
> OK, sorry to be so long, but it turned out that I had a problem myself
> and I had to fix it (amongst other things)
>
> Right, if I run this:
>
> ls -lad /srv/samba/Demo/
>
> I get this:
>
> drwxrwx---+ 3 root unix admins 4096 Apr 11 11:49 /srv/samba/Demo/
>
> Note: I use 'Unix Admins' instead of 'Domain Admins', but it amounts to
> the same thing.
>
> getfacl gives this:
>
> getfacl /srv/samba/Demo/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/Demo/
> # owner: root
> # group: unix\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:domain\040users:rwx
> group:unix\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:domain\040users:rwx
> default:group:unix\040admins:rwx
> default:mask::rwx
> default:other::---
>
> and on Windows:
>
> Share permissions:
>
> Everyone Full control
> unix admins Full control
> domain users Full control
>
> Security:
>
> root Full control
> unix admins Full control
> domain users Modify, Read & execute, List folder contents, Read, Write
>
> One thing it doesn't say on the wiki page, when you grant the
> SeDiskOperatorPrivilege, you have to do it on the machine that holds
> the share.
>
> So, make sure that Domain Admins, on the machine that holds the share,
> has the SeDiskOperatorPrivilege. Set the Unix permissions as I
> suggested and then try again from 'Computer Management' on a domain
> joined Windows machine.
>
> Make sure that you log in as a user that is a member of Domain Admins.
>
> Can you also test that the underlying OS knows Domain Admins with:
>
> getent group Domain\ Admins
>
> If you do not get any output, then this is part of your problem.
>
> Rowland

Hi Rowland... one step forwards thank you.

I think I found my mistake. In Windows I was using a domain admins
account other than administrator however only administrator has the
SeDiskOperatorPrivilege. When I login to Windows as administrator it
works. Now with my "testing" share I can do everything I need to ! I
have now created a new share following this procedure and it works
too :)

I have two existing shares that do not display the "Security" tab in
Windows and I have double & triple checked everything in Samba.
Does Windows/Samba cache the security settings or can I reset the
security settings for these two shares and start again from scratch?

Thanks
On Mon, 24 Apr 2017 08:59:54 +1000
Henry via samba <samba at lists.samba.org> wrote:

> I think I found my mistake. In Windows I was using a domain admins
> account other than administrator however only administrator has the
> SeDiskOperatorPrivilege. When I login to Windows as administrator it
> works. Now with my "testing" share I can do everything I need to ! I
> have now created a new share following this procedure and it works
> too :)

Good, I will update the wiki page.

>
> I have two existing shares that do not display the "Security" tab in
> Windows and I have double & triple checked everything in Samba.
> Does Windows/Samba cache the security settings or can I reset the
> security settings for these two shares and start again from scratch?
>

I seem to think that this could be a Windows problem, try an internet
search about missing security tab.

Rowland
> however only administrator has the SeDiskOperatorPrivilege

That's the mistake.
Always give the groups the SePrivileges.

Then it works fine if you use a member of "Domain Admins" and set rights.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 24 April 2017 8:46
> To: samba at lists.samba.org
> CC: Henry
> Subject: Re: [Samba] Setting up a Share Using Windows ACLs
>
> On Mon, 24 Apr 2017 08:59:54 +1000
> Henry via samba <samba at lists.samba.org> wrote:
>
> > I think I found my mistake. In Windows I was using a domain admins
> > account other than administrator however only administrator has the
> > SeDiskOperatorPrivilege. When I login to Windows as administrator it
> > works. Now with my "testing" share I can do everything I need to ! I
> > have now created a new share following this procedure and it works
> > too :)
>
> Good, I will update the wiki page.
>
> >
> > I have two existing shares that do not display the "Security" tab in
> > Windows and I have double & triple checked everything in Samba.
> > Does Windows/Samba cache the security settings or can I reset the
> > security settings for these two shares and start again from scratch?
> >
>
> I seem to think that this could be a Windows problem, try an
> internet search about missing security tab.
>
> Rowland