Hi guys,

I have sernet-samba-ad-4.1.21-11.el6.x86_64 and I keep getting an issue whereby I reset the folder permissions to default by doing...

setfacl -R -k --remove-all HR
setfacl -d -R --remove-all HR
chown -R root:root HR
chmod -R 777 HR

Then via my AD MMC Computer Management, connect to server, then Sharing. I have user A and B as part of a group called HR-Users, and I have the group HR-Users with full access on the folder called HR...

This initially works well, but slowly but surely I start seeing users owning the files in the folder they save to, and folders that user A creates, user B can't access, etc., because when I look at the folder permissions it's owned by user A, etc.

This is my config...

[global]
workgroup = blabla
realm = blabla.local
netbios name = HEADOFFICE
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 160.128.20.4
ntp signd socket directory = /var/lib/samba/ntp_signd
interfaces = 160.128.20.8, 127.0.0.1
bind interfaces only = Yes
acl allow execute always = True
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
debug timestamp = yes
winbind use default domain = yes
template homedir = /home/%ACCOUNTNAME%
template shell = /bin/false
veto files = /copy.exe/host.exe/*.locky/*.lnk/*.ink/*.exe/*.scr/New Folder.exe/
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[HR]
path = /var/lib/samba/data/data/HR
read only = No
inherit acls = no
inherit owner = no
inherit permissions = no
acl group control = yes

Sorry if this has been covered before, but I can't seem to find a way to prevent user A or B, etc., from owning the files and preventing each other from accessing them in the same HR share.

Any assistance is appreciated.

Thank you.
On Tue, 13 Jun 2017 09:15:40 +0200
Neil via samba <samba at lists.samba.org> wrote:

> Hi guys,
>
> I have sernet-samba-ad-4.1.21-11.el6.x86_64 and I keep getting an
> issue whereby I reset the folder permissions to default by doing...
>
> setfacl -R -k --remove-all HR
> setfacl -d -R --remove-all HR
> chown -R root:root HR
> chmod -R 777 HR
>
> Then via my AD MMC Computer Management, connect to server, then
> Sharing. I have user A and B as part of a group called HR-Users, and I
> have the group HR-Users with full access on the folder called HR...
>
> This initially works well, but slowly but surely I start seeing users
> owning the files in the folder they save to, and folders that user
> A creates, user B can't access, etc., because when I look at the folder
> permissions it's owned by user A, etc.
>
> This is my config...
>
> [global]
> workgroup = blabla
> realm = blabla.local
> netbios name = HEADOFFICE
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 160.128.20.4
> ntp signd socket directory = /var/lib/samba/ntp_signd
> interfaces = 160.128.20.8, 127.0.0.1
> bind interfaces only = Yes
> acl allow execute always = True
> log level = 3
> log file = /var/log/samba/log.%m
> max log size = 50
> debug timestamp = yes
> winbind use default domain = yes
> template homedir = /home/%ACCOUNTNAME%
> template shell = /bin/false
> veto files = /copy.exe/host.exe/*.locky/*.lnk/*.ink/*.exe/*.scr/New Folder.exe/
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> [HR]
> path = /var/lib/samba/data/data/HR
> read only = No
> inherit acls = no
> inherit owner = no
> inherit permissions = no
> acl group control = yes
>
> Sorry if this has been covered before, but I can't seem to find a way
> to prevent user A or B, etc., from owning the files and preventing each
> other from accessing them in the same HR share.
>
> Any assistance is appreciated.
>
> Thank you.

OK, this is a DC and therefore you will have to do things differently from a Unix domain member.

You might as well remove these lines from [global]:

winbind use default domain = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

The first doesn't work on a DC and the others are built into the 'samba' daemon and so could be causing problems.

You should also make the [HR] share look like this:

[HR]
path = /var/lib/samba/data/data/HR
read only = No

Now go and read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You must use Windows ACLs on a DC.

Rowland
Hi Rowland,

Thank you for the reply and info.

On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org> wrote:

> On Tue, 13 Jun 2017 09:15:40 +0200
> Neil via samba <samba at lists.samba.org> wrote:
>
> OK, this is a DC and therefore you will have to do things differently from
> a Unix domain member.
>
> You might as well remove these lines from [global]:
>
> winbind use default domain = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> The first doesn't work on a DC and the others are built into the
> 'samba' daemon and so could be causing problems.
>
> You should also make the [HR] share look like this:
>
> [HR]
> path = /var/lib/samba/data/data/HR
> read only = No
>
> Now go and read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> You must use Windows ACLs on a DC.

Thanks. I've cleaned up the smb.conf (and the HR share) and had a full read again, but I'm still not sure how this will prevent users from becoming owner (shown using getfacl as the extended attributes) of the files if they save them or if they create a directory.

From what I've seen, the only difference in what I've done is that because I set the permissions to 777 initially, I didn't have to set the SeDiskOperatorPrivilege, although I was using the user who already had this permission.

One other thing is that the current HR share is 100 GB+ and changing permissions from the Windows side takes hours. Is there a quicker way to set both the Sharing permissions and the Security permissions for the HR group using setfacl? I've tried setting it using setfacl but couldn't seem to get this right.

Apologies if I've misunderstood or if I'm missing something.

Thank you!

Regards,
Neil Wilson

> Rowland
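The symptom in this thread is ownership drift: files in the share end up owned by the user who saved them rather than by root with the share group, which is what getfacl showed Neil. The script below is an added example, not code from the thread or from the Samba project, that audits a share tree for exactly that drift so an administrator can see which entries need attention before touching 100 GB of permissions. It assumes the share path and the group name HR-Users from the original post, assumes GNU find (for -printf, which the el6 box in the post has), and assumes owner and group names without embedded spaces (use %U and %G for numeric IDs if a domain group such as "Domain Users" appears in the listing).

```shell
#!/bin/sh
# Added example, not from the thread: audit a Samba share tree for entries
# that are no longer owned by root, no longer in the share group, or whose
# mode denies the group write access. Path and group are assumptions taken
# from the original post.

SHARE_ROOT="/var/lib/samba/data/data/HR"   # from the posted [HR] share
EXPECTED_OWNER="root"                      # what `chown -R root:root HR` set
EXPECTED_GROUP="HR-Users"                  # assumed: the group from the post

# audit_listing OWNER GROUP
# Reads lines of the form "owner group mode path" on stdin (the format
# produced by audit_share below) and prints one line per drifted entry,
# tagged OWNER, GROUP or MODE. Returns 1 if anything drifted, else 0.
# The path is the last field, so paths containing spaces survive `read`.
audit_listing() {
    expected_owner="$1"
    expected_group="$2"
    drifted=0
    while read -r owner group mode path; do
        [ -z "$path" ] && continue
        if [ "$owner" != "$expected_owner" ]; then
            printf 'OWNER %s (owned by %s)\n' "$path" "$owner"
            drifted=1
        elif [ "$group" != "$expected_group" ]; then
            printf 'GROUP %s (group %s)\n' "$path" "$group"
            drifted=1
        else
            # find prints the mode in octal (e.g. 770 or 2770); the group
            # digit is second from the end and has the write bit if it is
            # 2, 3, 6 or 7.
            case "$mode" in
                *[2367]?) ;;
                *)
                    printf 'MODE %s (mode %s, group cannot write)\n' "$path" "$mode"
                    drifted=1 ;;
            esac
        fi
    done
    return $drifted
}

# audit_share DIR
# Walks DIR with GNU find and feeds one "owner group mode path" line per
# entry into audit_listing.
audit_share() {
    find "$1" -printf '%u %g %m %p\n' | audit_listing "$EXPECTED_OWNER" "$EXPECTED_GROUP"
}

# Usage: sh audit_share.sh /var/lib/samba/data/data/HR
# (no argument: only define the functions, e.g. when sourced)
if [ $# -gt 0 ]; then
    audit_share "$1"
fi
```

The exit status makes it usable from cron or a pre-migration check: a non-zero status means the tree has drifted from root:HR-Users with group write access, and the tagged lines tell you whether it is ownership, group or mode that changed.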