Hi Rowland,

Thank you for the reply and info.

On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org> wrote:

> On Tue, 13 Jun 2017 09:15:40 +0200
> Neil via samba <samba at lists.samba.org> wrote:
>
> OK, this is a DC and therefore you will have to do things differently from
> a Unix domain member.
>
> You might as well remove these lines from [global]
>
> winbind use default domain = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> The first doesn't work on a DC and the others are built into the
> 'samba' daemon and so could be causing problems.
>
> You should also make the [HR] share look like this:
>
> [HR]
> path = /var/lib/samba/data/data/HR
> read only = No
>
> Now go and read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> You must use Windows ACLs on a DC.

Thanks, I've cleaned up the smb.conf (and HR share) and had a full read
again, but I'm still not sure how this will prevent users from becoming
owner of the files (shown by getfacl as the extended attributes) if they
save them or if they create a directory.

From what I've seen, the only difference I've done is, because I set the
permissions to 777 initially, I didn't have to set the
SeDiskOperatorPrivilege, although I was using the user who already had this
permission.

One other thing is that the current HR share is 100 GB+ and changing
permissions from the Windows side takes hours. Is there a quicker way to set
both the sharing permissions and the Security permissions for group HR-group
using setfacl? I've tried setting it using setfacl but couldn't seem to get
this right.

Apologies if I've misunderstood or if I'm missing something.

Thank you!

Regards.

Neil Wilson

> Rowland
On Tue, 13 Jun 2017 12:25:32 +0200
Neil <nwilson123 at gmail.com> wrote:

> Hi Rowland,
>
> Thank you for the reply and info.
>
> On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org>
> wrote:
>
> > On Tue, 13 Jun 2017 09:15:40 +0200
> > Neil via samba <samba at lists.samba.org> wrote:
> >
> > OK, this is a DC and therefore you will have to do things differently
> > from a Unix domain member.
> >
> > You might as well remove these lines from [global]
> >
> > winbind use default domain = yes
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > The first doesn't work on a DC and the others are built into the
> > 'samba' daemon and so could be causing problems.
> >
> > You should also make the [HR] share look like this:
> >
> > [HR]
> > path = /var/lib/samba/data/data/HR
> > read only = No
> >
> > Now go and read this:
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > You must use Windows ACLs on a DC.
>
> Thanks, I've cleaned up the smb.conf (and HR share) and had a full read
> again, but I'm still not sure how this will prevent users from
> becoming owner of the files (shown by getfacl as the extended attributes)
> if they save them or if they create a directory.
>
> From what I've seen, the only difference I've done is, because I set
> the permissions to 777 initially, I didn't have to set the
> SeDiskOperatorPrivilege, although I was using the user who already had
> this permission.

Using '777' means that you now have a wide open share.

> One other thing is that the current HR share is 100 GB+ and changing
> permissions from the Windows side takes hours. Is there a quicker way
> to set both the sharing permissions and the Security permissions for
> group HR-group using setfacl? I've tried setting it using setfacl but
> couldn't seem to get this right.
>
> Apologies if I've misunderstood or if I'm missing something.
>
> Thank you!
>
> Regards.
>
> Neil Wilson

# getfacl /srv/samba/Demo/
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

This shows that the share directory is owned by root:root and the user root
can do anything, but root group members cannot do anything. Extended ACLs
for Domain Users and Domain Admins allow members of these groups to do
anything.

The settings shown on the wiki page are only examples, so you can change
them if you wish. If you are going to only administer the share using the
'Administrator' user then you can leave the owner group alone, but if you
want to use members of a group, you will need to 'chmod' the group
ownership and then give the group the 'SeDiskOperatorPrivilege'.

Rowland
I'm missing from the getfacl command one or both of:

CREATOR OWNER
and/or
CREATOR GROUP

Especially "Creator Group" is very wise to set.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 13 June 2017 13:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] Retaining Permissions on a share
>
> On Tue, 13 Jun 2017 12:25:32 +0200
> Neil <nwilson123 at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thank you for the reply and info.
> >
> > On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org>
> > wrote:
> >
> > > On Tue, 13 Jun 2017 09:15:40 +0200
> > > Neil via samba <samba at lists.samba.org> wrote:
> > >
> > > OK, this is a DC and therefore you will have to do things
> > > differently from a Unix domain member.
> > >
> > > You might as well remove these lines from [global]
> > >
> > > winbind use default domain = yes
> > > vfs objects = acl_xattr
> > > map acl inherit = Yes
> > > store dos attributes = Yes
> > >
> > > The first doesn't work on a DC and the others are built into the
> > > 'samba' daemon and so could be causing problems.
> > >
> > > You should also make the [HR] share look like this:
> > >
> > > [HR]
> > > path = /var/lib/samba/data/data/HR
> > > read only = No
> > >
> > > Now go and read this:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > >
> > > You must use Windows ACLs on a DC.
> >
> > Thanks, I've cleaned up the smb.conf (and HR share) and had a full read
> > again, but I'm still not sure how this will prevent users from
> > becoming owner of the files (shown by getfacl as the extended
> > attributes) if they save them or if they create a directory.
> >
> > From what I've seen, the only difference I've done is, because I set
> > the permissions to 777 initially, I didn't have to set the
> > SeDiskOperatorPrivilege, although I was using the user who already had
> > this permission.
>
> Using '777' means that you now have a wide open share.
>
> > One other thing is that the current HR share is 100 GB+ and changing
> > permissions from the Windows side takes hours. Is there a quicker way
> > to set both the sharing permissions and the Security permissions for
> > group HR-group using setfacl? I've tried setting it using setfacl but
> > couldn't seem to get this right.
> >
> > Apologies if I've misunderstood or if I'm missing something.
> >
> > Thank you!
> >
> > Regards.
> >
> > Neil Wilson
>
> # getfacl /srv/samba/Demo/
> # file: srv/samba/Demo/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:domain\040users:rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> This shows that the share directory is owned by root:root and the user
> root can do anything, but root group members cannot do anything.
> Extended ACLs for Domain Users and Domain Admins allow members of these
> groups to do anything.
>
> The settings shown on the wiki page are only examples, so you can
> change them if you wish. If you are going to only administer the share
> using the 'Administrator' user then you can leave the owner group
> alone, but if you want to use members of a group, you will need to
> 'chmod' the group ownership and then give the group the
> 'SeDiskOperatorPrivilege'.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Tue, Jun 13, 2017 at 1:17 PM, Rowland Penny via samba
<samba at lists.samba.org> wrote:

> On Tue, 13 Jun 2017 12:25:32 +0200
> Neil <nwilson123 at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thank you for the reply and info.
> >
> > On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org>
> > wrote:
> >
> > > On Tue, 13 Jun 2017 09:15:40 +0200
> > > Neil via samba <samba at lists.samba.org> wrote:
> > >
> > > OK, this is a DC and therefore you will have to do things differently
> > > from a Unix domain member.
> > >
> > > You might as well remove these lines from [global]
> > >
> > > winbind use default domain = yes
> > > vfs objects = acl_xattr
> > > map acl inherit = Yes
> > > store dos attributes = Yes
> > >
> > > The first doesn't work on a DC and the others are built into the
> > > 'samba' daemon and so could be causing problems.
> > >
> > > You should also make the [HR] share look like this:
> > >
> > > [HR]
> > > path = /var/lib/samba/data/data/HR
> > > read only = No
> > >
> > > Now go and read this:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > >
> > > You must use Windows ACLs on a DC.
> >
> > Thanks, I've cleaned up the smb.conf (and HR share) and had a full read
> > again, but I'm still not sure how this will prevent users from
> > becoming owner of the files (shown by getfacl as the extended
> > attributes) if they save them or if they create a directory.
> >
> > From what I've seen, the only difference I've done is, because I set
> > the permissions to 777 initially, I didn't have to set the
> > SeDiskOperatorPrivilege, although I was using the user who already had
> > this permission.
>
> Using '777' means that you now have a wide open share.

Yes thanks, it was just used to reset permissions initially. I'll use the
SeDiskOperatorPrivilege to avoid having to "loosen" the permissions.

> > One other thing is that the current HR share is 100 GB+ and changing
> > permissions from the Windows side takes hours. Is there a quicker way
> > to set both the sharing permissions and the Security permissions for
> > group HR-group using setfacl? I've tried setting it using setfacl but
> > couldn't seem to get this right.
> >
> > Apologies if I've misunderstood or if I'm missing something.
> >
> > Thank you!
> >
> > Regards.
> >
> > Neil Wilson
>
> # getfacl /srv/samba/Demo/
> # file: srv/samba/Demo/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:root:---
> group:domain\040users:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:root:---
> default:group:domain\040users:rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> This shows that the share directory is owned by root:root and the user
> root can do anything, but root group members cannot do anything.
> Extended ACLs for Domain Users and Domain Admins allow members of
> these groups to do anything.
>
> The settings shown on the wiki page are only examples, so you can
> change them if you wish. If you are going to only administer the share
> using the 'Administrator' user then you can leave the owner group
> alone, but if you want to use members of a group, you will need to
> 'chmod' the group ownership and then give the group the
> 'SeDiskOperatorPrivilege'.

Great, thanks. I didn't realise that I'd need to set the group to the
"diskOperatorprivilege"; that makes complete sense now! Thank you for your
help, I'll go ahead and give this a try.

Much appreciated.

Regards.

Neil Wilson.

> Rowland
On Tue, 13 Jun 2017 14:42:13 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I'm missing from the getfacl command one or both of:
>
> CREATOR OWNER
> and/or
> CREATOR GROUP
>
> Especially "Creator Group" is very wise to set.

They don't seem to be shown by getfacl, even if they are set and show on a
Windows security tab.

Rowland
Hm.. You're totally right.. That's annoying.. Report bug? :-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 13 June 2017 15:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Retaining Permissions on a share
>
> On Tue, 13 Jun 2017 14:42:13 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > I'm missing from the getfacl command one or both of:
> >
> > CREATOR OWNER
> > and/or
> > CREATOR GROUP
> >
> > Especially "Creator Group" is very wise to set.
>
> They don't seem to be shown by getfacl, even if they are set
> and show on a Windows security tab.
>
> Rowland
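Added example, not code from anyone in this thread or from the Samba project. It ties together two points of the discussion: Rowland's getfacl listing and Neil's question about reproducing that state with setfacl instead of waiting hours on the Windows side, and the later exchange that CREATOR OWNER / CREATOR GROUP never appear in getfacl output because they live in the Windows ACL Samba stores separately. The script audits a getfacl listing for the wide-open state that 'chmod 777' leaves behind, lists which named groups get rwx, prints (without running) the setfacl sequence that puts a whole tree into the state of the listing, and prints the two Windows-side commands getfacl cannot replace. The paths /srv/samba/Demo and /srv/samba/HR, the domain name SAMDOM, the group HR-group, and the assumption that group names resolve through winbind on the DC (getent group shows them) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread (not the posters' or Samba's own code).
# Path, SAMDOM, HR-group and winbind-resolvable group names are assumptions.

# Rowland's listing from the thread, used as sample input.
SAMPLE_ACL='# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---'

# Read a getfacl listing on stdin. Exit 0 if "other" (anyone at all) has
# any access, either on the directory itself or in the default ACL that
# new files and folders inherit; exit 1 when both are "---".
acl_wide_open() {
    awk '
        /^other::/         && $0 != "other::---"         { open = 1 }
        /^default:other::/ && $0 != "default:other::---" { open = 1 }
        END { exit open ? 0 : 1 }
    '
}

# Read a getfacl listing on stdin and print the named groups that hold rwx
# in the access ACL, one per line. getfacl escapes spaces as \040; undo it.
acl_rwx_groups() {
    awk -F: '$1 == "group" && $2 != "" && $3 == "rwx" { gsub(/\\040/, " ", $2); print $2 }'
}

# Print the commands that put a whole tree into the state of the listing:
# top directory owned by root:root, owner rwx, owning group and other
# nothing, each named group rwx, and the same entries as default ACL so
# files and folders created later inherit them. Arguments: path, then the
# group names exactly as winbind resolves them on the DC. Nothing runs here.
share_acl_commands() {
    path=$1; shift
    spec=''
    for g in "$@"; do
        spec="${spec}g:${g}:rwX,"   # X: execute only for dirs and already-executable files
    done
    spec=${spec%,}
    printf 'chown root:root "%s"\n' "$path"
    # u::/g::/o:: are the mode bits: this replaces a 'chmod -R 777' with
    # 700 plus the named groups, so 'other' gets nothing anywhere in the tree.
    printf 'setfacl -R -m "u::rwX,g::---,o::---,%s" "%s"\n' "$spec" "$path"
    # default entries are only valid on directories, so select those with find
    printf 'find "%s" -type d -exec setfacl -d -m "u::rwx,g::---,o::---,%s" {} +\n' "$path" "$spec"
}

# Run the generated commands (needs root and the acl package on the DC).
apply_share_acl() {
    share_acl_commands "$@" | sh -e
}

# What getfacl cannot show: the Windows ACL that Samba keeps in the
# security.NTACL extended attribute (CREATOR OWNER / CREATOR GROUP live
# there, readable with samba-tool ntacl get) and the privilege that lets a
# group change ACLs from the Windows security tab, granted as on the wiki.
windows_side_commands() {
    path=$1; group=$2
    printf 'samba-tool ntacl get "%s"\n' "$path"
    printf 'net rpc rights grant "%s" SeDiskOperatorPrivilege -U "SAMDOM\\Administrator"\n' "$group"
}

# Stand-alone run: audit the sample listing, then show the commands for an
# HR share administered by SAMDOM\HR-group.
if [ "${1:-}" = "demo" ]; then
    if printf '%s\n' "$SAMPLE_ACL" | acl_wide_open; then
        echo "sample: WIDE OPEN"
    else
        echo "sample: other has no access"
    fi
    printf '%s\n' "$SAMPLE_ACL" | acl_rwx_groups
    share_acl_commands /srv/samba/HR "SAMDOM\\domain admins" "SAMDOM\\HR-group"
    windows_side_commands /srv/samba/HR "SAMDOM\\HR-group"
fi
```

Run it as `sh script.sh demo` to see the audit verdict and the commands, or pipe a real `getfacl /srv/samba/HR` into `acl_wide_open` on the DC. Two caveats a practitioner should keep in mind: the `u::`/`g::`/`o::` entries are the classic mode bits, so a recursive setfacl with `o::---` is what undoes an earlier `chmod -R 777`, and the `X` permission keeps existing data files from becoming executable. Second, setfacl only rewrites the POSIX layer; the Windows ACL that Samba stores alongside it (where the CREATOR OWNER and CREATOR GROUP entries from the security tab end up) carries a hash of the POSIX ACL, so changing the POSIX ACL underneath causes Samba to fall back to the ACL it synthesises from the POSIX entries. Re-check the result from the Windows security tab or with `samba-tool ntacl get` afterwards, and set inheritance entries such as CREATOR GROUP from Windows once the bulk work is done.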