I'm sorry, last mail was not complete.

...
-> Login to Windows with administrator and connect to FILESERVER via
"Computer Management" -> Choosing Demo Share and going to Security tab
->

Can't set any ACL because, permission denied!

On 27 January 2018 11:35:53 CET, Micha Ballmann via samba <samba at lists.samba.org> wrote:
>Hello,
>
>I also fired up a new VM :) and configured the "rid" backend. I followed
>all steps in
>https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
>
>Set the attributes in smb.conf:
>
>vfs objects = acl_xattr
>map acl inherit = yes
>store dos attributes = yes
>
>Granting the SeDiskOperatorPrivilege:
>
># net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U
>(successful after troubleshooting)
>
>Adding Share (I just copy and paste the example):
>
># mkdir -p /srv/samba/Demo/
># chown root:"Domain Admins" /srv/samba/Demo/ --> NOW WORKING BECAUSE I SET UP RID BACKEND
># chmod 0770 /srv/samba/Demo/
>
>smb.conf
>
>[Demo]
>        path = /srv/samba/Demo/
>        read only = no
>
>-> Login to Windows with administrator and connect to FILESERVER via
>"Computer Management" -> Choosing Demo Share and going to Security tab
>->
>
>Regards
>
>Micha
>
>
>On 26.01.2018 at 16:31, Rowland Penny via samba wrote:
>> On Fri, 26 Jan 2018 14:18:53 +0000
>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>>> On Fri, 26 Jan 2018 14:10:40 +0100
>>> Micha Ballmann <ballmann at uni-landau.de> wrote:
>>>
>>>> To set share windows permissions and windows acl I login on a
>>>> windows 7 computer with the administrator user. Open Computer
>>>> Management and connect to the fileserver. When I'm trying now to set
>>>> acl I have no permissions.
>>>>
>>> Well, I couldn't understand why it wasn't working, so I fired up a VM
>>> running win7 and guess what, it doesn't work for me either, it did,
>>> but it doesn't now :-(
>>>
>>> I will get back to you.
>>>
>>> Rowland
>>>
>> OK, I found out why it wasn't working, I was connecting to a share that
>> belonged to 'root:root' with 'drwxr-xr-x' permissions.
>>
>> I created a new share:
>>
>> [data]
>>     path = /home/testdata
>>     read only = no
>>
>> mkdir /home/testdata
>>
>> getfacl /home/testdata shows this:
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/testdata
>> # owner: rowland
>> # group: domain\040users
>> user::rwx
>> user:root:rwx
>> group::---
>> group:root:---
>> group:2004:r-x
>> group:2005:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::---
>> default:group:root:---
>> default:group:2004:r-x
>> default:group:2005:rwx
>> default:mask::rwx
>> default:other::---
>>
>> Change the ownership:
>>
>> chown root:Unix\ Admins /home/testdata
>>
>> Now go to the Win7 VM and add 'rowland' back as a user with 'Read &
>> execute, List folder contents and Read' permissions. This worked
>> without error and getfacl now shows:
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/testdata
>> # owner: root
>> # group: unix\040admins
>> user::rwx
>> user:root:rwx
>> user:rowland:r-x
>> group::---
>> group:root:---
>> group:2004:r-x
>> group:2005:rwx
>> group:unix\040admins:---
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:rowland:r-x
>> default:group::---
>> default:group:root:---
>> default:group:2004:r-x
>> default:group:2005:rwx
>> default:group:unix\040admins:---
>> default:mask::rwx
>> default:other::---
>>
>> Do you have these lines in smb.conf:
>>
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     store dos attributes = Yes
>>
>> Are the 'acl' and 'attr' packages installed?
>>
>> Rowland
>>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba

--
This message was sent from my Android device with K-9 Mail.

On Sun, 28 Jan 2018 10:52:47 +0100
Micha Ballmann via samba <samba at lists.samba.org> wrote:

> I'm sorry, last mail was not complete.
>
> ...
> -> Login to Windows with administrator and connect to FILESERVER via
> "Computer Management" -> Choosing Demo Share and going to Security tab
> ->
>
> Can't set any ACL because, permission denied!
>

This is strange. It didn't work for me because the Unix permissions
were not set correctly; once I sorted those, it did work.

I tried it again, added a share to smb.conf on a Unix domain member:

[tmpshare]
    path = /srv/tmpshare
    read only = no

create the required directory:

mkdir /srv/tmpshare

check ownership & permissions:

ls -lad /srv/tmpshare
drwxr-xr-x 2 root root 4096 Jan 28 10:17 /srv/tmpshare

Now go to Win7, login as Administrator and do this:

Computer Management -> Action -> Connect to another computer ... ->
Browse to computer

System tools -> ignore error -> Shared folders -> Shares

Select 'tmpshare' -> right-click -> select 'Properties'

Check what permissions are set:

Share Permissions -> Everyone -> Full control

Security -> Everyone -> Read & execute, List folder contents, Read
root user -> special permissions -> Full control
root group -> special permissions -> Traverse folder / execute file,
    List folder / read data, Read attributes, Read extended
    attributes, Read permissions
CREATOR OWNER -> special permissions -> Full control
CREATOR GROUP -> special permissions -> Traverse folder / execute file,
    List folder / read data, Read attributes, Read extended
    attributes, Read permissions

I now tried to add a user to 'Security', which seemed to work.

Back to the Unix domain member and check the permissions on the
directory:

ls -lad /srv/tmpshare
drwxrwxr-x+ 2 root root 4096 Jan 28 10:17 /srv/tmpshare
          ^ Notice the addition of the '+' sign, also the group now has
            'write' on the directory.

Check permissions with 'getfacl'

getfacl /srv/tmpshare
getfacl: Removing leading '/' from absolute path names
# file: srv/tmpshare
# owner: root
# group: root
user::rwx
user:root:rwx
user:rowland:r-x
group::r-x
group:root:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:rowland:r-x
default:group::r-x
default:group:root:r-x
default:mask::rwx
default:other::r-x

It worked, the user 'rowland' now has read & execute permissions.

If it isn't working for you, then there is obviously something wrong
with your setup.
Is SELinux or AppArmor running? If so, turn it off and try again; if it
now works, investigate using Samba with it.

If they aren't, please post these files:
/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/smb.conf

Rowland

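
Added example, not part of the thread: a small Python parser for the getfacl output compared in the message above, reporting which POSIX ACL entries appeared after the change made from Windows. BEFORE is constructed from the 'drwxr-xr-x root root' listing, AFTER is abbreviated from the posted output, and the function names are hypothetical.

```python
import re

def _unescape(name):
    # getfacl writes spaces in names as octal escapes, e.g. domain\040users
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Parse one file's getfacl output into owner, group and a set of entries."""
    acl = {"owner": None, "group": None, "entries": set()}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = _unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl["group"] = _unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith(("#", "getfacl:")):
            continue  # blank line, "# file:" header or getfacl's path notice
        else:
            parts = line.split("#")[0].strip().split(":")  # drop "#effective:"
            scope = "default" if parts[0] == "default" else "access"
            tag, qualifier, perms = parts[-3:]
            acl["entries"].add((scope, tag, _unescape(qualifier), perms))
    return acl

def diff_acl(before, after):
    """Entries added and removed between two parsed snapshots."""
    return (sorted(after["entries"] - before["entries"]),
            sorted(before["entries"] - after["entries"]))

def named_users(acl, scope="access"):
    """Map each named user in the given scope to its permission string."""
    return {q: p for s, t, q, p in acl["entries"]
            if s == scope and t == "user" and q}

# Constructed: a directory with mode drwxr-xr-x, root:root, no extended ACL.
BEFORE = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x\n"
# Abbreviated from the output posted after 'rowland' was added from Windows.
AFTER = """# owner: root
# group: root
user::rwx
user:root:rwx
user:rowland:r-x
group::r-x
group:root:r-x
mask::rwx
other::r-x
default:user:rowland:r-x
"""
```

Calling diff_acl(parse_getfacl(BEFORE), parse_getfacl(AFTER)) lists the entries Samba wrote for the Windows-side change, which is the same check as reading the two getfacl outputs side by side.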
I found out, when I'm creating a completely new share, access via Computer Management - per default there is a share permission set with full control to "everyone". When I'm trying now to set ACLs it is working. But when I'm deleting "everyone" and set Domain Admins and/or Unix Admins and give them full control, I'm no longer able to set ACLs!

Micha

On 28 January 2018 12:00:07 CET, Rowland Penny via samba <samba at lists.samba.org> wrote:
>On Sun, 28 Jan 2018 10:52:47 +0100
>Micha Ballmann via samba <samba at lists.samba.org> wrote:
>
>> I'm sorry, last mail was not complete.
>>
>> ...
>> -> Login to Windows with administrator and connect to FILESERVER via
>> "Computer Management" -> Choosing Demo Share and going to Security tab
>> ->
>>
>> Can't set any ACL because, permission denied!
>>
>
>This is strange. It didn't work for me because the Unix permissions
>were not set correctly; once I sorted those, it did work.
>
>I tried it again, added a share to smb.conf on a Unix domain member:
>
>[tmpshare]
>    path = /srv/tmpshare
>    read only = no
>
>create the required directory:
>
>mkdir /srv/tmpshare
>
>check ownership & permissions:
>
>ls -lad /srv/tmpshare
>drwxr-xr-x 2 root root 4096 Jan 28 10:17 /srv/tmpshare
>
>Now go to Win7, login as Administrator and do this:
>
>Computer Management -> Action -> Connect to another computer ... ->
>Browse to computer
>
>System tools -> ignore error -> Shared folders -> Shares
>
>Select 'tmpshare' -> right-click -> select 'Properties'
>
>Check what permissions are set:
>
>Share Permissions -> Everyone -> Full control
>
>Security -> Everyone -> Read & execute, List folder contents, Read
>root user -> special permissions -> Full control
>root group -> special permissions -> Traverse folder / execute file,
>    List folder / read data, Read attributes, Read extended
>    attributes, Read permissions
>CREATOR OWNER -> special permissions -> Full control
>CREATOR GROUP -> special permissions -> Traverse folder / execute file,
>    List folder / read data, Read attributes, Read extended
>    attributes, Read permissions
>
>I now tried to add a user to 'Security', which seemed to work.
>
>Back to the Unix domain member and check the permissions on the
>directory:
>
>ls -lad /srv/tmpshare
>drwxrwxr-x+ 2 root root 4096 Jan 28 10:17 /srv/tmpshare
>          ^ Notice the addition of the '+' sign, also the group now has
>            'write' on the directory.
>
>Check permissions with 'getfacl'
>
>getfacl /srv/tmpshare
>getfacl: Removing leading '/' from absolute path names
># file: srv/tmpshare
># owner: root
># group: root
>user::rwx
>user:root:rwx
>user:rowland:r-x
>group::r-x
>group:root:r-x
>mask::rwx
>other::r-x
>default:user::rwx
>default:user:root:rwx
>default:user:rowland:r-x
>default:group::r-x
>default:group:root:r-x
>default:mask::rwx
>default:other::r-x
>
>It worked, the user 'rowland' now has read & execute permissions.
>
>If it isn't working for you, then there is obviously something wrong
>with your setup.
>Is SELinux or AppArmor running? If so, turn it off and try again; if it
>now works, investigate using Samba with it.
>
>If they aren't, please post these files:
>/etc/hostname
>/etc/hosts
>/etc/resolv.conf
>/etc/krb5.conf
>/etc/samba/smb.conf
>
>Rowland
>

--
This message was sent from my Android device with K-9 Mail.