I found out that when I'm creating a completely new share, accessed via Computer
Management, by default there is a share permission set with full control for
"Everyone".
When I now try to set ACLs, it works. But when I delete
"Everyone", set Domain Admins and/or Unix Admins, and give them full
control, I'm no longer able to set ACLs!
Micha
On 28 January 2018 12:00:07 CET, Rowland Penny via samba <samba at
lists.samba.org> wrote:
>On Sun, 28 Jan 2018 10:52:47 +0100
>Micha Ballmann via samba <samba at lists.samba.org> wrote:
>
>> I'm sorry, the last mail was not complete.
>>
>> ...
>> -> Login to Windows with administrator and connect to FILESERVER via
>> "Computer Management" -> Choosing Demo Share and going to security Tab
>> ->
>>
>> Can't set any ACL because, permission denied!
>>
>
>This is strange, it didn't work for me because the Unix permissions
>were not set correctly, once I sorted those, it did work.
>
>I tried it again, added a share to smb.conf on a Unix domain member:
>
>[tmpshare]
> path = /srv/tmpshare
> read only = no
>
>create the required directory:
>
>mkdir /srv/tmpshare
>
>check ownership & permissions:
>
>ls -lad /srv/tmpshare
>drwxr-xr-x 2 root root 4096 Jan 28 10:17 /srv/tmpshare
>
>Now go to Win7, login as Administrator and do this:
>
>Computer Management -> Action -> Connect to another computer ... ->
>Browse to computer
>
>System tools -> ignore error -> Shared folders -> Shares
>
>Select 'tmpshare' -> right-click -> select 'Properties'
>
>Check what permissions are set:
>
>Share Permissions -> Everyone -> Full control
>
>Security -> Everyone -> Read & execute, List folder contents, Read
>root user -> special permissions -> Full control
>root group -> special permissions -> Traverse folder / execute file,
> List folder / read data, Read attributes, Read extended
> attributes, Read permissions
>CREATOR OWNER -> special permissions -> Full control
>CREATOR GROUP -> special permissions -> Traverse folder / execute file,
> List folder / read data, Read attributes, Read extended
> attributes, Read permissions
>
>I now tried to add a user to 'Security', which seemed to work.
>
>Back to the Unix domain member and check the permissions on the
>directory:
>
>ls -lad /srv/tmpshare
>drwxrwxr-x+ 2 root root 4096 Jan 28 10:17 /srv/tmpshare
> ^ Notice the addition of the '+' sign, also the group now has
> 'write' on the directory.
>
>Check permissions with 'getfacl'
>
>getfacl /srv/tmpshare
>getfacl: Removing leading '/' from absolute path names
># file: srv/tmpshare
># owner: root
># group: root
>user::rwx
>user:root:rwx
>user:rowland:r-x
>group::r-x
>group:root:r-x
>mask::rwx
>other::r-x
>default:user::rwx
>default:user:root:rwx
>default:user:rowland:r-x
>default:group::r-x
>default:group:root:r-x
>default:mask::rwx
>default:other::r-x
>
>It worked, the user 'rowland' now has read & execute permissions.
>
>If it isn't working for you, then there is obviously something wrong
>with your setup.
>Is SELinux or AppArmor running? If so, turn it off and try again; if it
>now works, investigate using Samba with it.
>
>If they aren't, please post these files:
>/etc/hostname
>/etc/hosts
>/etc/resolv.conf
>/etc/krb5.conf
>/etc/samba/smb.conf
>
>Rowland
--
This message was sent from my Android device with K-9 Mail.
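
The `ls -lad` and `getfacl` listings quoted in this message can be cross-checked with the following added example, which is not part of the thread and not Samba code. It parses the getfacl text, applies the mask to get each entry's effective rights, and derives the mode string that `ls -l` prints, where the group column carries the ACL mask; the helper names are hypothetical.

```python
# Added example. Sample input: getfacl output from the thread (default entries shortened).
GETFACL = """\
# file: srv/tmpshare
user::rwx
user:root:rwx
user:rowland:r-x
group::r-x
group:root:r-x
mask::rwx
other::r-x
default:user::rwx
default:mask::rwx
"""

def parse_acl(text):
    """Return (access, default) lists of (tag, qualifier, perms) tuples."""
    access, default = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target.append((tag, qualifier, set(perms) - {"-"}))
    return access, default

def fmt(perms):
    return "".join(c if c in perms else "-" for c in "rwx")

def effective(entries):
    """Apply the mask to named users, the owning group and named groups."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = {}
    for tag, qual, perms in (e for e in entries if e[0] != "mask"):
        masked = mask is not None and (tag == "group" or (tag == "user" and qual))
        out[f"{tag}:{qual}"] = fmt(perms & mask if masked else perms)
    return out

def ls_mode(entries):
    """Mode bits as ls -l prints them: the group column shows the mask if one exists."""
    base = {t: p for t, q, p in entries if not q}
    extended = "mask" in base or any(q for _, q, _ in entries)
    group_bits = base.get("mask", base["group"])
    return fmt(base["user"]) + fmt(group_bits) + fmt(base["other"]) + ("+" if extended else "")

if __name__ == "__main__":
    access, _ = parse_acl(GETFACL)
    print(ls_mode(access), effective(access))
```

For the quoted directory this yields `rwxrwxr-x+`, matching the `ls -lad` line, while the owning group entry itself stays `r-x`.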