Hi,

so you would like to restrict the access to the share definitions? E.g. only "User1" should be able to access the Share "Private"?

Have you had a look at this documentation?
https://www.samba.org/samba/docs/using_samba/ch09.html
(This doc is quite old but should still apply).

We're running a separate fileserver which is joined to the SAMDOM DC. Then we're using
valid users = @"SAMDOM\Domain Users"
to make sure that only domain members are able to access the share. Instead of Domain Users it's also possible to just use a group or a specific user.

Hope that helps.

From: Klaus Hartnegg via samba
Sent: Thursday, 26 April, 17:24
Subject: [Samba] cannot set share permissions
To: samba at lists.samba.org

Reposting this because there was no reaction.

Is it normal that share permissions cannot be set on an AD-DC? Computer Management of Win7 connects to the DC, but aborts when I click on "shares". The shares are accessible, and I can set ACLs in the file system, just not the share permissions.

Is the default that everybody has full access? Then maybe I just don't need it anyway.

On 18.04.2018 at 16:21, Klaus Hartnegg via samba wrote:
> Following the wiki page Setting_up_a_Share_Using_Windows_ACLs
> windows shows me this error after clicking on Shares:
>
> Disk Management could not start the Virtual Disk Service (VDS) on
> 'COMPUTER'. This can happen if the remote computer does not support VDS,
> or if a connection cannot be established because it was blocked by
> Windows Firewall.
>
> Tested on a new provisioned AD-DC server.
> I can use RSAT tools for configuring DNS, Users, and GPOs.
> Accessing shares and setting filesystem ACLs also works.
> Only setting share permissions fails.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Thu, 26 Apr 2018 15:32:56 +0000 Waishon via samba <samba at lists.samba.org> wrote:

> Hi,
>
> so you would like to restrict the access to the share definitions?
> E.g. only "User1" should be able to access the Share "Private"?
>
> Have you had a look at this documentation?
> https://www.samba.org/samba/docs/using_samba/ch09.html
> (This doc is quite old but should still apply).
>
> We're running a separate fileserver which is joined to the SAMDOM DC.
> Then we're using valid users = @"SAMDOM\Domain Users"
> to make sure that only domain members are able to access the share.
> Instead of Domain Users it's also possible to just use a group or a
> specific user.
>
> Hope that helps.
>

I don't think it does ;-)

I think the OP is asking about the 'share' tab on Windows; this doesn't have anything to do with what you have posted. The main tab the OP should be worried about is the 'security' tab (for which a better name would be 'NTFS permissions').

Can I also point out that you shouldn't be using any of the old documentation when it comes to a Samba AD DC, you should be reading this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Where it clearly states 'Samba does not support using POSIX ACLs on a DC. You must use Windows ACLs.'

Rowland
Hi Rowland,

oh that was my fault :)

So "valid users" doesn't have any impact on a Samba share when using Windows ACLs and only works for POSIX ACLs? Didn't know that :)

Is this because Windows stores the security descriptor in binary in the xattr of the file? And samba doesn't check these attributes against the "valid user" property?

Lesson learned :D

Thanks

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Sent: Thursday, April 26, 2018 5:53:04 PM
To: samba at lists.samba.org
Subject: Re: [Samba] cannot set share permissions

On Thu, 26 Apr 2018 15:32:56 +0000 Waishon via samba <samba at lists.samba.org> wrote:

> Hi,
>
> so you would like to restrict the access to the share definitions?
> E.g. only "User1" should be able to access the Share "Private"?
>
> Have you had a look at this documentation?
> https://www.samba.org/samba/docs/using_samba/ch09.html
> (This doc is quite old but should still apply).
>
> We're running a separate fileserver which is joined to the SAMDOM DC.
> Then we're using valid users = @"SAMDOM\Domain Users"
> to make sure that only domain members are able to access the share.
> Instead of Domain Users it's also possible to just use a group or a
> specific user.
>
> Hope that helps.
>

I don't think it does ;-)

I think the OP is asking about the 'share' tab on Windows; this doesn't have anything to do with what you have posted. The main tab the OP should be worried about is the 'security' tab (for which a better name would be 'NTFS permissions').

Can I also point out that you shouldn't be using any of the old documentation when it comes to a Samba AD DC, you should be reading this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Where it clearly states 'Samba does not support using POSIX ACLs on a DC. You must use Windows ACLs.'

Rowland
On 26.04.2018 at 17:32, Waishon via samba wrote:

> so you would like to restrict the access to the share definitions? E.g. only "User1" should be able to access the Share "Private"?
>
> Have you had a look at this documentation?
> https://www.samba.org/samba/docs/using_samba/ch09.html
> (This doc is quite old but should still apply).
>
> We're running a separate fileserver which is joined to the SAMDOM DC. Then we're using
> valid users = @"SAMDOM\Domain Users"
> to make sure that only domain members are able to access the share. Instead of Domain Users it's also possible to just use a group or a specific user.

I do not want to restrict it, just make sure that everybody has access, even if that default may change at some point in the future. But currently I cannot even see how the share permissions are set.

I'm surprised that "valid users" still works in active directory mode. This means there are three items which can restrict access:

- "valid users" in the share definition
- share permissions in computer-management (which I cannot access)
- file system ACLs

Klaus
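
Added example, not part of the thread and not Samba's own code: a small auditor for the first of the three items listed above, reporting which shares in an smb.conf carry "valid users" or "invalid users" restrictions. The smb.conf text, share names and paths are constructed; it assumes no backslash line continuations or include directives.

```python
import re

# Constructed sample smb.conf (not taken from the thread).
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = SAMDOM

[Private]
    path = /srv/samba/private
    Valid Users = @"SAMDOM\Domain Users", SAMDOM\user1

[Public]
    path = /srv/samba/public
; validusers = nobody   (commented out, must be ignored)
"""

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_sections(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections

def principals(value):
    # Split on commas/whitespace, keeping quoted names such as "Domain Users" whole.
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s,"]|"[^"]*")+', value)]

def audit(text):
    sections = parse_sections(text)
    defaults = next((p for n, p in sections.items() if n.lower() == "global"), {})
    report = {}
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        effective = {**defaults, **params}  # [global] values act as share defaults
        report[name] = {k: principals(effective.get(norm(k), ""))
                        for k in ("valid users", "invalid users")}
    return report

if __name__ == "__main__":
    for share, rules in audit(SAMPLE_SMB_CONF).items():
        print(share, rules)
```

An empty "valid users" list means the share definition itself does not restrict who may connect. Share permissions and file system ACLs are not stored in smb.conf, so this covers only the first item.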