Stefan G. Weichinger
2018-Nov-09 08:06 UTC
[Samba] "missing security tab" and related ACL issues
On 11.09.18 at 10:06, Rowland Penny via samba wrote:
> On Tue, 11 Sep 2018 09:54:32 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 07.09.18 at 20:07, Rowland Penny via samba wrote:
>>> On Fri, 7 Sep 2018 19:09:37 +0200
>>> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>>
>>>> But
>>>>
>>>> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U
>>>> "mydomain\administrator"
>>>>
>>>> fails
>>>>
>>>> also for "mydomain\Domänen-Admins"
>>>
>>> Why is it 'Domanen-Admins' ? is the dash normal for the German
>>> version of Windows ?
>>> At least it exists ;-)
>>>
>>> Is the locale set correctly ?
>>
>> tried to set the locale to a german one ...
>>
>> # wbinfo -g
>> dom�nencomputer
>> dom�nen-benutzer
>> dom�nen-g�ste
>> dom�nen-admins
>>
>> still that special char displayed
>>
>> # wbinfo -g | grep -i adm
>> specops endpoint protection report admins
>> dnsadmins
>> schema-admins
>> organisations-admins
>> Übereinstimmungen in Binärdatei (Standardeingabe)
>>
>> this does NOT contain "domänen-admins"
>>
>> why that?
>>
>> -
>>
>> # smb.conf
>>
>> [global]
>> unix charset = iso8859-15
>>
>> security = ads
>> realm = MYDOMAIN.INTRA
>> workgroup = MYDOMAIN
>>
>> netbios aliases = u1MYDOMAIN
>> server string = U1MYDOMAIN
>>
>> winbind cache time = 10
>> winbind use default domain = yes
>> winbind refresh tickets = Yes
>>
>> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>>
>> restrict anonymous = 2
>> domain master = no
>> local master = no
>> preferred master = no
>> invalid users = root bin daemon adm sync shutdown halt mail news \
>> uucp
>> obey pam restrictions = yes
>>
>> interfaces = 192.168.100.4/24 127.0.0.1
>> bind interfaces only = Yes
>>
>> idmap config * : range = 3000-7999
>> idmap config * : backend = tdb
>> idmap config MYDOMAIN : range = 10000-20000
>> idmap config MYDOMAIN : backend = rid
>>
>> # For ACL support on domain member
>> vfs objects = acl_xattr full_audit
>> map acl inherit = Yes
>> store dos attributes = Yes
>> nt acl support = No
>> force unknown acl user = Yes
>>
>> unix extensions = no
>> follow symlinks= yes
>> wide links= yes
>>
>> load printers = no
>> printcap name = /dev/null
>>
>> # exe files
>>
>> acl allow execute always = True
>>
>> # Audit settings
>> full_audit:prefix = %u|%I|%S
>> full_audit:failure = connect
>> full_audit:success = mkdir rmdir write pwrite rename unlink \
>> chmod fchmod chown fchown ftruncate
>> full_audit:facility = local5
>> full_audit:priority = notice
>>
>> # /etc/nsswitch.conf:
>>
>> passwd: compat winbind files
>> group: compat winbind files
>> shadow: compat files
>>
>
> There doesn't seem to be anything wrong there and as I never had that
> problem, I am a bit stuck now ;-)
>
> Perhaps someone else from Germany has had this problem and would care
> to post ?

I have to revive this thread, yesterday I enabled the kernel options for ACLs there and can use ACLs on the filesystem itself.

We still saw no security tab for samba shares in Windows.
Not as domain-admin, not as member of a user with the needed privilege.

The security tab is there for local drives and windows-server-shares, only samba-4.8.6-shares miss it.

I will recheck everything ...
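The mangled wbinfo output quoted above, with "unix charset = iso8859-15" in smb.conf, is consistent with a charset mismatch rather than a missing group: winbind emits group names in the configured unix charset, so "ä" leaves winbind as the single byte 0xE4, which a UTF-8 terminal renders as U+FFFD and which GNU grep in a UTF-8 locale treats as an encoding error (it stops printing and reports "Binary file (standard input) matches", the German message in the thread). The following is an added example, not code from the thread or from Samba; the sample wbinfo bytes are constructed from the group names in the thread, and the helper names are mine.

```python
# Added example (not from the thread): reproduce the wbinfo/grep symptom
# from the thread and show the same data read with the right charset.
# Assumption: winbind wrote the names in the smb.conf "unix charset".

UNIX_CHARSET = "iso8859-15"

# Constructed sample: the group names from the thread, as winbind would
# emit them with unix charset = iso8859-15 ("ä" is the single byte 0xE4).
WBINFO_RAW = "\n".join([
    "domänencomputer",
    "domänen-benutzer",
    "domänen-gäste",
    "domänen-admins",
    "specops endpoint protection report admins",
    "dnsadmins",
    "schema-admins",
    "organisations-admins",
]).encode(UNIX_CHARSET) + b"\n"


def display_in_utf8_locale(raw: bytes) -> list[str]:
    """What a UTF-8 terminal shows: each byte that is not valid UTF-8
    becomes the replacement character U+FFFD (the '�' in the thread)."""
    return raw.decode("utf-8", errors="replace").splitlines()


def decode_with_unix_charset(raw: bytes, charset: str = UNIX_CHARSET) -> list[str]:
    """Decode the bytes with the charset they were actually written in."""
    return raw.decode(charset).splitlines()


def lines_invalid_as_utf8(raw: bytes) -> list[bytes]:
    """Lines that are not valid UTF-8. In a UTF-8 locale GNU grep treats a
    matching line containing such bytes as binary data: it stops printing
    lines and reports 'Binary file (standard input) matches' instead."""
    bad = []
    for line in raw.splitlines():
        try:
            line.decode("utf-8")
        except UnicodeDecodeError:
            bad.append(line)
    return bad


def grep_i(raw: bytes, pattern: str, charset: str = UNIX_CHARSET) -> list[str]:
    """Case-insensitive substring search done after decoding with the right
    charset, so 'domänen-admins' is found by the pattern 'adm'."""
    needle = pattern.casefold()
    return [line for line in raw.decode(charset).splitlines()
            if needle in line.casefold()]


if __name__ == "__main__":
    print("as shown by a UTF-8 terminal:", display_in_utf8_locale(WBINFO_RAW)[:4])
    print("decoded as %s:" % UNIX_CHARSET, decode_with_unix_charset(WBINFO_RAW)[:4])
    print("lines grep would flag as binary:", len(lines_invalid_as_utf8(WBINFO_RAW)))
    print("grep -i adm in the right charset:", grep_i(WBINFO_RAW, "adm"))
```

The point for an administrator is that the locale of the shell running wbinfo and grep has to match the charset smbd and winbind write in (Samba's default unix charset is UTF-8); until they agree, names with umlauts are neither displayed nor matched correctly, which is exactly what the quoted "grep -i adm" shows.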
Stefan G. Weichinger
2018-Nov-09 14:39 UTC
[Samba] "missing security tab" and related ACL issues
On 09.11.18 at 09:06, Stefan G. Weichinger via samba wrote:
> We still saw no security tab for samba shares in Windows. Not as
> domain-admin, not as member of a user with the needed privilege.
>
> The security tab is there for local drives and windows-server-shares,
> only samba-4.8.6-shares miss it.
>
> I will recheck everything ...

# smbd -b | grep HAVE_LIBACL
HAVE_LIBACL
samba ~ # testparm -sv | grep -i acl

Server role: ROLE_DOMAIN_MEMBER

acl allow execute always = Yes
acl check permissions = Yes
acl group control = No
acl map full control = Yes
force unknown acl user = Yes
inherit acls = No
map acl inherit = Yes
nt acl support = No
vfs objects = acl_xattr full_audit
acl map full control = No
acl map full control = No

interesting, 3 lines with "acl map full control"

I have 2 shares with "acl map full control = No"

is it possible that this is somehow read serially and influences shares below as well? I know that behavior from other software.

I added the recommended flags to one test-share now and let the admin there test it.
On Fri, 9 Nov 2018 15:39:55 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 09.11.18 at 09:06, Stefan G. Weichinger via samba wrote:
>
> > We still saw no security tab for samba shares in Windows. Not as
> > domain-admin, not as member of a user with the needed privilege.
> >
> > The security tab is there for local drives and
> > windows-server-shares, only samba-4.8.6-shares miss it.
> >
> > I will recheck everything ...
>
>
> # smbd -b | grep HAVE_LIBACL
> HAVE_LIBACL
> samba ~ # testparm -sv | grep -i acl
>
> Server role: ROLE_DOMAIN_MEMBER
>
> acl allow execute always = Yes
> acl check permissions = Yes
> acl group control = No
> acl map full control = Yes
> force unknown acl user = Yes
> inherit acls = No
> map acl inherit = Yes
> nt acl support = No
> vfs objects = acl_xattr full_audit
> acl map full control = No
> acl map full control = No
>
> interesting, 3 lines with "acl map full control"
>
> I have 2 shares with "acl map full control = No"
>
> is it possible that this is somehow read serially and influences
> shares below as well? I know that behavior from other software.
>

No, the parameters set on share only affect that share, and they override global settings.

Can I make some suggestions ?

If this isn't in [global], move it there:

map acl inherit = Yes

Remove these lines wherever they occur, they are default settings:

acl check permissions = Yes
acl group control = No
acl map full control = Yes
inherit acls = No

I would remove these, I am sure you don't really need them:

force unknown acl user = Yes
nt acl support = No
acl map full control = No

I would also remove this line, as you have it set, any executable can be run, even if it isn't set as an executable:

acl allow execute always = Yes

If you have any concerns about removing these lines, I suggest you read 'man smb.conf', I think you will see why I suggest removing the lines ;-)

Rowland
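Rowland's advice above comes down to a checklist against smb.conf, plus the rule that a parameter set in a share section applies to that share only and overrides [global] there. The following is an added example, not code from the thread or from Samba: it parses a constructed smb.conf modelled on the one in the thread (two shares with "acl map full control = No"), reports every line on Rowland's lists, and shows which value each share actually sees. The parser, the check and the function names are mine; the real tool for confirming the effective configuration remains "testparm -sv", as used in the thread.

```python
# Added example (not from the thread): audit an smb.conf against the
# parameters Rowland lists and show how share settings relate to [global].
import re

# Constructed smb.conf, modelled on the thread's configuration. Two shares
# carry "acl map full control = No", which is why testparm printed it twice.
SMB_CONF = """\
[global]
   unix charset = iso8859-15
   security = ads
   realm = MYDOMAIN.INTRA
   workgroup = MYDOMAIN
   invalid users = root bin daemon adm sync shutdown halt mail news \\
      uucp
   vfs objects = acl_xattr full_audit
   map acl inherit = Yes
   nt acl support = No
   force unknown acl user = Yes
   acl allow execute always = True
   acl check permissions = Yes

[share1]
   path = /srv/share1
   acl map full control = No

[share2]
   path = /srv/share2
   acl map full control = No

[share3]
   path = /srv/share3
"""

# Rowland's lists, with parameter names and values lower-cased for comparison.
DEFAULTS_TO_DROP = {"acl check permissions": "yes", "acl group control": "no",
                    "acl map full control": "yes", "inherit acls": "no"}
NOT_NEEDED = {"force unknown acl user": "yes", "nt acl support": "no",
              "acl map full control": "no"}
# smb.conf accepts yes/true/1 as synonyms; the thread's file says "True",
# testparm prints it as "Yes".
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}.

    Handles '#' and ';' comment lines and backslash line continuation (used
    by "invalid users" in the thread); parameter names are lower-cased with
    whitespace collapsed, since smb.conf ignores case and spacing in them.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        joined, pending = (pending + line).strip(), ""
        m = re.fullmatch(r"\[(.+)\]", joined)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in joined and current is not None:
            key, value = joined.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective(sections, share, param):
    """Value a share sees: its own setting, else [global]'s, else None
    (meaning smbd's built-in default). A share setting affects only that
    share and overrides [global] there, as Rowland says."""
    return sections.get(share, {}).get(param,
                                      sections.get("global", {}).get(param))


def audit(sections):
    """Return (section, parameter, value, advice) for each line on the lists."""
    findings = []
    for section, params in sections.items():
        for param, value in params.items():
            v = value.lower()
            if param == "map acl inherit" and section != "global":
                findings.append((section, param, value, "move to [global]"))
            elif DEFAULTS_TO_DROP.get(param) == v:
                findings.append((section, param, value, "default value, remove"))
            elif NOT_NEEDED.get(param) == v:
                findings.append((section, param, value, "not needed, remove"))
            elif param == "acl allow execute always" and v in TRUE_VALUES:
                findings.append((section, param, value,
                                 "lets any file run regardless of its execute bit, remove"))
    return findings


def cleaned(sections):
    """Config with the flagged lines removed and 'map acl inherit = Yes' in [global]."""
    out = {s: dict(p) for s, p in sections.items()}
    for section, param, _value, _advice in audit(sections):
        out[section].pop(param, None)
    out.setdefault("global", {})["map acl inherit"] = "Yes"
    return out


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for finding in audit(conf):
        print("[%s] %s = %s: %s" % finding)
    for share in ("share1", "share3"):
        print(share, "sees acl map full control =",
              effective(conf, share, "acl map full control"))
```

Running it on the constructed file flags the four [global] lines and the two share lines, and shows that share3 inherits nothing from share1 or share2: its "acl map full control" is None, i.e. smbd's default, which answers the "read serially" question in the thread.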