Marco Shmerykowsky
2019-Feb-18 15:58 UTC
[Samba] Computer Management - Share Security - No Read Access
Perhaps I missed a permission change on the shared directory?

It's supposed to be set to 0770, correct? I created the
directory from root - can't recall what the permissions
were or if I chmod'd it.

Would a goof on that result in the inability to set permissions
when using the windows administrator account. Basically the
behavior I'm seeing?

On 2019-02-18 3:36 am, Viktor Trojanovic via samba wrote:
> My domain admins group doesn't have this privilege and I can still set
> security permissions from Windows just fine, though I've been doing it
> using the default domain administrator account so I can't comment if
> that's different from using another domain admin account.
>
> net rpc rights list privileges looks as follows in my case:
>
> SeDiskOperatorPrivilege: SAMDOM\Domain Admins
> SeSecurityPrivilege: BUILTIN\Administrators
>
>
> On 18.02.2019 03:49, Marco J Shmerykowsky PE via samba wrote:
>> No. If it was mentioned in any of the samba docs consulted, then I
>> missed it.
>>
>>
>>
>> On February 17, 2019 9:43:18 PM EST, Luke Barone via samba
>> <samba at lists.samba.org> wrote:
>>> Did you add the seSecurityPrivilege permission for Domain Admins as
>>> well?
>>>
>>> On Sun, Feb 17, 2019 at 3:13 PM Marco Shmerykowsky via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>>> Can't figure out what is going on.
>>>>
>>>> I define the shares in smb.conf
>>>>
>>>> [share]
>>>> path = /server/share
>>>> read on = no
>>>>
>>>> When I go to "Computer Management" in Windows I
>>>> can create the share and I can set Share Permissions.
>>>>
>>>> However, when I go to the "Security" tab for the
>>>> share I get "You must have Read permissions to
>>>> view the properties of this object"
>>>>
>>>> I set SeDiskOperatorPrivilege for Domain Admins
>>>> on the server with the share. I'm using a domain
>>>> admin account to access the snap-ins.
>>>>
>>>> What am I missing?
Rowland Penny
2019-Feb-18 16:46 UTC
[Samba] Computer Management - Share Security - No Read Access
On Mon, 18 Feb 2019 10:58:01 -0500
Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:

> Perhaps I missed a permission change on the shared directory?
>
> It's supposed to be set to 0770, correct? I created the
> directory from root - can't recall what the permissions
> were or if I chmod'd it.
>
> Would a goof on that result in the inability to set permissions
> when using the windows administrator account. Basically the
> behavior I'm seeing?
>

I have proven that it does work, I have pointed you at the
documentation.
This leads to one of two things:

You cannot understand the wiki pages and if so, what can you not
understand? If you can let me know, I will try to clarify it for you
and update the wiki.

You are not fully following the wiki.

As I said, it works for myself and numerous other people.

Rowland
Marco Shmerykowsky
2019-Feb-19 18:26 UTC
[Samba] Computer Management - Share Security - No Read Access
On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> On Mon, 18 Feb 2019 10:58:01 -0500
>
> I have proven that it does work, I have pointed you at the
> documentation.
> This leads to one of two things:
>
> You cannot understand the wiki pages and if so, what can you not
> understand? If you can let me know, I will try to clarify it for you
> and update the wiki.
>
> You are not fully following the wiki.
>
> As I said, it works for myself and numerous other people.
>
> Rowland

ok. I find my eyesight is resulting in stupid typos. I concede
that I may have done something totally stupid due to lack of
familiarity with Linux, Windows, etc settings/configurations.

However ......

Following
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

** Samba Extended ACL Support
(CHECK - Expected result returned)

    root@machine253:/# smbd -b |grep HAVE_LIBACL
       HAVE_LIBACL

** Enable Extended ACL Support in the smb.conf file
(CHECK - Specified lines are part of [global] section - Full smb.conf
provided)

    [global]
        workgroup = INTERNAL
        security = ADS
        realm = INTERNAL.COMPANY.COM
        server string = Samba 4 Client %h

        winbind use default domain = yes
        winbind expand groups = 2
        winbind refresh tickets = yes

        ## map ids outside of domain to tdb files
        idmap config *:backend - tdb
        idmap config *:range = 2000-9999

        ## map ids from the domain
        idmap config INTERNAL : backend = rid
        idmap config INTERNAL : range = 10000-999999

        # uncomment next line to allow login
        # template shell = /bin/bash
        template homedir = /home/%U

        domain master = no
        local master = no
        preferred master = no

        # user administrator workaround
        username map = /etc/samba/user.map

        # for ACL support on domain member
    ->  vfs objects = acl_xattr
    ->  map acl inherit = yes
    ->  store dos attributes = yes

        # disable printing completely
        # Remove these lines to print
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        # logging = 0
        # Change the number to raise level
        log level = 0

    [programs]
        path = /server/programs
        read only = no

** Granting the SeDiskOperatorPrivilege Privilege
(CHECK - results as expected)

    root@machine253:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "INTERNAL\administrator"
    Enter INTERNAL\administrator's password:
    SeDiskOperatorPrivilege:
      BUILTIN\Administrators
      INTERNAL\Domain Admins

** Create Share & Set permissions

    root@sce253:/# ls -la /server
    drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs

** Login to Windows10 client with INTERNAL\administrator and
launch Server Manager -> Computer Manager

Action/Connect to another Computer -> Machine253

Open System Tools/Shared Folders/Shares menu

Right click properties of "programs" share

Share permissions assigned to INTERNAL\programs
(INTERNAL\Programs is a group created which includes
users which are allowed to have access to the programs share)

Security tab shows:

"You must have permissions to view the properties of this object"
(The 'Object' is \\Machine253\programs)
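
A lint for the smb.conf step of the checklist in the post above, as an added example that is not part of the thread and not Samba's own tooling: it flags setting lines that contain no `=` and verifies that the three ACL parameters are set in `[global]`. The function names and the sample config are constructed for illustration.

```bash
# Added example: lint an smb.conf read from stdin. Reports lines with no "="
# and checks the three ACL settings from the wiki checklist in [global].
check_acl_conf() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Samba ignores case and whitespace in parameter names, so compare squeezed keys.
    function squeeze(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
    BEGIN {
      n = split("vfs objects=acl_xattr|map acl inherit=yes|store dos attributes=yes", spec, "|")
      for (i = 1; i <= n; i++) {
        split(spec[i], kv, "=")
        key[i] = squeeze(kv[1]); name[i] = kv[1]; want[i] = kv[2]
      }
    }
    /^[ \t]*([#;]|$)/ { next }                          # comment or blank line
    /^[ \t]*\[/       { sect = tolower(trim($0)); next } # section header
    {
      eq = index($0, "=")
      if (eq == 0) { printf "MALFORMED line %d: %s\n", NR, trim($0); bad = 1; next }
      if (sect == "[global]")
        seen[squeeze(substr($0, 1, eq - 1))] = tolower(trim(substr($0, eq + 1)))
    }
    END {
      for (i = 1; i <= n; i++) {
        if (!(key[i] in seen)) {
          printf "MISSING [global] %s = %s\n", name[i], want[i]; bad = 1
        } else if (index(" " seen[key[i]] " ", " " want[i] " ") == 0) {
          printf "UNEXPECTED [global] %s = %s\n", name[i], seen[key[i]]; bad = 1
        }
      }
      exit bad   # 0 when nothing was reported, 1 otherwise
    }'
}

# Constructed sample: one line uses "-" where "=" belongs, and one ACL
# setting sits in the share section instead of [global].
sample_conf() {
  cat <<'EOF'
[global]
    idmap config *:backend - tdb
    vfs objects = acl_xattr
    map acl inherit = yes
[programs]
    path = /server/programs
    store dos attributes = yes
EOF
}

sample_conf | check_acl_conf || true
```

On a Samba host the same function can be fed the live file with `check_acl_conf < /etc/samba/smb.conf` (path assumed); Samba's `testparm` performs a fuller syntax check.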