Marco Shmerykowsky
2019-Feb-19 18:26 UTC
[Samba] Computer Management - Share Security - No Read Access
On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> On Mon, 18 Feb 2019 10:58:01 -0500
>
> I have proven that it does work, I have pointed you at the
> documentation.
> This leads to one of two things:
>
> You cannot understand the wiki pages and if so, what can you not
> understand ? If you can let me know, I will try to clarify it for you
> and update the wiki.
>
> You are not fully following the wiki.
>
> As I said, it works for myself and numerous other people.
>
> Rowland

ok. I find my eyesight is resulting in stupid typos.
I concede that I may have done something totally stupid
due to lack of familiarity with Linux, Windows, etc
settings/configurations.

However ......

Following
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

** Samba Extended ACL Support
(CHECK - Expected result returned)

root@machine253:/# smbd -b |grep HAVE_LIBACL
HAVE_LIBACL

** Enable Extended ACL Support in the smb.conf file
(CHECK - Specified lines are part of [global] section - Full smb.conf provided)

[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.COMPANY.COM
server string = Samba 4 Client %h

winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = yes

## map ids outside of domain to tdb files
idmap config *:backend - tdb
idmap config *:range = 2000-9999

## map ids from the domain
idmap config INTERNAL : backend = rid
idmap config INTERNAL : range = 10000-999999

# uncomment next line to allow login
# template shell = /bin/bash
template homedir = /home/%U

domain master = no
local master = no
preferred master = no

# user administrator workaround
username map = /etc/samba/user.map

# for ACL support on domain member
-> vfs objects = acl_xattr
-> map acl inherit = yes
-> store dos attributes = yes

# disable printing completely
# Remove these lines to print
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# logging = 0
# Change the number to raise level
log level = 0

[programs]
path = /server/programs
read only = no

** Granting the SeDiskOperatorPrivilege Privilege
(CHECK - results as expected)

root@machine253:/# net rpc rights list privileges SeDiskOperatorPrivilege -U "INTERNAL\administrator"
Enter INTERNAL\administrator's password:
SeDiskOperatorPrivilege:
BUILTIN\Administrators
INTERNAL\Domain Admins

** Create Share & Set permissions

root@sce253:/# ls -la /server
drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs

** Login to Windows10 client with INTERNAL\administrator
and launch Server Manager -> Computer Manager

Action/Connect to another Computer -> Machine253

Open System Tools/Shared Folders/Shares menu

Right click properties of "programs" share

Share permissions assigned to INTERNAL\programs
(INTERNAL\Programs is a group created which includes
users which are allowed to have access to the programs share)

Security tab shows:

"You must have permissions to view the properties
of this object"
(The 'Object' is \\Machine253\programs)
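The smb.conf posted above can be checked mechanically for the three [global] parameters the wiki requires for Windows ACL support, for a complete idmap backend/range pair per domain, and for lines that are not of the form "name = value" (the kind of typo the poster suspects). The script below is an added example written for this thread; it is not code from the Samba project or from the poster, and its parser is a deliberate simplification of Samba's loadparm (it compares parameter names with case and whitespace ignored, as Samba does), so it complements rather than replaces testparm. The sample text is the configuration quoted above, reproduced inline as constructed input.

```python
#!/usr/bin/env python3
"""Stand-alone checker for the smb.conf settings the Samba wiki page
"Setting up a Share Using Windows ACLs" asks for on a domain member.

Added example for this thread, not Samba's own code and not a substitute
for testparm.  Parameter names are matched with case and whitespace
ignored; a non-comment line without '=' is reported as a problem.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the [global]/[programs] settings quoted in the
# thread, including the 'idmap config *:backend - tdb' line as posted.
SAMPLE_SMB_CONF = """\
[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.COMPANY.COM
server string = Samba 4 Client %h

winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = yes

## map ids outside of domain to tdb files
idmap config *:backend - tdb
idmap config *:range = 2000-9999

## map ids from the domain
idmap config INTERNAL : backend = rid
idmap config INTERNAL : range = 10000-999999

template homedir = /home/%U
username map = /etc/samba/user.map

# for ACL support on domain member
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[programs]
path = /server/programs
read only = no
"""

# [global] parameters the wiki lists for Windows ACL support.
REQUIRED_GLOBAL = {
    "vfs objects": "acl_xattr",
    "map acl inherit": "yes",
    "store dos attributes": "yes",
}

Section = Dict[str, str]


def norm(name: str) -> str:
    """Parameter names compared the way Samba does: case- and whitespace-insensitive."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> Tuple[Dict[str, Section], List[str]]:
    """Return ({section: {normalised key: value}}, [problem lines])."""
    sections: Dict[str, Section] = {}
    problems: List[str] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            problems.append(f"line {lineno}: parameter before any section: {line!r}")
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: no '=' in {line!r} (not a 'name = value' parameter)")
            continue
        key, _, value = line.partition("=")
        sections[current][norm(key)] = value.strip()
    return sections, problems


def check_windows_acl_settings(sections: Dict[str, Section], problems: List[str]) -> List[str]:
    """Malformed lines first, then missing/incorrect ACL and idmap settings."""
    findings = list(problems)
    g = sections.get("global", {})
    for key, want in REQUIRED_GLOBAL.items():
        have = g.get(norm(key))
        if have is None:
            findings.append(f"[global] missing '{key} = {want}'")
        elif key == "vfs objects" and want not in have.split():
            findings.append(f"[global] 'vfs objects' does not include {want}: {have!r}")
        elif key != "vfs objects" and have.lower() != want:
            findings.append(f"[global] '{key}' is {have!r}, expected {want!r}")
    # Every idmap domain seen (including the '*' default) needs both backend and range.
    domains = {m.group(1) for k in g
               for m in [re.fullmatch(r"idmapconfig(.+?):(backend|range)", k)] if m}
    for dom in sorted(domains):
        for part in ("backend", "range"):
            if f"idmapconfig{dom}:{part}" not in g:
                findings.append(f"[global] idmap config {dom} has no {part}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for finding in check_windows_acl_settings(*parse_smb_conf(text)):
        print(finding)
```

Run against the sample it reports the malformed `idmap config *:backend` line and, as a consequence, that the `*` idmap domain has no backend, while the three ACL parameters pass. Pass a real path as the first argument to check a live smb.conf.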
Andrew Bartlett
2019-Feb-19 18:39 UTC
[Samba] Computer Management - Share Security - No Read Access
On Tue, 2019-02-19 at 13:26 -0500, Marco Shmerykowsky via samba wrote:
>
> root@sce253:/# ls -la /server
> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
>
> ** Login to Windows10 client with INTERNAL\administrator
> and launch Server Manager -> Computer Manager
>
> Action/Connect to another Computer -> Machine253
>
> Open System Tools/Shared Folders/Shares menu
>
> Right click properties of "programs" share
>
> Share permissions assigned to INTERNAL\programs
> (INTERNAL\Programs is a group created which includes
> users which are allowed to have access to the programs share)
>
> Security tab shows:
>
> "You must have permissions to view the properties
> of this object"
> (The 'Object' is \\Machine253\programs)

To be clear, permissions on the share files and folders are distinct to
permissions on the share, which is what you are trying to change.

ACL support in Samba and the filesystem doesn't change the ability to
set share permissions, so the first part is a red herring.

To make progress, try setting the share permissions as root. That would
tell us a bit more about if the privilege, rather than the fundamental
operation, is at fault.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Rowland Penny
2019-Feb-19 18:58 UTC
[Samba] Computer Management - Share Security - No Read Access
On Tue, 19 Feb 2019 13:26:12 -0500
Marco Shmerykowsky via samba <samba@lists.samba.org> wrote:

>
> On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
> > On Mon, 18 Feb 2019 10:58:01 -0500
> >
> > I have proven that it does work, I have pointed you at the
> > documentation.
> > This leads to one of two things:
> >
> > You cannot understand the wiki pages and if so, what can you not
> > understand ? If you can let me know, I will try to clarify it for
> > you and update the wiki.
> >
> > You are not fully following the wiki.
> >
> > As I said, it works for myself and numerous other people.
> >
> > Rowland
>
> ok. I find my eyesight is resulting in stupid typos.
> I concede that I may have done something totally stupid
> due to lack of familiarity with Linux, Windows, etc
> settings/configurations.
>
> However ......
>
> Following
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> ** Samba Extended ACL Support
> (CHECK - Expected result returned)
>
> root@machine253:/# smbd -b |grep HAVE_LIBACL
> HAVE_LIBACL
>
> ** Enable Extended ACL Support in the smb.conf file
> (CHECK - Specified lines are part of [global] section - Full
> smb.conf provided)
>
> [global]
> workgroup = INTERNAL
> security = ADS
> realm = INTERNAL.COMPANY.COM
> server string = Samba 4 Client %h
>
> winbind use default domain = yes
> winbind expand groups = 2
> winbind refresh tickets = yes
>
> ## map ids outside of domain to tdb files
> idmap config *:backend - tdb
> idmap config *:range = 2000-9999
>
> ## map ids from the domain
> idmap config INTERNAL : backend = rid
> idmap config INTERNAL : range = 10000-999999
>
> # uncomment next line to allow login
> # template shell = /bin/bash
> template homedir = /home/%U
>
> domain master = no
> local master = no
> preferred master = no
>
> # user administrator workaround
> username map = /etc/samba/user.map

Just to check, what is in the user.map ?

>
> # for ACL support on domain member
> -> vfs objects = acl_xattr
> -> map acl inherit = yes
> -> store dos attributes = yes
>
> # disable printing completely
> # Remove these lines to print
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # logging = 0
> # Change the number to raise level
> log level = 0
>
> [programs]
> path = /server/programs
> read only = no
>
> ** Granting the SeDiskOperatorPrivilege Privilege
> (CHECK - results as expected)
>
> root@machine253:/# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "INTERNAL\administrator"
> Enter INTERNAL\administrator's password:
> SeDiskOperatorPrivilege:
> BUILTIN\Administrators
> INTERNAL\Domain Admins

If you run 'getent group Domain\ Admins', do you get 'Administrator'
listed as a group member e.g.

domain_admins:x:10512:administrator,rowland,.........

>
> ** Create Share & Set permissions
>
> root@sce253:/# ls -la /server
> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs

Something seems to have happened, note the '+' sign at the end of the
Unix permissions, what does 'getfacl /server' show ?

>
> ** Login to Windows10 client with INTERNAL\administrator
> and launch Server Manager -> Computer Manager
>
> Action/Connect to another Computer -> Machine253
>
> Open System Tools/Shared Folders/Shares menu
>
> Right click properties of "programs" share
>
> Share permissions assigned to INTERNAL\programs
> (INTERNAL\Programs is a group created which includes
> users which are allowed to have access to the programs share)
>
> Security tab shows:
>
> "You must have permissions to view the properties
> of this object"
> (The 'Object' is \\Machine253\programs)

This is very strange, it should work, are the 'attr' and 'acl'
packages installed ?

Rowland
Rowland Penny
2019-Feb-19 19:04 UTC
[Samba] Computer Management - Share Security - No Read Access
On Wed, 20 Feb 2019 07:39:44 +1300
Andrew Bartlett via samba <samba@lists.samba.org> wrote:

> On Tue, 2019-02-19 at 13:26 -0500, Marco Shmerykowsky via samba wrote:
> >
> > root@sce253:/# ls -la /server
> > drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13
> > programs
> >
> > ** Login to Windows10 client with INTERNAL\administrator
> > and launch Server Manager -> Computer Manager
> >
> > Action/Connect to another Computer -> Machine253
> >
> > Open System Tools/Shared Folders/Shares menu
> >
> > Right click properties of "programs" share
> >
> > Share permissions assigned to INTERNAL\programs
> > (INTERNAL\Programs is a group created which includes
> > users which are allowed to have access to the programs share)
> >
> > Security tab shows:
> >
> > "You must have permissions to view the properties
> > of this object"
> > (The 'Object' is \\Machine253\programs)
>
> To be clear, permissions on the share files and folders are distinct
> to permissions on the share, which is what you are trying to change.

Unless the user changing the permissions from Windows has the required
privileges and the right to change the permissions it doesn't work.

>
> ACL support in Samba and the filesystem doesn't change the ability to
> set share permissions, so the first part is a red herring.

You must have different herrings in New Zealand ;-)

>
> To make progress, try setting the share permissions as root. That
> would tell us a bit more about if the privilege, rather than the
> fundamental operation, is at fault.

He is doing this as Administrator, so he should be doing this as root.

Rowland

>
> Andrew Bartlett
>
Marco Shmerykowsky
2019-Feb-19 19:44 UTC
[Samba] Computer Management - Share Security - No Read Access
On 2019-02-19 1:58 pm, Rowland Penny via samba wrote:
> On Tue, 19 Feb 2019 13:26:12 -0500
> Marco Shmerykowsky via samba <samba@lists.samba.org> wrote:
>
>>
>> On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
>> > On Mon, 18 Feb 2019 10:58:01 -0500
>> >
>> > I have proven that it does work, I have pointed you at the
>> > documentation.
>> > This leads to one of two things:
>> >
>> > You cannot understand the wiki pages and if so, what can you not
>> > understand ? If you can let me know, I will try to clarify it for
>> > you and update the wiki.
>> >
>> > You are not fully following the wiki.
>> >
>> > As I said, it works for myself and numerous other people.
>> >
>> > Rowland
>>
>> ok. I find my eyesight is resulting in stupid typos.
>> I concede that I may have done something totally stupid
>> due to lack of familiarity with Linux, Windows, etc
>> settings/configurations.
>>
>> However ......
>>
>> Following
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> ** Samba Extended ACL Support
>> (CHECK - Expected result returned)
>>
>> root@machine253:/# smbd -b |grep HAVE_LIBACL
>> HAVE_LIBACL
>>
>> ** Enable Extended ACL Support in the smb.conf file
>> (CHECK - Specified lines are part of [global] section - Full
>> smb.conf provided)
>>
>> [global]
>> workgroup = INTERNAL
>> security = ADS
>> realm = INTERNAL.COMPANY.COM
>> server string = Samba 4 Client %h
>>
>> winbind use default domain = yes
>> winbind expand groups = 2
>> winbind refresh tickets = yes
>>
>> ## map ids outside of domain to tdb files
>> idmap config *:backend - tdb
>> idmap config *:range = 2000-9999
>>
>> ## map ids from the domain
>> idmap config INTERNAL : backend = rid
>> idmap config INTERNAL : range = 10000-999999
>>
>> # uncomment next line to allow login
>> # template shell = /bin/bash
>> template homedir = /home/%U
>>
>> domain master = no
>> local master = no
>> preferred master = no
>>
>> # user administrator workaround
>> username map = /etc/samba/user.map
>
> Just to check, what is in the user.map ?

root@machine253:/etc/samba# cat user.map
!root = INTERNAL\Administrator INTERNAL\administrator Administrator administrator

>
>>
>> # for ACL support on domain member
>> -> vfs objects = acl_xattr
>> -> map acl inherit = yes
>> -> store dos attributes = yes
>>
>> # disable printing completely
>> # Remove these lines to print
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> # logging = 0
>> # Change the number to raise level
>> log level = 0
>>
>> [programs]
>> path = /server/programs
>> read only = no
>>
>> ** Granting the SeDiskOperatorPrivilege Privilege
>> (CHECK - results as expected)
>>
>> root@machine253:/# net rpc rights list privileges
>> SeDiskOperatorPrivilege -U "INTERNAL\administrator"
>> Enter INTERNAL\administrator's password:
>> SeDiskOperatorPrivilege:
>> BUILTIN\Administrators
>> INTERNAL\Domain Admins
>
> If you run 'getent group Domain\ Admins', do you get 'Administrator'
> listed as a group member e.g.
>
> domain_admins:x:10512:administrator,rowland,.........

root@machine253:/etc/samba# getent group Domain\ Admins
domain admins:x:10512:administrator

>
>>
>> ** Create Share & Set permissions
>>
>> root@sce253:/# ls -la /server
>> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
>
> Something seems to have happened, note the '+' sign at the end of the
> Unix permissions, what does 'getfacl /server' show ?

root@machine253:/etc/samba# getfacl /server
getfacl: Removing leading '/' from absolute path names
# file: server
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

>
>>
>> ** Login to Windows10 client with INTERNAL\administrator
>> and launch Server Manager -> Computer Manager
>>
>> Action/Connect to another Computer -> Machine253
>>
>> Open System Tools/Shared Folders/Shares menu
>>
>> Right click properties of "programs" share
>>
>> Share permissions assigned to INTERNAL\programs
>> (INTERNAL\Programs is a group created which includes
>> users which are allowed to have access to the programs share)
>>
>> Security tab shows:
>>
>> "You must have permissions to view the properties
>> of this object"
>> (The 'Object' is \\Machine253\programs)
>
> This is very strange, it should work, are the 'attr' and 'acl'
> packages installed ?
>
> Rowland

I ran this command from the Debian section of the "Distribution specific
Package Installation" on the wiki.

# apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user

For what it's worth, Group policy is mapping the drives and the various
shares are being restricted to the proper groups. I can also set
folder/directory permissions on the share by navigating directly to the
share using a UNC path.

Just know that the last part of the "Setting Share Permissions and ACL's"
on the wiki doesn't allow for anything to be modified on the 'Security'
tab. Not sure if this is "as designed" or did I do something which will
create problems later.