Marco Shmerykowsky
2019-Feb-19 19:44 UTC
[Samba] Computer Management - Share Security - No Read Access
On 2019-02-19 1:58 pm, Rowland Penny via samba wrote:
> On Tue, 19 Feb 2019 13:26:12 -0500
> Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
>
>> On 2019-02-18 11:46 am, Rowland Penny via samba wrote:
>> > On Mon, 18 Feb 2019 10:58:01 -0500
>> >
>> > I have proven that it does work, I have pointed you at the
>> > documentation.
>> > This leads to one of two things:
>> >
>> > You cannot understand the wiki pages and if so, what can you not
>> > understand ? If you can let me know, I will try to clarify it for
>> > you and update the wiki.
>> >
>> > You are not fully following the wiki.
>> >
>> > As I said, it works for myself and numerous other people.
>> >
>> > Rowland
>>
>> ok. I find my eyesight is resulting in stupid typos.
>> I concede that I may have done something totally stupid
>> due to lack of familiarity with Linux, Windows, etc
>> settings/configurations.
>>
>> However ......
>>
>> Following
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> ** Samba Extended ACL Support
>> (CHECK - Expected result returned)
>>
>> root at machine253:/# smbd -b |grep HAVE_LIBACL
>> HAVE_LIBACL
>>
>> ** Enable Extended ACL Support in the smb.conf file
>> (CHECK - Specified lines are part of [global] section - Full
>> smb.conf provided)
>>
>> [global]
>> workgroup = INTERNAL
>> security = ADS
>> realm = INTERNAL.COMPANY.COM
>> server string = Samba 4 Client %h
>>
>> winbind use default domain = yes
>> winbind expand groups = 2
>> winbind refresh tickets = yes
>>
>> ## map ids outside of domain to tdb files
>> idmap config *:backend - tdb
>> idmap config *:range = 2000-9999
>>
>> ## map ids from the domain
>> idmap config INTERNAL : backend = rid
>> idmap config INTERNAL : range = 10000-999999
>>
>> # uncomment next line to allow login
>> # template shell = /bin/bash
>> template homedir = /home/%U
>>
>> domain master = no
>> local master = no
>> preferred master = no
>>
>> # user administrator workaround
>> username map = /etc/samba/user.map
>
> Just to check, what is in the user.map ?

root at machine253:/etc/samba# cat user.map
!root = INTERNAL\Administrator INTERNAL\administrator Administrator administrator

>
>> # for ACL support on domain member
>> -> vfs objects = acl_xattr
>> -> map acl inherit = yes
>> -> store dos attributes = yes
>>
>> # disable printing completely
>> # Remove these lines to print
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> # logging = 0
>> # Change the number to raise level
>> log level = 0
>>
>> [programs]
>> path = /server/programs
>> read only = no
>>
>> ** Granting the SeDiskOperatorPrivilege Privilege
>> (CHECK - results as expected)
>>
>> root at machine253:/# net rpc rights list privileges
>> SeDiskOperatorPrivilege -U "INTERNAL\administrator"
>> Enter INTERNAL\administrator's password:
>> SeDiskOperatorPrivilege:
>> BUILTIN\Administrators
>> INTERNAL\Domain Admins
>
> If you run 'getent group Domain\ Admins', do you get 'Administrator'
> listed as a group member e.g.
>
> domain_admins:x:10512:administrator,rowland,.........

root at machine253:/etc/samba# getent group Domain\ Admins
domain admins:x:10512:administrator

>
>> ** Create Share & Set permissions
>>
>> root at sce253:/# ls -la /server
>> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
>
> Something seems to have happened, note the '+' sign at the end of the
> Unix permissions, what does 'getfacl /server' show ?

root at machine253:/etc/samba# getfacl /server
getfacl: Removing leading '/' from absolute path names
# file: server
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

>
>> ** Login to Windows10 client with INTERNAL\administrator
>> and launch Server Manager -> Computer Manager
>>
>> Action/Connect to another Computer -> Machine253
>>
>> Open System Tools/Shared Folders/Shares menu
>>
>> Right click properties of "programs" share
>>
>> Share permissions assigned to INTERNAL\programs
>> (INTERNAL\Programs is a group created which includes
>> users which are allowed to have access to the programs share)
>>
>> Security tab shows:
>>
>> "You must have permissions to view the properties
>> of this object"
>> (The 'Object' is \\Machine253\programs)
>
> This is very strange, it should work, are the 'attr' and 'acl'
> packages installed ?
>
> Rowland

I ran this command from the Debian section of the "Distribution specific
Package Installation" on the wiki.

# apt-get install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user

For what it's worth, Group policy is mapping the drives and the various
shares are being restricted to the proper groups. I can also set
folder/directory permissions on the share by navigating directly to the
share using a UNC path.

Just know that the last part of the "Setting Share Permissions and ACL's"
on the wiki doesn't allow for anything to be modified on the 'Security'
tab. Not sure if this is "as designed" or did I do something which will
create problems later.
Rowland Penny
2019-Feb-19 20:05 UTC
[Samba] Computer Management - Share Security - No Read Access
On Tue, 19 Feb 2019 14:44:05 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:

> >> # user administrator workaround
> >> username map = /etc/samba/user.map
> >
> > Just to check, what is in the user.map ?
>
> root at machine253:/etc/samba# cat user.map
> !root = INTERNAL\Administrator INTERNAL\administrator Administrator
> administrator

That should work.

> > If you run 'getent group Domain\ Admins', do you get 'Administrator'
> > listed as a group member e.g.
> >
> > domain_admins:x:10512:administrator,rowland,.........
>
> root at machine253:/etc/samba# getent group Domain\ Admins
> domain admins:x:10512:administrator

If you are logged into the Windows machine as 'INTERNAL\Administrator'
it should work, but if you are using another Domain user, add that user
to the 'Domain Admins' group.

> >> ** Create Share & Set permissions
> >>
> >> root at sce253:/# ls -la /server
> >> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13
> >> programs
> >
> > Something seems to have happened, note the '+' sign at the end of
> > the Unix permissions, what does 'getfacl /server' show ?
>
> root at machine253:/etc/samba# getfacl /server
> getfacl: Removing leading '/' from absolute path names
> # file: server
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x

Something is going on here, 'ls' shows 'root:domain admins' as the
owner:group with 0770 permissions, but getfacl shows 'root:root' as
owner:group with 0755 permissions

> > This is very strange, it should work, are the 'attr' and 'acl'
> > packages installed ?
> >
> > Rowland
>
> I ran this command from the Debian section of the
> "Distribution specific Package Installation" on the wiki.
>
> # apt-get install samba attr winbind libpam-winbind libnss-winbind
> libpam-krb5 krb5-config krb5-user

'acl' is installed by default

> For what it's worth, Group policy is mapping the drives and the
> various shares are being restricted to the proper groups.
> I can also set folder/directory permissions on the share
> by navigating directly to the share using a UNC path.

Strange.

> Just know that the last part of the "Setting Share Permissions
> and ACL's" on the wiki doesn't allow for anything to be
> modified on the 'Security' tab.

It should and I have just updated that wiki page.

> Not sure if this is "as designed" or did I do something
> which will create problems later.

Double check Unix ownership and permissions on the share directory,
that is really the only thing that looks wrong.
To remove the ACL's and start again, run:

setfacl -b path/to/directory

reset the unix permissions as shown on the wiki page and then try again
from Windows.

Rowland
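As an added example (not the thread's or the Samba project's code), a POSIX shell check for what Rowland asks to double check: the share directory's Unix owner, group and mode, whether extended ACL entries are present (the '+' that ls prints after the mode), and the 'setfacl -b' plus chown/chmod reset he describes. It assumes a Linux host with GNU coreutils and the acl package, and the wiki's root:"domain admins" 0770 as the expected state; note that 'ls -la /server' lists the entries inside /server, so the 'drwxrwx---+ ... programs' line describes /server/programs, which is the path to check and reset.

```shell
#!/bin/sh
# Added example, not from the thread: verify (and optionally reset) the Unix
# state of a Samba share directory before handing ACL management to Windows.
# The owner/group/mode defaults below are the wiki's values and are assumed.

# check_share_dir DIR OWNER GROUP MODE
# Returns 0 when DIR is owned by OWNER:GROUP with octal MODE; 1 otherwise.
# Also reports (without failing) whether extended ACL entries are present,
# which is what the '+' after the ls mode string and extra getfacl lines mean.
check_share_dir() {
    dir=$1; want="$2:$3 $4"
    [ -d "$dir" ] || { echo "check: not a directory: $dir" >&2; return 1; }
    # GNU stat: %U owner name, %G group name, %a octal mode (assumed Linux host)
    have=$(stat -c '%U:%G %a' "$dir")
    case $(ls -ld "$dir" | cut -d' ' -f1) in
        *+) echo "check: $dir carries extended ACL entries (getfacl lists them)" >&2 ;;
    esac
    if [ "$have" != "$want" ]; then
        echo "check: $dir is '$have', expected '$want'" >&2
        return 1
    fi
    return 0
}

# reset_share_dir DIR [OWNER] [GROUP] [MODE]
# Rowland's "start again": strip every extended ACL entry (setfacl -b), put
# back the plain Unix ownership and mode from the wiki, then re-check.
# Needs root and the 'acl' package; not exercised by the self-test below.
reset_share_dir() {
    dir=$1; owner=${2:-root}; group=${3:-domain admins}; mode=${4:-0770}
    setfacl -b "$dir" || return 1
    chown "$owner:$group" "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    check_share_dir "$dir" "$owner" "$group" "${mode#0}"
}

# Self-test on a constructed scratch directory (no root needed): a 0750
# directory must fail the 0770 check, and pass once chmod 770 is applied.
selftest() {
    t=$(mktemp -d) || return 1
    me=$(id -un); grp=$(id -gn)
    chmod 750 "$t"
    if check_share_dir "$t" "$me" "$grp" 770; then rmdir "$t"; return 1; fi
    chmod 770 "$t"
    check_share_dir "$t" "$me" "$grp" 770 || { rmdir "$t"; return 1; }
    rmdir "$t"
}
```

Run 'selftest' to exercise the check locally; 'reset_share_dir /server/programs' is the root-only step that mirrors the setfacl -b advice above.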
Marco Shmerykowsky
2019-Feb-19 20:25 UTC
[Samba] Computer Management - Share Security - No Read Access
On 2019-02-19 3:05 pm, Rowland Penny via samba wrote:
> On Tue, 19 Feb 2019 14:44:05 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>
>> >> # user administrator workaround
>> >> username map = /etc/samba/user.map
>> >
>> > Just to check, what is in the user.map ?
>>
>> root at machine253:/etc/samba# cat user.map
>> !root = INTERNAL\Administrator INTERNAL\administrator Administrator
>> administrator
>
> That should work.
>
>> > If you run 'getent group Domain\ Admins', do you get 'Administrator'
>> > listed as a group member e.g.
>> >
>> > domain_admins:x:10512:administrator,rowland,.........
>>
>> root at machine253:/etc/samba# getent group Domain\ Admins
>> domain admins:x:10512:administrator
>
> If you are logged into the Windows machine as 'INTERNAL\Administrator'
> it should work, but if you are using another Domain user, add that user
> to the 'Domain Admins' group.
>
>> >> ** Create Share & Set permissions
>> >>
>> >> root at sce253:/# ls -la /server
>> >> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13
>> >> programs
>> >
>> > Something seems to have happened, note the '+' sign at the end of
>> > the Unix permissions, what does 'getfacl /server' show ?
>>
>> root at machine253:/etc/samba# getfacl /server
>> getfacl: Removing leading '/' from absolute path names
>> # file: server
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> other::r-x
>
> Something is going on here, 'ls' shows 'root:domain admins' as the
> owner:group with 0770 permissions, but getfacl shows 'root:root' as
> owner:group with 0755 permissions
>
>> > This is very strange, it should work, are the 'attr' and 'acl'
>> > packages installed ?
>> >
>> > Rowland
>>
>> I ran this command from the Debian section of the
>> "Distribution specific Package Installation" on the wiki.
>>
>> # apt-get install samba attr winbind libpam-winbind libnss-winbind
>> libpam-krb5 krb5-config krb5-user
>
> 'acl' is installed by default
>
>> For what it's worth, Group policy is mapping the drives and the
>> various shares are being restricted to the proper groups.
>> I can also set folder/directory permissions on the share
>> by navigating directly to the share using a UNC path.
>
> Strange.
>
>> Just know that the last part of the "Setting Share Permissions
>> and ACL's" on the wiki doesn't allow for anything to be
>> modified on the 'Security' tab.
>
> It should and I have just updated that wiki page.
>
>> Not sure if this is "as designed" or did I do something
>> which will create problems later.
>
> Double check Unix ownership and permissions on the share directory,
> that is really the only thing that looks wrong.
> To remove the ACL's and start again, run:

What exactly does "START AGAIN" imply? Just chmod?

> setfacl -b path/to/directory
>
> reset the unix permissions as shown on the wiki page and then try again
> from Windows.
>
> Rowland
Andrew Bartlett
2019-Feb-19 20:40 UTC
[Samba] Computer Management - Share Security - No Read Access
On Tue, 2019-02-19 at 20:05 +0000, Rowland Penny via samba wrote:
> On Tue, 19 Feb 2019 14:44:05 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> > > > # user administrator workaround
> > > > username map = /etc/samba/user.map
> > > Just to check, what is in the user.map ?
> > root at machine253:/etc/samba# cat user.map
> > !root = INTERNAL\Administrator INTERNAL\administrator
> > Administrator
> > administrator
> That should work.

Does it? I'm not aware that username map works like this, my
understanding is that it is about mapping pre-authentication usernames
to Samba passdb entries, not domain users after authentication.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba