Marco Shmerykowsky
2019-Feb-19  20:25 UTC
[Samba] Computer Management - Share Security - No Read Access
On 2019-02-19 3:05 pm, Rowland Penny via samba wrote:
> On Tue, 19 Feb 2019 14:44:05 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>
>> >> # user administrator workaround
>> >> username map = /etc/samba/user.map
>> >
>> > Just to check, what is in the user.map ?
>>
>> root at machine253:/etc/samba# cat user.map
>> !root = INTERNAL\Administrator INTERNAL\administrator Administrator
>> administrator
>
> That should work.
>
>> >
>> > If you run 'getent group Domain\ Admins', do you get 'Administrator'
>> > listed as a group member e.g.
>> >
>> > domain_admins:x:10512:administrator,rowland,.........
>>
>> root at machine253:/etc/samba# getent group Domain\ Admins
>> domain admins:x:10512:administrator
>
> If you are logged into the Windows machine as 'INTERNAL\Administrator'
> it should work, but if you are using another Domain user, add that user
> to the 'Domain Admins' group.
>
>> >> ** Create Share & Set permissions
>> >>
>> >> root at sce253:/# ls -la /server
>> >> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13
>> >> programs
>> >
>> > Something seems to have happened, note the '+' sign at the end of
>> > the Unix permissions, what does 'getfacl /server' show ?
>>
>> root at machine253:/etc/samba# getfacl /server
>> getfacl: Removing leading '/' from absolute path names
>> # file: server
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> other::r-x
>
> Something is going on here, 'ls' shows 'root:domain admins' as the
> owner:group with 0770 permissions, but getfacl shows 'root:root' as
> owner:group with 0755 permissions
>
>> > This is very strange, it should work, are the 'attr' and 'acl'
>> > packages installed ?
>> >
>> > Rowland
>>
>> I ran this command from the Debian section of the
>> "Distribution specific Package Installation" on the wiki.
>>
>> # apt-get install samba attr winbind libpam-winbind libnss-winbind
>> libpam-krb5 krb5-config krb5-user
>
> 'acl' is installed by default
>
>> For what it's worth, Group policy is mapping the drives and the
>> various shares are being restricted to the proper groups.
>> I can also set folder/directory permissions on the share
>> by navigating directly to the share using a UNC path.
>
> Strange.
>
>> Just know that the last part of the "Setting Share Permissions
>> and ACL's" on the wiki doesn't allow for anything to be
>> modified on the 'Security' tab.
>
> It should and I have just updated that wiki page.
>
>> Not sure if this is "as designed" or did I do something
>> which will create problems later.
>
> Double check Unix ownership and permissions on the share directory,
> that is really the only thing that looks wrong.
> To remove the ACL's and start again, run:

What exactly does "START AGAIN" imply? Just chmod?

> setfacl -b path/to/directory
>
> reset the unix permissions as shown on the wiki page and then try again
> from Windows.
>
> Rowland
Rowland Penny
2019-Feb-19  20:47 UTC
[Samba] Computer Management - Share Security - No Read Access
On Tue, 19 Feb 2019 15:25:51 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:

> On 2019-02-19 3:05 pm, Rowland Penny via samba wrote:
> > On Tue, 19 Feb 2019 14:44:05 -0500
> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> >
> >> >> # user administrator workaround
> >> >> username map = /etc/samba/user.map
> >> >
> >> > Just to check, what is in the user.map ?
> >>
> >> root at machine253:/etc/samba# cat user.map
> >> !root = INTERNAL\Administrator INTERNAL\administrator Administrator
> >> administrator
> >
> > That should work.
> >
> >> >
> >> > If you run 'getent group Domain\ Admins', do you get
> >> > 'Administrator' listed as a group member e.g.
> >> >
> >> > domain_admins:x:10512:administrator,rowland,.........
> >>
> >> root at machine253:/etc/samba# getent group Domain\ Admins
> >> domain admins:x:10512:administrator
> >
> > If you are logged into the Windows machine as
> > 'INTERNAL\Administrator' it should work, but if you are using
> > another Domain user, add that user to the 'Domain Admins' group.
> >
> >> >> ** Create Share & Set permissions
> >> >>
> >> >> root at sce253:/# ls -la /server
> >> >> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13
> >> >> programs
> >> >
> >> > Something seems to have happened, note the '+' sign at the end of
> >> > the Unix permissions, what does 'getfacl /server' show ?
> >>
> >> root at machine253:/etc/samba# getfacl /server
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: server
> >> # owner: root
> >> # group: root
> >> user::rwx
> >> group::r-x
> >> other::r-x
> >
> > Something is going on here, 'ls' shows 'root:domain admins' as the
> > owner:group with 0770 permissions, but getfacl shows 'root:root' as
> > owner:group with 0755 permissions
> >
> >> > This is very strange, it should work, are the 'attr' and 'acl'
> >> > packages installed ?
> >> >
> >> > Rowland
> >>
> >> I ran this command from the Debian section of the
> >> "Distribution specific Package Installation" on the wiki.
> >>
> >> # apt-get install samba attr winbind libpam-winbind libnss-winbind
> >> libpam-krb5 krb5-config krb5-user
> >
> > 'acl' is installed by default
> >
> >> For what it's worth, Group policy is mapping the drives and the
> >> various shares are being restricted to the proper groups.
> >> I can also set folder/directory permissions on the share
> >> by navigating directly to the share using a UNC path.
> >
> > Strange.
> >
> >> Just know that the last part of the "Setting Share Permissions
> >> and ACL's" on the wiki doesn't allow for anything to be
> >> modified on the 'Security' tab.
> >
> > It should and I have just updated that wiki page.
> >
> >> Not sure if this is "as designed" or did I do something
> >> which will create problems later.
> >
> > Double check Unix ownership and permissions on the share directory,
> > that is really the only thing that looks wrong.
> > To remove the ACL's and start again, run:
>
> What exactly does "START AGAIN" imply? Just chmod?

'ls' shows the correct ownership and Unix permissions:

drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs

But 'getfacl' shows something different:

getfacl: Removing leading '/' from absolute path names
# file: server
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

So what I am suggesting is that you use 'setfacl' to remove the
extended ACL's, it is the only thing I can see different between my
working system and your non-working system

Rowland
Marco Shmerykowsky
2019-Feb-19  21:13 UTC
[Samba] Computer Management - Share Security - No Read Access
On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
> On Tue, 19 Feb 2019 15:25:51 -0500
>> What exactly does "START AGAIN" imply? Just chmod?
>
> 'ls' shows the correct ownership and Unix permissions:
>
> drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
>
> But 'getfacl' shows something different:
>
> getfacl: Removing leading '/' from absolute path names
> # file: server
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
> So what I am suggesting is that you use 'setfacl' to remove the
> extended ACL's, it is the only thing I can see different between my
> working system and your non-working system
>
> Rowland

root at machine253:/server# setfacl -b /server/users
root at machine253:/server# chmod 0770 /server/programs
root at machine253:/server# ls -l
total 20
drwxrwx--- 4 root domain admins 4096 Feb 17 19:13 programs
root at machine253:/server# getfacl /server/programs
getfacl: Removing leading '/' from absolute path names
# file: server/programs
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

No Change
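
Added example, not part of the thread: in the outputs posted above, `ls -la /server` describes the entry `programs`, while `getfacl /server` describes `/server` itself (its header reads `# file: server`), so the two listings are for different objects. The function below condenses getfacl output into one line that can be set against `ls -ld` of the same path; the names `acl_summary` and `sample` are assumptions of this example, and the `extended` sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). acl_summary reads getfacl output on stdin
# and prints "path|owner|group|mode|kind" for comparison with `ls -ld` of that path.
acl_summary() {
    awk '
    function bits(p,   n) {                  # "r-x" -> 5
        n = 0
        if (substr(p, 1, 1) == "r") n += 4
        if (substr(p, 2, 1) == "w") n += 2
        if (substr(p, 3, 1) == "x") n += 1
        return n
    }
    /^# file: /  { path  = substr($0, 9) }
    /^# owner: / { owner = substr($0, 10) }
    /^# group: / { group = substr($0, 10); gsub(/\\040/, " ", group) }
    /^user::/    { u = bits(substr($0, 7)) }
    /^group::/   { g = bits(substr($0, 8)) }
    /^other::/   { o = bits(substr($0, 8)) }
    /^mask::/    { m = bits(substr($0, 7)); masked = 1 }
    # Named user/group entries and default: entries are what make ls print "+".
    /^(user|group):[^:]+:/ || /^default:/ { ext = 1 }
    END {
        if (masked) g = m                    # ls shows the mask as the group bits
        kind = (ext || masked) ? "extended" : "minimal"
        printf "%s|%s|%s|0%d%d%d|%s\n", path, owner, group, u, g, o, kind
    }
    '
}

# Hypothetical helper: "server" and "programs" are the getfacl outputs posted in
# the thread; "extended" is constructed (the domain users entry is made up).
sample() {
    case $1 in
    server)   printf '%s\n' '# file: server' '# owner: root' '# group: root' \
                  'user::rwx' 'group::r-x' 'other::r-x' ;;
    programs) printf '%s\n' '# file: server/programs' '# owner: root' \
                  '# group: domain\040admins' 'user::rwx' 'group::rwx' 'other::---' ;;
    extended) printf '%s\n' '# file: server/programs' '# owner: root' \
                  '# group: domain\040admins' 'user::rwx' 'group::r-x' \
                  'group:domain\040users:r-x' 'mask::rwx' 'other::---' ;;
    esac
}

for s in server programs extended; do sample "$s" | acl_summary; done
```

On a live system, pipe `getfacl /server/programs 2>/dev/null` into `acl_summary` and compare the result with `ls -ld /server/programs`, so that both commands describe the same directory.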