L.P.H. van Belle
2019-Feb-19 22:30 UTC
[Samba] Computer Management - Share Security - No Read Access
I suggest you start with :
1770 /server (+ creator owner )
3770 /server/programs ( + creator owner + creator group. )

Then check again with getfacl

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Shmerykowsky via samba
> Sent: Tuesday 19 February 2019 23:13
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Computer Management - Share Security - No Read Access
>
> >> On 2019-02-19 4:22 pm, Rowland Penny via samba wrote:
> >> > On Tue, 19 Feb 2019 16:13:27 -0500
> >> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> >> >
> >> >> On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
> >> >> > On Tue, 19 Feb 2019 15:25:51 -0500
> >> >>
> >> >> >> What exactly does "START AGAIN" imply? Just chmod?
> >> >> >
> >> >> > 'ls' shows the correct ownership and Unix permissions:
> >> >> >
> >> >> > drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13 programs
> >> >> >
> >> >> > But 'getfacl' shows something different:
> >> >> >
> >> >> > getfacl: Removing leading '/' from absolute path names
> >> >> > # file: server
> >> >> > # owner: root
> >> >> > # group: root
> >> >> > user::rwx
> >> >> > group::r-x
> >> >> > other::r-x
> >> >> >
> >> >> > So what I am suggesting is that you use 'setfacl' to remove the
> >> >> > extended ACL's, it is the only thing I can see different between
> >> >> > my working system and your non-working system
> >> >> >
> >> >> > Rowland
> >> >>
> >> >> root@machine253:/server# setfacl -b /server/users
> >> >>
> >> >> root@machine253:/server# chmod 0770 /server/programs
> >> >> root@machine253:/server# ls -l
> >> >> total 20
> >> >> drwxrwx--- 4 root domain admins 4096 Feb 17 19:13 programs
> >> >>
> >> >> root@machine253:/server# getfacl /server/programs
> >> >> getfacl: Removing leading '/' from absolute path names
> >> >> # file: server/programs
> >> >> # owner: root
> >> >> # group: domain\040admins
> >> >> user::rwx
> >> >> group::rwx
> >> >> other::---
> >> >>
> >> >> No Change
> >> >
> >> > When you say 'No Change' I take it you mean that it is still not
> >> > working from Windows, because there is a change on the Unix side,
> >> > 'Domain Admins' now has the required Unix permissions.
> >>
> >> Correct. In Computer Manager I can not access anything on the
> >> share except for the share permissions.
> >>
> >> I've also been trying to create "user directory" using %LogonUser%
> >> via a group profile. That doesn't seem to be working, but I don't
> >> know if it's related.
> >> >
> >> > One other thing, I cannot remember asking if Apparmor or Selinux is
> >> > installed and enabled.
> >> >
> >> > Rowland
> >>
> >> I tried sestatus and apparmor_status and both returned 'command not
> >> found' so I assume they're not running. I installed Debian 9 from the
> >> LiveCD with the cinnamon desktop.
> >
> > OK, it is late here, but just in case something has changed, I will set
> > up a new Debian 9 VM tomorrow, install the distro Samba Packages and
> > follow the Samba wiki page.
> >
> > Can you confirm that you are using Samba from Debian 9.
> > You seem to be using '/server' as the shared directory, is this
> > correct ?
> > What Windows version are you using ? (I know you may have already said,
> > but it saves me looking it up)
> >
> > Rowland
>
> Debian 9 -> uname -r -> 4.9.0-8-686
>
> This is the iso I used:
> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-9.8.0-amd64-cinnamon.iso
>
> Windows 10 (version 1803)
>
> The file directory for the various shares is '/server'
Marco Shmerykowsky
2019-Feb-19 23:27 UTC
[Samba] Computer Management - Share Security - No Read Access
I'm getting an inkling on the problem.

In my OLD WinNT style Domain setup, I copied all my
files to another windows machine. I then setup the
new server and once I established a connection which
I thought was stable, I copied all the files back
to the new server on the AD Domain.

I strongly suspect that the problem has to do with
the resulting ACLs and permissions from copying between
the two domains.

On 2019-02-19 5:30 pm, L.P.H. van Belle wrote:
> I suggest you start with :
> 1770 /server (+ creator owner )
> 3770 /server/programs ( + creator owner + creator group. )
>
> Then check again with getfacl
>
> Greetz,
>
> Louis
Marco J Shmerykowsky PE
2019-Feb-20 03:08 UTC
[Samba] Computer Management - Share Security - No Read Access
I somehow got one server to behave properly. (I created shares on two different but similarly configured servers).

The difference between the server that 'works' and the one that 'doesn't' appears to have to do with the assignment of ACL's to the root of the share. In the case of the wiki example, it would be the "Demo" in /srv/samba/Demo.

The permissions for the properly behaved directory have a '+' at the end of the definition (ex. drwxr_xr_x+).

Not sure how I created it tho'

--
Marco J. Shmerykowsky, PE, F.ASCE
marco at sce-engineers.com
-----------------------------------------------------------------
Shmerykowsky Consulting Engineers
Structural Analysis & Design
102 West 38th Street, 2nd Floor
New York, New York 10018
Tel. (212) 719-9700
Fax. (212) 719-4822
http://www.sce-engineers.com
----------------------------------------------------------------

On February 19, 2019 6:27:14 PM EST, Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
>I'm getting an inkling on the problem.
>
>In my OLD WinNT style Domain setup, I copied all my
>files to another windows machine. I then setup the
>new server and once I established a connection which
>I thought was stable, I copied all the files back
>to the new server on the AD Domain.
>
>I strongly suspect that the problem has to do with
>the resulting ACLs and permissions from copying between
>the two domains.
L.P.H. van Belle
2019-Feb-20 07:43 UTC
[Samba] Computer Management - Share Security - No Read Access
After you have set the new rights with chmod, yes, then you need to assign the rights again, once, from within windows.
That's how you got the drwxr_xr_x+ back.

Yes, the root of the share, that's the one often missed.

If you share .. I'll take your Demo as example.
/srv/samba/Demo.

/srv should never be shared, but you need to have 755 here, as "non-linux users" (ad users), you need to "walk through as other"
/srv (77) > 5 < ( minimal 1)
Always create a subfolder first and use that one as share.

/srv/samba 1770 or 3770 or 3775, this all depends on what/how you're going to setup.
samba ( the share root) must have "domain admins and/or domain users" again, depends on setup a bit.
And here your "share" acl's also kick in, but if the underlying filesystem does not allow you to write, you are unable to change anything.

I prefer at this point, 3775
3 ( creator group ) ( 7, Administrator, ) ( 7, Domain admins) (5, other)
You can change the last 5 also to 1, so only x right, that allows "walk through" in windows.

Now you are ready to admin your server, with user Administrator and he with the group members, can setup create new folders and adjust the share acl from within windows.

Last Note here.
/srv/samba if samba is shared here then you need to allow "Domain Admins" to write also on /srv
A simple test, ! but it kills your current rights, chmod 777 /srv and try to change the rights.
Or you're unable to adjust from within windows.

/srv/samba/Demo about the same as /srv/samba in my opinion, only use 3770
Set a "Data_group" on this folder, and keep "domain users" as primary group.
The Data group members are allowed to do anything in the folder but all files/folders get "domain users" as primary group.

Here I suggest 2 or 3 groups, depends a bit on the use also.
Data_group_rw ( allow read write )
Data_group_r ( allow read )
Data_group_Admins ( full control )

Just remember the resulting file/folder right after Demo ( example /srv/samba/Demo/NewFolderHere )
NewFolderHere gets "domain users", which is correct.
The Data_groups are only used to allow access or not.

This is how I mix windows and linux rights and this is also why my NFSv4 works with automounts.

I really suggest people to setup a few shares and test this, it will help you in your setup.
1- use groups as much you can.
2- Don't assign users for ACL's except Administrator.
3- setup a normal windows server and it just works.

Creator owner/Creator group are always forgotten but the most powerful groups where it comes to correct rights.

If you think I was talking in riddles above, let me know, I'll try to make a better example.

Greetz,

Louis

From: Marco J Shmerykowsky PE [mailto:marco at sce-engineers.com]
Sent: Wednesday 20 February 2019 4:09
To: L.P.H. van Belle; Marco Shmerykowsky via samba
CC: samba at lists.samba.org
Subject: Re: [Samba] Computer Management - Share Security - No Read Access

I somehow got one server to behave properly. (I created shares on two different but similarly configured servers).

The difference between the server that 'works' and the one that 'doesn't' appears to have to do with the assignment of ACL's to the root of the share. In the case of the wiki example, it would be the "Demo" in /srv/samba/Demo.

The permissions for the properly behaved directory have a '+' at the end of the definition (ex. drwxr_xr_x+).

Not sure how I created it tho'

--
Marco J. Shmerykowsky, PE, F.ASCE
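
The checks discussed in the message above (every parent directory must let "other" walk through, and the share root carries the special mode bits plus an extended ACL once rights are assigned from Windows) can be audited from the shell. This is an added example, not part of the original thread and not Samba project code; the function names are hypothetical, it assumes GNU stat as on Debian, and the demo tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: audit the Unix side of a share path (hypothetical helper names).
# Special mode bits: 1000 = sticky, 2000 = setgid, so 3775 = both + rwxrwxr-x.

# Octal mode of a path, e.g. 3775 (GNU stat, as shipped with Debian).
mode_of() { stat -c '%a' "$1"; }

# True if "other" holds the x (traverse) bit on directory $1.
other_can_traverse() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 01 )) -ne 0 ]
}

# Print each directory from $1 (top) down to the parent of $2 (share root)
# that "other" cannot walk through; one blocked level hides the whole share.
blocked_ancestors() {
    top=${1%/}
    dir=$(dirname "${2%/}")
    out=""
    while :; do
        if ! other_can_traverse "$dir"; then
            out="$dir
$out"
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    printf '%s' "$out"
}

# Print "<mode> [setgid] [sticky] [acl]" for the share root $1.
# "acl" is the trailing '+' that ls -l shows when an extended ACL exists.
share_root_flags() {
    m=$(mode_of "$1") || return 2
    flags=""
    if [ $(( 0$m & 02000 )) -ne 0 ]; then flags="$flags setgid"; fi
    if [ $(( 0$m & 01000 )) -ne 0 ]; then flags="$flags sticky"; fi
    if [ "$(ls -ld "$1" | cut -c11)" = "+" ]; then flags="$flags acl"; fi
    echo "$m$flags"
}

# Demo on a constructed tree in a temp dir (stands in for /srv/samba/Demo).
demo() {
    t=$(mktemp -d) && chmod 755 "$t"
    mkdir -p "$t/srv/samba/Demo"
    chmod 750 "$t/srv"            # deliberately wrong: other has no x
    chmod 3775 "$t/srv/samba"
    chmod 3770 "$t/srv/samba/Demo"
    echo "blocked: $(blocked_ancestors "$t" "$t/srv/samba/Demo")"
    echo "share root: $(share_root_flags "$t/srv/samba/Demo")"
    rm -rf "$t"
}
demo
```

On a real server, call `blocked_ancestors / /srv/samba/Demo` and `share_root_flags /srv/samba/Demo`; a missing `acl` flag on the share root matches the state described earlier in the thread after `setfacl -b`.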