Marco Shmerykowsky
2019-Feb-19 21:42 UTC
[Samba] Computer Management - Share Security - No Read Access
---
Marco J. Shmerykowsky, P.E.
marco at sce-engineers.com

--------------------------------------------
Shmerykowsky Consulting Engineers
Structural Analysis & Design
102 West 38th Street, 2nd Floor
New York, New York 10018
Tel. (212)719-9700 Fax. (212)719-4822
http://www.sce-engineers.com
--------------------------------------------

On 2019-02-19 4:22 pm, Rowland Penny via samba wrote:
> On Tue, 19 Feb 2019 16:13:27 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>
>>
>> On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
>> > On Tue, 19 Feb 2019 15:25:51 -0500
>>
>> >> What exactly does "START AGAIN" imply? Just chmod?
>> >
>> > 'ls' shows the correct ownership and Unix permissions:
>> >
>> > drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13
>> > programs
>> >
>> > But 'getfacl' show something different:
>> >
>> > getfacl: Removing leading '/' from absolute path names
>> > # file: server
>> > # owner: root
>> > # group: root
>> > user::rwx
>> > group::r-x
>> > other::r-x
>> >
>> > So what I am suggesting is that you use 'setfacl' to remove the
>> > extended ACL's, it is the only thing I can see different between my
>> > working system and your non-working system
>> >
>> > Rowland
>>
>> root at machine253:/server# setfacl -b /server/users
>>
>> root at machine253:/server# chmod 0770 /server/programs
>> root at machine253:/server# ls -l
>> total 20
>> drwxrwx--- 4 root domain admins 4096 Feb 17 19:13 programs
>>
>>
>> root at machine253:/server# getfacl /server/programs
>> getfacl: Removing leading '/' from absolute path names
>> # file: server/programs
>> # owner: root
>> # group: domain\040admins
>> user::rwx
>> group::rwx
>> other::---
>>
>> No Change
>
> When you say 'No Change' I take it you mean that it is still not
> working from Windows, because there is a change on the Unix side,
> 'Domain Admins' now has the required Unix permissions.

Correct. In Computer Manager I can not access anything on the
share except for the share permissions.

I've also been trying to create "user directory" using %LogonUser%
via a group profile. That doesn't seem to be working, but I don't
know if it's related.

>
> One other thing, I cannot remember asking if Apparmor or Selinux is
> installed and enabled.
>
> Rowland

I tried sestatus and apparmor_status and both returned 'command not found'
so I assume they're not running. I installed Debian 9 from the LiveCD
with the cinnamon desktop.
Rowland Penny
2019-Feb-19 22:05 UTC
[Samba] Computer Management - Share Security - No Read Access
On Tue, 19 Feb 2019 16:42:44 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:

>
>
> ---
> Marco J. Shmerykowsky, P.E.
> marco at sce-engineers.com
>
> --------------------------------------------
> Shmerykowsky Consulting Engineers
> Structural Analysis & Design
> 102 West 38th Street, 2nd Floor
> New York, New York 10018
> Tel. (212)719-9700 Fax. (212)719-4822
> http://www.sce-engineers.com
> --------------------------------------------
>
> On 2019-02-19 4:22 pm, Rowland Penny via samba wrote:
> > On Tue, 19 Feb 2019 16:13:27 -0500
> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> >
> >>
> >> On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
> >> > On Tue, 19 Feb 2019 15:25:51 -0500
> >>
> >> >> What exactly does "START AGAIN" imply? Just chmod?
> >> >
> >> > 'ls' shows the correct ownership and Unix permissions:
> >> >
> >> > drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13
> >> > programs
> >> >
> >> > But 'getfacl' show something different:
> >> >
> >> > getfacl: Removing leading '/' from absolute path names
> >> > # file: server
> >> > # owner: root
> >> > # group: root
> >> > user::rwx
> >> > group::r-x
> >> > other::r-x
> >> >
> >> > So what I am suggesting is that you use 'setfacl' to remove the
> >> > extended ACL's, it is the only thing I can see different between
> >> > my working system and your non-working system
> >> >
> >> > Rowland
> >>
> >> root at machine253:/server# setfacl -b /server/users
> >>
> >> root at machine253:/server# chmod 0770 /server/programs
> >> root at machine253:/server# ls -l
> >> total 20
> >> drwxrwx--- 4 root domain admins 4096 Feb 17 19:13 programs
> >>
> >>
> >> root at machine253:/server# getfacl /server/programs
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: server/programs
> >> # owner: root
> >> # group: domain\040admins
> >> user::rwx
> >> group::rwx
> >> other::---
> >>
> >> No Change
> >
> > When you say 'No Change' I take it you mean that it is still not
> > working from Windows, because there is a change on the Unix side,
> > 'Domain Admins' now has the required Unix permissions.
>
> Correct. In Computer Manager I can not access anything on the
> share except for the share permissions.
>
> I've also been trying to create "user directory" using %LogonUser%
> via a group profile. That doesn't seem to be working, but I don't
> know if it's related.
> >
> > One other thing, I cannot remember asking if Apparmor or Selinux is
> > installed and enabled.
> >
> > Rowland
>
> I tried sestatus and apparmor_status and both returned 'command not found'
> so I assume they're not running. I installed Debian 9 from the LiveCD
> with the cinnamon desktop.

OK, it is late here, but just in case something has changed, I will set
up a new Debian 9 VM tomorrow, install the distro Samba Packages and
follow the Samba wiki page.

Can you confirm that you are using Samba from Debian 9.
You seem to be using '/server' as the shared directory, is this
correct ?
What Windows version are you using ? (I know you may have already said,
but it saves me looking it up)

Rowland
Marco Shmerykowsky
2019-Feb-19 22:13 UTC
[Samba] Computer Management - Share Security - No Read Access
>> On 2019-02-19 4:22 pm, Rowland Penny via samba wrote:
>> > On Tue, 19 Feb 2019 16:13:27 -0500
>> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>> >
>> >>
>> >> On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
>> >> > On Tue, 19 Feb 2019 15:25:51 -0500
>> >>
>> >> >> What exactly does "START AGAIN" imply? Just chmod?
>> >> >
>> >> > 'ls' shows the correct ownership and Unix permissions:
>> >> >
>> >> > drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13
>> >> > programs
>> >> >
>> >> > But 'getfacl' show something different:
>> >> >
>> >> > getfacl: Removing leading '/' from absolute path names
>> >> > # file: server
>> >> > # owner: root
>> >> > # group: root
>> >> > user::rwx
>> >> > group::r-x
>> >> > other::r-x
>> >> >
>> >> > So what I am suggesting is that you use 'setfacl' to remove the
>> >> > extended ACL's, it is the only thing I can see different between
>> >> > my working system and your non-working system
>> >> >
>> >> > Rowland
>> >>
>> >> root at machine253:/server# setfacl -b /server/users
>> >>
>> >> root at machine253:/server# chmod 0770 /server/programs
>> >> root at machine253:/server# ls -l
>> >> total 20
>> >> drwxrwx--- 4 root domain admins 4096 Feb 17 19:13 programs
>> >>
>> >>
>> >> root at machine253:/server# getfacl /server/programs
>> >> getfacl: Removing leading '/' from absolute path names
>> >> # file: server/programs
>> >> # owner: root
>> >> # group: domain\040admins
>> >> user::rwx
>> >> group::rwx
>> >> other::---
>> >>
>> >> No Change
>> >
>> > When you say 'No Change' I take it you mean that it is still not
>> > working from Windows, because there is a change on the Unix side,
>> > 'Domain Admins' now has the required Unix permissions.
>>
>> Correct. In Computer Manager I can not access anything on the
>> share except for the share permissions.
>>
>> I've also been trying to create "user directory" using %LogonUser%
>> via a group profile. That doesn't seem to be working, but I don't
>> know if it's related.
>> >
>> > One other thing, I cannot remember asking if Apparmor or Selinux is
>> > installed and enabled.
>> >
>> > Rowland
>>
>> I tried sestatus and apparmor_status and both returned 'command not found'
>> so I assume they're not running. I installed Debian 9 from the LiveCD
>> with the cinnamon desktop.
>
> OK, it is late here, but just in case something has changed, I will set
> up a new Debian 9 VM tomorrow, install the distro Samba Packages and
> follow the Samba wiki page.
>
> Can you confirm that you are using Samba from Debian 9.
> You seem to be using '/server' as the shared directory, is this
> correct ?
> What Windows version are you using ? (I know you may have already said,
> but it saves me looking it up)
>
> Rowland

Debian 9 -> uname -r -> 4.9.0-8-686

This is the iso I used:
https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-9.8.0-amd64-cinnamon.iso

Windows 10 (version 1803)

The file directory for the various shares is '/server'
L.P.H. van Belle
2019-Feb-19 22:30 UTC
[Samba] Computer Management - Share Security - No Read Access
I suggest you start with:
1770 /server (+ creator owner )
3770 /server/programs ( + creator owner + creator group. )

Then check again with getfacl

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Shmerykowsky via samba
> Sent: Tuesday 19 February 2019 23:13
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Computer Management - Share Security -
> No Read Access
>
> >> On 2019-02-19 4:22 pm, Rowland Penny via samba wrote:
> >> > On Tue, 19 Feb 2019 16:13:27 -0500
> >> > Marco Shmerykowsky <marco at sce-engineers.com> wrote:
> >> >
> >> >>
> >> >> On 2019-02-19 3:47 pm, Rowland Penny via samba wrote:
> >> >> > On Tue, 19 Feb 2019 15:25:51 -0500
> >> >>
> >> >> >> What exactly does "START AGAIN" imply? Just chmod?
> >> >> >
> >> >> > 'ls' shows the correct ownership and Unix permissions:
> >> >> >
> >> >> > drwxrwx---+ 4 root domain admins 4096 Feb 17 19:13
> >> >> > programs
> >> >> >
> >> >> > But 'getfacl' show something different:
> >> >> >
> >> >> > getfacl: Removing leading '/' from absolute path names
> >> >> > # file: server
> >> >> > # owner: root
> >> >> > # group: root
> >> >> > user::rwx
> >> >> > group::r-x
> >> >> > other::r-x
> >> >> >
> >> >> > So what I am suggesting is that you use 'setfacl' to remove the
> >> >> > extended ACL's, it is the only thing I can see different between
> >> >> > my working system and your non-working system
> >> >> >
> >> >> > Rowland
> >> >>
> >> >> root at machine253:/server# setfacl -b /server/users
> >> >>
> >> >> root at machine253:/server# chmod 0770 /server/programs
> >> >> root at machine253:/server# ls -l
> >> >> total 20
> >> >> drwxrwx--- 4 root domain admins 4096 Feb 17 19:13 programs
> >> >>
> >> >>
> >> >> root at machine253:/server# getfacl /server/programs
> >> >> getfacl: Removing leading '/' from absolute path names
> >> >> # file: server/programs
> >> >> # owner: root
> >> >> # group: domain\040admins
> >> >> user::rwx
> >> >> group::rwx
> >> >> other::---
> >> >>
> >> >> No Change
> >> >
> >> > When you say 'No Change' I take it you mean that it is still not
> >> > working from Windows, because there is a change on the Unix side,
> >> > 'Domain Admins' now has the required Unix permissions.
> >>
> >> Correct. In Computer Manager I can not access anything on the
> >> share except for the share permissions.
> >>
> >> I've also been trying to create "user directory" using %LogonUser%
> >> via a group profile. That doesn't seem to be working, but I don't
> >> know if it's related.
> >> >
> >> > One other thing, I cannot remember asking if Apparmor or Selinux is
> >> > installed and enabled.
> >> >
> >> > Rowland
> >>
> >> I tried sestatus and apparmor_status and both returned 'command not found'
> >> so I assume they're not running. I installed Debian 9 from the LiveCD
> >> with the cinnamon desktop.
> >
> > OK, it is late here, but just in case something has changed, I will set
> > up a new Debian 9 VM tomorrow, install the distro Samba Packages and
> > follow the Samba wiki page.
> >
> > Can you confirm that you are using Samba from Debian 9.
> > You seem to be using '/server' as the shared directory, is this
> > correct ?
> > What Windows version are you using ? (I know you may have already said,
> > but it saves me looking it up)
> >
> > Rowland
>
> Debian 9 -> uname -r -> 4.9.0-8-686
>
> This is the iso I used:
> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-9.8.0-amd64-cinnamon.iso
>
> Windows 10 (version 1803)
>
> The file directory for the various shares is '/server'
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
L.P.H. van Belle
2019-Feb-19 22:32 UTC
[Samba] Computer Management - Share Security - No Read Access
Oops. missed this.

>
> The file directory for the various shares is '/server'
>

Then setup
3770 on /server
3770 on /server/programs

You want your "domain admins" member to have write access in /server
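The messages above keep comparing `ls -l`, the `+` marker and `getfacl` output after each `chmod` or `setfacl -b`. The following is an added example, not part of the thread or of Samba: it reduces `getfacl` text to one comparable line, decoding the `\040` escape and reporting whether only the three base entries remain. The function names are hypothetical, the first sample is the output quoted in the thread, and the second sample is constructed.

```bash
#!/usr/bin/env bash
# Added example: summarise `getfacl` text read from stdin as
#   path|owner|group|octal mode|minimal-or-extended

acl_summary() {
  awk '
    # Map an "rwx" triplet to its octal digit.
    function bits(p,  n) {
      n = 0
      if (substr(p, 1, 1) == "r") n += 4
      if (substr(p, 2, 1) == "w") n += 2
      if (substr(p, 3, 1) == "x") n += 1
      return n
    }
    # getfacl writes a space in a name as \040 (domain\040admins).
    function unesc(s) { gsub(/\\040/, " ", s); return s }
    /^# file: /  { file  = unesc(substr($0, 9));  next }
    /^# owner: / { owner = unesc(substr($0, 10)); next }
    /^# group: / { group = unesc(substr($0, 10)); next }
    /^# flags: / {                 # setuid, setgid, sticky: "-st" is 3xxx
      f = substr($0, 10)
      if (substr(f, 1, 1) == "s") special += 4
      if (substr(f, 2, 1) == "s") special += 2
      if (substr(f, 3, 1) == "t") special += 1
      next
    }
    /^user::/  { u = bits(substr($0, 7)); next }
    /^group::/ { g = bits(substr($0, 8)); next }
    /^other::/ { o = bits(substr($0, 8)); next }
    # With a mask entry, the group digit of the mode is the mask.
    /^mask::/  { m = bits(substr($0, 7)); hasmask = 1; extended = 1; next }
    # Named user/group entries and default entries are extended ACLs.
    /^(user|group|default):/ { extended = 1 }
    END {
      printf "%s|%s|%s|%d%d%d%d|%s\n", file, owner, group, special, u,
             (hasmask ? m : g), o, (extended ? "extended" : "minimal")
    }'
}
# The getfacl output for /server/programs quoted in the thread.
page_sample() { cat <<'EOF'
# file: server/programs
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---
EOF
}
# Constructed sample: mode 3770 plus a named group entry (ls shows "+").
constructed_sample() { cat <<'EOF'
# file: server/programs
# owner: root
# group: domain\040admins
# flags: -st
user::rwx
group::r-x
group:engineers:rwx
mask::rwx
other::---
EOF
}

page_sample | acl_summary         # server/programs|root|domain admins|0770|minimal
constructed_sample | acl_summary  # server/programs|root|domain admins|3770|extended
```

On a live system the same function takes `getfacl /server/programs | acl_summary`; running it on every directory touched makes it obvious when `setfacl -b` and `chmod` were applied to different paths.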
Rowland Penny
2019-Feb-20 11:02 UTC
[Samba] Computer Management - Share Security - No Read Access
On Tue, 19 Feb 2019 22:05:12 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> OK, it is late here, but just in case something has changed, I will
> set up a new Debian 9 VM tomorrow, install the distro Samba Packages
> and follow the Samba wiki page.
>
> Can you confirm that you are using Samba from Debian 9.
> You seem to be using '/server' as the shared directory, is this
> correct ?
> What Windows version are you using ? (I know you may have already
> said, but it saves me looking it up)
>
> Rowland
>

OK, it (as I expected) works, I will clean up my notes and send the OP
a copy.

Rowland
Rowland Penny
2019-Feb-20 14:26 UTC
[Samba] Computer Management - Share Security - No Read Access {FOLLOWUP}
On Wed, 20 Feb 2019 09:11:23 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:

>
> Interesting....
>
> It seems that there is something that "lingers" with
> respect to a share definition.
>
> I had also created a "users" share. No amount of tweaking
> seemed to allow the Security tab to assign permissions.
>
> However, I noticed that if I removed the share in samba
> & restarted. The share disappeared in "Computer Management."
> Seems logical.
>
> I reactivated the share in smb.conf, restarted samba and
> the share reappeared in "Computer Management". It also
> had the same Share Level permissions set as before.
>
> I thought that removal and redefinition of the share
> would clear any permissions. The '+' never appears
> on the permissions of the directory on the Linux side.
>
> So.... I renamed the share in smb.conf from [users] to
> [personal].
>
> Same directory (/server/users).
> Same permissions (0770).
> Same ownership (root:"Domain Admins")
>
> restarted samba. Back to "Computer Management"
> Suddenly, full access to everything - just like it's supposed to.
>
> Any explanation?

Not really, unless 'users' is a Windows name that cannot be used
elsewhere in the domain.

Rowland
Marco Shmerykowsky
2019-Feb-21 15:39 UTC
[Samba] Computer Management - Share Security - No Read Access
On 2019-02-20 7:12 am, Rowland Penny wrote:
> On Wed, 20 Feb 2019 11:02:55 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Tue, 19 Feb 2019 22:05:12 +0000
>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>> > OK, it is late here, but just in case something has changed, I will
>> > set up a new Debian 9 VM tomorrow, install the distro Samba
>> > Packages and follow the Samba wiki page.
>> >
>> > Can you confirm that you are using Samba from Debian 9.
>> > You seem to be using '/server' as the shared directory, is this
>> > correct ?
>> > What Windows version are you using ? (I know you may have already
>> > said, but it saves me looking it up)
>> >
>> > Rowland
>> >
>>
>> OK, it (as I expected) works, I will clean up my notes and send the OP
>> a copy.
>>
>> Rowland

Sorry to be a pain on this, but something just refuses to work
as I would expect. I've tried the following:

1) remove the share definition from smb.conf
2) Restart smbd
3) Remove (delete) the share directory from Linux
4) Check "Computer Management" on windows - Share is Gone
5) mkdir -p /server/share-files
6) chown root:"Domain Admins" /server/share-files
7) chmod 0770 /server/share-files
8) getfacl /server/share-files
   -> permissions match 0770
8) Restore (un-comment) share definition in smb.conf
   -> [share-files]
   -> path = /server/share-files
   -> read only = no
9) smbcontrol all reload-config
10) restart smbd
11) Go into "Computer Management" on windows & get to
    "Shares" on machine253

Here is what I find odd. The "Share permissions" tab lists
one of the groups I previously defined. It is not a windows
"built-in" group. I created it using samba-tool on the AD.

If I removed the share and then recreated it, I would expect
a 'default' listing of groups. Instead I seem to be getting a
previous "historical" group listing if I reuse the same
share names or directory names.

Two more things:

After all of this clicking and changing, I do not get the
'+' on the directory permissions. It still reads as a
basic 0770. It seems having this in the share is critical
to normal behavior. At least once that appeared on my
other server - those shares started exhibiting normal
behavior.

Second, I've discovered that if I add the "Everyone" group
to the "Share Permissions" then suddenly I can modify
the Security tab. If I remove the "Everyone group" then
it eventually reverts to giving me the following error:

"You must have Read permissions to view the properties of this object"

where the object in question is "\\Machine253\share".

Nothing is appearing in the log.smbd file after the last
"daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to
serve connections"

Thoughts?
Rowland Penny
2019-Feb-21 15:57 UTC
[Samba] Computer Management - Share Security - No Read Access
On Thu, 21 Feb 2019 10:39:47 -0500
Marco Shmerykowsky <marco at sce-engineers.com> wrote:

>
> On 2019-02-20 7:12 am, Rowland Penny wrote:
> > On Wed, 20 Feb 2019 11:02:55 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On Tue, 19 Feb 2019 22:05:12 +0000
> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
> >>
> >> > OK, it is late here, but just in case something has changed, I
> >> > will set up a new Debian 9 VM tomorrow, install the distro Samba
> >> > Packages and follow the Samba wiki page.
> >> >
> >> > Can you confirm that you are using Samba from Debian 9.
> >> > You seem to be using '/server' as the shared directory, is this
> >> > correct ?
> >> > What Windows version are you using ? (I know you may have already
> >> > said, but it saves me looking it up)
> >> >
> >> > Rowland
> >> >
> >>
> >> OK, it (as I expected) works, I will clean up my notes and send
> >> the OP a copy.
> >>
> >> Rowland
>
> Sorry to be a pain on this, but something just refuses to work
> as I would expect. I've tried the following:
>
> 1) remove the share definition from smb.conf
> 2) Restart smbd
> 3) Remove (delete) the share directory from Linux
> 4) Check "Computer Management" on windows - Share is Gone
> 5) mkdir -p /server/share-files
> 6) chown root:"Domain Admins" /server/share-files
> 7) chmod 0770 /server/share-files
> 8) getfacl /server/share-files
>    -> permissions match 0770
> 8) Restore (un-comment) share definition in smb.conf
>    -> [share-files]
>    -> path = /server/share-files
>    -> read only = no
> 9) smbcontrol all reload-config
> 10) restart smbd

If you do '9', you don't need to do '10'

> 11) Go into "Computer Management" on windows & get to
>     "Shares" on machine253
>
> Here is what I find odd. The "Share permissions" tab lists
> one of the groups I previously defined. It is not a windows
> "built-in" group. I created it using samba-tool on the AD.

Ignore the 'shares' tab, just use the 'security' tab, for which a
better name would be 'NTFS permissions'

>
> If I removed the share and then recreated it, I would expect
> a 'default' listing of groups. Instead I seem to be getting a
> previous "historical" group listing if I reuse the same
> share names or directory names.
>
> Two more things:
>
> After all of this clicking and changing, I do not get the
> '+' on the directory permissions. It still reads as a
> basic 0770. It seems having this in the share is critical
> to normal behavior. At least once that appeared on my
> other server - those shares started exhibiting normal
> behavior.
>
> Second, I've discovered that if I add the "Everyone" group
> to the "Share Permissions" then suddenly I can modify
> the Security tab. If I remove the "Everyone group" then
> it eventually reverts to giving me the following error:

As I said above, ignore the 'Share' tab, leave 'Everyone' there.

I go now to update the wiki page (again).

Rowland