Rowland Penny
2019-Feb-21 15:57 UTC
[Samba] Computer Management - Share Security - No Read Access
On Thu, 21 Feb 2019 10:39:47 -0500 Marco Shmerykowsky <marco at sce-engineers.com> wrote:> > On 2019-02-20 7:12 am, Rowland Penny wrote: > > On Wed, 20 Feb 2019 11:02:55 +0000 > > Rowland Penny via samba <samba at lists.samba.org> wrote: > > > >> On Tue, 19 Feb 2019 22:05:12 +0000 > >> Rowland Penny via samba <samba at lists.samba.org> wrote: > >> > >> > OK, it is late here, but just in case something has changed, I > >> > will set up a new Debian 9 VM tommorrow, install the distro Samba > >> > Packages and follow the Samba wiki page. > >> > > >> > Can you confirm that you are using Samba from Debian 9. > >> > You seem to be using '/server' as the shared directory, is this > >> > correct ? > >> > What Windows version are you using ? (I know you may have already > >> > said, but it saves me looking it up) > >> > > >> > Rowland > >> > > >> > >> OK, it (as I expected) works, I will clean up my notes and send > >> the OP a copy. > >> > >> Rowland > > Sorry to be a pain on this, but something just refuses to work > as I would expect. I've tried the following: > > 1) remove the share definition from smb.conf > 2) Restart smbd > 3) Remove (delete) the share directory from Linux > 4) Check "Computer Management" on windows - Share is Gone > 5) mkdir -p /server/share-files > 6) chown root:"Domain Admins" /server/share-files > 7) chmod 0770 /server/share-files > 8) getfacl /server/share-files > -> permissions match 0770 > 8) Restore (un-comment) share definition in smb.conf > -> [share-files] > -> path = /server/share-files > -> read only = no > 9) smbcontrol all reload-config > 10) restart smbdIf you do '9', you don't need to do '10'> 11) Go into "Computer Management" on windows & get to > "Shares" on machine253 > > Here is what I find odd. The "Share permissions" tab lists > one of the groups I previously defined. It is not a windows > "built-in" group. I created it using samba-tool on the AD.Ignore the 'shares' tab, just use the 'security' tab, for which a better name would be 'NTFS permissions'> > If I removed the share and then recreated it, I would expect > a 'default' listing of groups. Instead I seem to be getting a > previous "historical" group listing if I reuse the same > share names or directory names. > > Two more things: > > After all of this clicking and changing, I do not get the > '+' on the directory permissions. It still reads as a > basic 0770. It seems having this in the share is critical > to normal behavior. At least once that appeared on my > other server - those shares started exhibiting normal > behavior. > > Second, I've discovered that if I add the "Everyone" group > to the "Share Permissions" then suddenly I can modify > the Security tab. If I remove the "Everyone group" then > it eventually reverts to giving me the following error:As I said above, ignore the 'Share' tab, leave 'Everyone' there. I go now to update the wiki page (again). Rowland
Marco Shmerykowsky
2019-Feb-21 16:12 UTC
[Samba] Computer Management - Share Security - No Read Access
On 2019-02-21 10:57 am, Rowland Penny via samba wrote:> On Thu, 21 Feb 2019 10:39:47 -0500 > Marco Shmerykowsky <marco at sce-engineers.com> wrote: > >> >> On 2019-02-20 7:12 am, Rowland Penny wrote: >> > On Wed, 20 Feb 2019 11:02:55 +0000 >> > Rowland Penny via samba <samba at lists.samba.org> wrote: >> > >> >> On Tue, 19 Feb 2019 22:05:12 +0000 >> >> Rowland Penny via samba <samba at lists.samba.org> wrote: >> >> >> >> > OK, it is late here, but just in case something has changed, I >> >> > will set up a new Debian 9 VM tommorrow, install the distro Samba >> >> > Packages and follow the Samba wiki page. >> >> > >> >> > Can you confirm that you are using Samba from Debian 9. >> >> > You seem to be using '/server' as the shared directory, is this >> >> > correct ? >> >> > What Windows version are you using ? (I know you may have already >> >> > said, but it saves me looking it up) >> >> > >> >> > Rowland >> >> > >> >> >> >> OK, it (as I expected) works, I will clean up my notes and send >> >> the OP a copy. >> >> >> >> Rowland >> >> Sorry to be a pain on this, but something just refuses to work >> as I would expect. I've tried the following: >> >> 1) remove the share definition from smb.conf >> 2) Restart smbd >> 3) Remove (delete) the share directory from Linux >> 4) Check "Computer Management" on windows - Share is Gone >> 5) mkdir -p /server/share-files >> 6) chown root:"Domain Admins" /server/share-files >> 7) chmod 0770 /server/share-files >> 8) getfacl /server/share-files >> -> permissions match 0770 >> 8) Restore (un-comment) share definition in smb.conf >> -> [share-files] >> -> path = /server/share-files >> -> read only = no >> 9) smbcontrol all reload-config >> 10) restart smbd > > If you do '9', you don't need to do '10'Expect both would achieve same. Figured it wouldn't hurt.> >> 11) Go into "Computer Management" on windows & get to >> "Shares" on machine253 >> >> Here is what I find odd. The "Share permissions" tab lists >> one of the groups I previously defined. It is not a windows >> "built-in" group. I created it using samba-tool on the AD. > > Ignore the 'shares' tab, just use the 'security' tab, for which a > better name would be 'NTFS permissions' > >> >> If I removed the share and then recreated it, I would expect >> a 'default' listing of groups. Instead I seem to be getting a >> previous "historical" group listing if I reuse the same >> share names or directory names. >> >> Two more things: >> >> After all of this clicking and changing, I do not get the >> '+' on the directory permissions. It still reads as a >> basic 0770. It seems having this in the share is critical >> to normal behavior. At least once that appeared on my >> other server - those shares started exhibiting normal >> behavior. >> >> Second, I've discovered that if I add the "Everyone" group >> to the "Share Permissions" then suddenly I can modify >> the Security tab. If I remove the "Everyone group" then >> it eventually reverts to giving me the following error: > > As I said above, ignore the 'Share' tab, leave 'Everyone' there. > I go now to update the wiki page (again).Just discovered that although I can access "Security" (ie NTFS Permissions) I get "Failed to enumerate objects in the containet. Access is denied" when I attempt to apply the changes.
Rowland Penny
2019-Feb-21 16:30 UTC
[Samba] Computer Management - Share Security - No Read Access
On Thu, 21 Feb 2019 11:12:05 -0500 Marco Shmerykowsky <marco at sce-engineers.com> wrote:> > On 2019-02-21 10:57 am, Rowland Penny via samba wrote: > > On Thu, 21 Feb 2019 10:39:47 -0500 > > Marco Shmerykowsky <marco at sce-engineers.com> wrote: > > > >> > >> On 2019-02-20 7:12 am, Rowland Penny wrote: > >> > On Wed, 20 Feb 2019 11:02:55 +0000 > >> > Rowland Penny via samba <samba at lists.samba.org> wrote: > >> > > >> >> On Tue, 19 Feb 2019 22:05:12 +0000 > >> >> Rowland Penny via samba <samba at lists.samba.org> wrote: > >> >> > >> >> > OK, it is late here, but just in case something has changed, I > >> >> > will set up a new Debian 9 VM tommorrow, install the distro > >> >> > Samba Packages and follow the Samba wiki page. > >> >> > > >> >> > Can you confirm that you are using Samba from Debian 9. > >> >> > You seem to be using '/server' as the shared directory, is > >> >> > this correct ? > >> >> > What Windows version are you using ? (I know you may have > >> >> > already said, but it saves me looking it up) > >> >> > > >> >> > Rowland > >> >> > > >> >> > >> >> OK, it (as I expected) works, I will clean up my notes and send > >> >> the OP a copy. > >> >> > >> >> Rowland > >> > >> Sorry to be a pain on this, but something just refuses to work > >> as I would expect. I've tried the following: > >> > >> 1) remove the share definition from smb.conf > >> 2) Restart smbd > >> 3) Remove (delete) the share directory from Linux > >> 4) Check "Computer Management" on windows - Share is Gone > >> 5) mkdir -p /server/share-files > >> 6) chown root:"Domain Admins" /server/share-files > >> 7) chmod 0770 /server/share-files > >> 8) getfacl /server/share-files > >> -> permissions match 0770 > >> 8) Restore (un-comment) share definition in smb.conf > >> -> [share-files] > >> -> path = /server/share-files > >> -> read only = no > >> 9) smbcontrol all reload-config > >> 10) restart smbd > > > > If you do '9', you don't need to do '10' > > Expect both would achieve same. Figured it wouldn't hurt.Well yes, it doesn't hurt, you just don't need to do both ;-)> > > > >> 11) Go into "Computer Management" on windows & get to > >> "Shares" on machine253 > >> > >> Here is what I find odd. The "Share permissions" tab lists > >> one of the groups I previously defined. It is not a windows > >> "built-in" group. I created it using samba-tool on the AD. > > > > Ignore the 'shares' tab, just use the 'security' tab, for which a > > better name would be 'NTFS permissions' > > > >> > >> If I removed the share and then recreated it, I would expect > >> a 'default' listing of groups. Instead I seem to be getting a > >> previous "historical" group listing if I reuse the same > >> share names or directory names. > >> > >> Two more things: > >> > >> After all of this clicking and changing, I do not get the > >> '+' on the directory permissions. It still reads as a > >> basic 0770. It seems having this in the share is critical > >> to normal behavior. At least once that appeared on my > >> other server - those shares started exhibiting normal > >> behavior. > >> > >> Second, I've discovered that if I add the "Everyone" group > >> to the "Share Permissions" then suddenly I can modify > >> the Security tab. If I remove the "Everyone group" then > >> it eventually reverts to giving me the following error: > > > > As I said above, ignore the 'Share' tab, leave 'Everyone' there. > > I go now to update the wiki page (again).I have updated the wiki page.> > Just discovered that although I can access "Security" (ie NTFS > Permissions) > I get "Failed to enumerate objects in the containet. Access is denied" > when I attempt to apply the changes. >If you followed document I sent you, it should work, but it looks like you are not following it fully, I never mentioned the 'Share Permissions' tab. Rowland
Possibly Parallel Threads
- Computer Management - Share Security - No Read Access
- Computer Management - Share Security - No Read Access
- Computer Management - Share Security - No Read Access
- Computer Management - Share Security - No Read Access
- Computer Management - Share Security - No Read Access