Edouard Guigné
2019-Jun-21 16:41 UTC
[Samba] Samba winbind on centos 7 - "domain users" acls added
hello,

My 2nd issue is about acls which are added by "Domain users".
May you help me to solve it again?

Concerning this issue, on my samba share, I set permissions for the share "groups" located on /var/datashared for "domain admins" (rwx) and "domain users" (r-x):

    /var]# getfacl datashared/
    # file: datashared/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    group:MYDOMAIN\134admins\040du\040domaine:rwx
    group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:group::r-x
    default:group:MYDOMAIN\134admins\040du\040domaine:rwx
    default:mask::rwx
    default:other::---

    + # chmod 0770 /var/datashared/

As you can see, acls for "Domain users" are not in default acls.

I create a TESTIT folder (on /var/datashared); the owner of it is user "MYDOMAIN\mydomainadmin". "mydomainadmin" is part of the "domain admins" group.

    # getfacl TESTIT/
    # file: TESTIT/
    # owner: MYDOMAIN\mydomainadmin
    # group: MYDOMAIN\134admins\040du\040domaine
    user::rwx
    group::r-x
    group:MYDOMAIN\134admins\040du\040domaine:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::r-x
    default:group:MYDOMAIN\134admins\040du\040domaine:rwx
    default:mask::rwx
    default:other::---

I connect as mydomainadmin on Windows 7, and start to change acls: I remove "everybody" and I add group "informatique" with "total control" to the security tab of TESTIT.

On linux, it shows:

    # getfacl TESTIT/
    # file: TESTIT/
    # owner: MYDOMAIN\mydomainadmin
    # group: MYDOMAIN\134admins\040du\040domaine
    user::rwx
    user:MYDOMAIN\mydomainadmin:rwx
    group::rwx
    group:MYDOMAIN\134admins\040du\040domaine:rwx
    group:MYDOMAIN\134informatique:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:MYDOMAIN\mydomainadmin:rwx
    default:group::r-x
    default:group:MYDOMAIN\134admins\040du\040domaine:rwx
    default:group:MYDOMAIN\134informatique:rwx
    default:mask::rwx
    default:other::---

Now, I logon in windows 7 as usertest (primary group is "Domain users" and is part of the group "informatique"). I create a folder TEST in TESTIT. I get these acls on the TEST folder:

    # getfacl TEST/
    # file: TEST/
    # owner: MYDOMAIN\usertest
    # group: MYDOMAIN\134utilisateurs\040du\040domaine
    user::rwx
    user:MYDOMAIN\usertest:rwx
    group::r-x
    group:MYDOMAIN\134admins\040du\040domaine:rwx
    group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
    group:MYDOMAIN\134informatique:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:MYDOMAIN\usertest:rwx
    default:group::r-x
    default:group:MYDOMAIN\134admins\040du\040domaine:rwx
    default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
    default:group:MYDOMAIN\134informatique:rwx
    default:mask::rwx
    default:other::---

Why are "group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" and "default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" added?
I was expecting not to get these acls concerning "domain users", because the folder TESTIT has no default "Domain users" acls. Don't want them...
Is there a way to change this behaviour?

Edouard
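The drift between TESTIT's default ACL and the ACL that TEST actually received can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from Samba; its sample input is constructed from the getfacl output above, with every qualifier written in getfacl's escaped form. On that input it reports the two "Domain users" entries asked about, plus the parent's default:user:mydomainadmin entry that did not reach the child, and it can be pointed at any parent/child pair on a share to audit what Windows-side inheritance actually wrote.

```python
import re

# Constructed from the getfacl output quoted above (getfacl escapes the
# qualifier names: \134 = backslash, \040 = space).
PARENT_TESTIT = """\
default:user::rwx
default:user:MYDOMAIN\\134mydomainadmin:rwx
default:group::r-x
default:group:MYDOMAIN\\134admins\\040du\\040domaine:rwx
default:group:MYDOMAIN\\134informatique:rwx
default:mask::rwx
default:other::---
"""
CHILD_TEST = """\
user::rwx
user:MYDOMAIN\\134usertest:rwx
group::r-x
group:MYDOMAIN\\134admins\\040du\\040domaine:rwx
group:MYDOMAIN\\134utilisateurs\\040du\\040domaine:r-x
group:MYDOMAIN\\134informatique:rwx
mask::rwx
other::---
"""

def unescape(name):
    """Decode getfacl's \\NNN octal escapes back into real characters."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_acl(text, want_default):
    """Return {(tag, qualifier): perms} for the access or the default: entries."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("default:") != want_default:
            continue
        tag, qual, perms = line.removeprefix("default:").rsplit(":", 2)
        acl[(tag, unescape(qual))] = perms
    return acl

def inheritance_drift(parent_getfacl, child_getfacl):
    """Return (unexpected, missing): child access entries with no matching
    parent default entry, and parent default entries that did not reach the
    child. The mask is skipped because it is recomputed on every ACL write."""
    expected = parse_acl(parent_getfacl, want_default=True)
    actual = parse_acl(child_getfacl, want_default=False)
    unexpected = sorted(k + (v,) for k, v in actual.items()
                        if k[0] != "mask" and k not in expected)
    missing = sorted(k + (v,) for k, v in expected.items()
                     if k[0] != "mask" and k not in actual)
    return unexpected, missing
```

Note that the two flagged entries carry exactly the permissions of the parent's unnamed default:user:: (rwx) and default:group:: (r-x) entries, applied to the creating user and to that user's primary group, which is the relationship worth keeping in mind when deciding what the unnamed default entries on a share root should be.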
Rowland penny
2019-Jun-21 16:46 UTC
[Samba] Samba winbind on centos 7 - "domain users" acls added
On 21/06/2019 17:41, Edouard Guigné via samba wrote:
> [...]

Are you following this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
Edouard Guigné
2019-Jun-21 18:13 UTC
[Samba] Samba winbind on centos 7 - "domain users" acls added
Hello,

I add my domainadminuser to get SeDiskOperatorPrivilege.

    # net rpc rights list privileges SeDiskOperatorPrivilege -U "MYDOMAIN\domainadminuser"
    Enter MYDOMAIN\domainadminuser's password:
    SeDiskOperatorPrivilege:
     BUILTIN\Administrators
     MYDOMAIN\domainadminuser du domaine

But then from Computer Management, I get "connection refused" when I try to change permissions on my share "groups".

I will continue on monday...

Thanks a lot for the help.

On 21/06/2019 at 13:46, Rowland penny via samba wrote:
> On 21/06/2019 17:41, Edouard Guigné via samba wrote:
>> [...]
>
> Are you following this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
Edouard Guigné
2019-Jun-24 12:49 UTC
[Samba] Samba winbind on centos 7 - "domain users" acls added
Hello,

All is working fine now, even the connection via "Computer Management". I could set permissions with it.
I remove all access to the "everybody" group on my share, and add access for "Domain admins" and "Domain users"...

One last thing that I notice is that anonymous connections are possible (without login/password, with a "net use S: \\myssambaserver\myshare").
But then, nothing is possible of course, because no permissions to "everybody" are set on the share.

How to disable anonymous connections? I would only enable share access for users with userlogin / password.

Edouard

On 21/06/2019 at 13:46, Rowland penny via samba wrote:
> On 21/06/2019 17:41, Edouard Guigné via samba wrote:
>> [...]
>
> Are you following this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland