L.P.H. van Belle
2019-Jul-04 14:28 UTC
[Samba] cannot set filesystem permissions on shares
> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland penny via samba > Verzonden: donderdag 4 juli 2019 16:05....> > > Here it is in big letters: > > DO NOT TOUCH THE 'SHARE' TAB ON WINDOWS, THERE IS NO NEED!That all depends on the setup and if you know that your doing, there is no problem with changing the share rights at all. And since most people dont like, that these shares are setup with everyone/full controle and on the wiki it shows: "domain users" Read "domain admins" Full Its a bit off to say dont touch the share tab... Now if the wiki is right, and if you follow it it works, then yes, i totaly agree, but today its not. By Default this is Everyone/Full (is/was, I dont know current stat of latest windows) i should check, but i just killed my building server. :-( aarrgg.. Only bionic i386 was todo, so i need to fix that first now. And with the bug(s) in samba, that groups and (nested groups) are not well read through winbind, ( i believe fixed now ), that is/was a problem. Which still might be in 4.9.5 on Debian buster. Thats why i asked him to try this. We know its normaly really not needed to change the share rights, thats correct but, again, it depends on what you want to use and how. Ps. @Rowland, Those caps are really not needed.. ;-) Ps2 in general, a good read : https://blog.netwrix.com/2018/05/03/differences-between-share-and-ntfs-permissions/ That might help people understanding the difference. Greetz, Louis
On 04/07/2019 15:28, L.P.H. van Belle via samba wrote:> > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> Rowland penny via samba >> Verzonden: donderdag 4 juli 2019 16:05 > .... >> Here it is in big letters: >> >> DO NOT TOUCH THE 'SHARE' TAB ON WINDOWS, THERE IS NO NEED! > That all depends on the setup and if you know that your doing, there is no problem with changing the share rights at all. > And since most people dont like, that these shares are setup with everyone/full controle and on the wiki it shows: > "domain users" Read > "domain admins" Full > > Its a bit off to say dont touch the share tab... > Now if the wiki is right, and if you follow it it works, then yes, i totaly agree, but today its not. > > By Default this is Everyone/Full (is/was, I dont know current stat of latest windows) i should check, > but i just killed my building server. :-( aarrgg.. > Only bionic i386 was todo, so i need to fix that first now. > > And with the bug(s) in samba, that groups and (nested groups) are not well read through winbind, ( i believe fixed now ), that is/was a problem. > Which still might be in 4.9.5 on Debian buster. Thats why i asked him to try this. > > We know its normaly really not needed to change the share rights, thats correct but, > again, it depends on what you want to use and how. > > Ps. @Rowland, Those caps are really not needed.. ;-) > > Ps2 in general, a good read : https://blog.netwrix.com/2018/05/03/differences-between-share-and-ntfs-permissions/ > That might help people understanding the difference. > > > > Greetz, > > Louis > > >The thing is that it seems that every time this problem comes up, it comes down to 'everyone' being removed from the 'share' tab. Now I never have this problem, but then I never touch the 'share' tab. From what you saying, if you remove 'everyone' from the share tab, you must replace it with 'domain user', so why bother ? Rowland
L.P.H. van Belle
2019-Jul-04 14:50 UTC
[Samba] cannot set filesystem permissions on shares
> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland penny via samba > Verzonden: donderdag 4 juli 2019 16:38 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] cannot set filesystem permissions on shares > > On 04/07/2019 15:28, L.P.H. van Belle via samba wrote: > > > > > >> -----Oorspronkelijk bericht----- > >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens > >> Rowland penny via samba > >> Verzonden: donderdag 4 juli 2019 16:05 > > .... > >> Here it is in big letters: > >> > >> DO NOT TOUCH THE 'SHARE' TAB ON WINDOWS, THERE IS NO NEED! > > That all depends on the setup and if you know that your > doing, there is no problem with changing the share rights at all. > > And since most people dont like, that these shares are > setup with everyone/full controle and on the wiki it shows: > > "domain users" Read > > "domain admins" Full > > > > Its a bit off to say dont touch the share tab... > > Now if the wiki is right, and if you follow it it works, > then yes, i totaly agree, but today its not. > > > > By Default this is Everyone/Full (is/was, I dont know > current stat of latest windows) i should check, > > but i just killed my building server. :-( aarrgg.. > > Only bionic i386 was todo, so i need to fix that first now. > > > > And with the bug(s) in samba, that groups and (nested > groups) are not well read through winbind, ( i believe fixed > now ), that is/was a problem. > > Which still might be in 4.9.5 on Debian buster. Thats why > i asked him to try this. > > > > We know its normaly really not needed to change the share > rights, thats correct but, > > again, it depends on what you want to use and how. > > > > Ps. @Rowland, Those caps are really not needed.. ;-) > > > > Ps2 in general, a good read : > https://blog.netwrix.com/2018/05/03/differences-between-share- > and-ntfs-permissions/ > > That might help people understanding the difference. > > > > > > > > Greetz, > > > > Louis > > > > > > > The thing is that it seems that every time this problem comes up, it > comes down to 'everyone' being removed from the 'share' tab. > Now I never > have this problem, but then I never touch the 'share' tab. > > From what you saying, if you remove 'everyone' from the > share tab, you > must replace it with 'domain user', so why bother ? > > Rowland >> why bother ?If it hits security i alway think about it. because im obligated todo so. ( due my job ) And .. well, that depends also, some might want to use "authenticated user" and not "domain users" and/or not Everyone for example. I can't just say, "Everyone/FullControl" is fine, no, it really depends on what the standards of the user/company are. Yes, its fine to start with, so you know what your doing and start learning the 2 acls. (share/security)> From what you saying, if you remove 'everyone' from the share tab, you must replace it with 'domain user', so why bother ?No, what i did say to Pisch, was, remove "dom admins and dom user" and add everyone back. Because i think that "older bug" is the problem here. And thats simpley found by useing on the share Everyone/FULL Cont. Greetz, Louis
On 04/07/2019 15:50, L.P.H. van Belle via samba wrote>> The thing is that it seems that every time this problem comes up, it >> comes down to 'everyone' being removed from the 'share' tab. >> Now I never >> have this problem, but then I never touch the 'share' tab. >> >> From what you saying, if you remove 'everyone' from the >> share tab, you >> must replace it with 'domain user', so why bother ? >> >> Rowland >> >> why bother ? > If it hits security i alway think about it. because im obligated todo so. ( due my job )No, I meant, why change it, there isn't (to me) much difference between 'everyone' and the members of 'Domain Users', or am I missing something ?> And .. well, that depends also, some might want to use "authenticated user" and not "domain users" and/or not Everyone for example. > I can't just say, "Everyone/FullControl" is fine, no, it really depends on what the standards of the user/company are. > Yes, its fine to start with, so you know what your doing and start learning the 2 acls. (share/security)From the Samba point of view, I think saying "you shouldn't have to change anything on the share tab" is OK, but perhaps adding a link to further reading on the subject may be a good thing.> >> From what you saying, if you remove 'everyone' from the share tab, you must replace it with 'domain user', so why bother ? > No, what i did say to Pisch, was, remove "dom admins and dom user" and add everyone back. > Because i think that "older bug" is the problem here. > And thats simpley found by useing on the share Everyone/FULL Cont.Understood ;-) Rowland