Pisch Tam?s <pischta at gmail.com> ezt ?rta (id?pont: 2019. j?l. 4., Cs, 13:15):> > >OK, I set up Buster RC3 in a VM > Thanks a lot! > > >I could add 'Domain Admins' to the 'Properties' on the share without any > >problem. > :o > > > Back to Buster machine: > > root at dbrc3:~# ls -lad /home/users > > drwxrwx---+ 2 root SAMDOM\domain_users 4096 Jul 4 11:12 /home/users > > root at dbrc3:~# getfacl /home/users > > getfacl: Removing leading '/' from absolute path names > > # file: home/users > > # owner: root > > # group: SAMDOM\\domain_users > > user::rwx > > user:root:rwx > > user:10512:rwx > > user:10513:rwx > > group::rwx > > group:SAMDOM\\domain_admins:rwx > > group:SAMDOM\\domain_users:rwx > > mask::rwx > > other::--- > > default:user::rwx > > default:user:root:rwx > > default:user:10512:rwx > > default:group::r-x > > default:group:SAMDOM\\domain_admins:rwx > > default:group:SAMDOM\\domain_users:r-x > > default:mask::rwx > > default:other::r-x > > So we can scratch the 'acl' changes. > Ok. > > > you must have the 'acl' package installed to have 'getfacl', but is the > > 'attr' package installed ? > Yes. > getfattr users > # file: users > user.SAMBA_PAIUnbelievable: I remowed every settings from the samba shares, except path and read only in smb.conf. It turned out that I can set the fliesystem permissions of every share, except the users share! I checked the acls and xattrs of the folders. Only the users share had xattr entry. I deleted that setting, but it didn't help. I compared the acls of the other shares with the users share, but no difference. Is there users share related settings in smb.conf that maybe prohibit my access?
On 04/07/2019 13:52, Pisch Tam?s via samba wrote:> Pisch Tam?s <pischta at gmail.com> ezt ?rta (id?pont: 2019. j?l. 4., Cs, 13:15): >>> OK, I set up Buster RC3 in a VM >> Thanks a lot! >> >>> I could add 'Domain Admins' to the 'Properties' on the share without any >>> problem. >> :o >> >>> Back to Buster machine: >>> root at dbrc3:~# ls -lad /home/users >>> drwxrwx---+ 2 root SAMDOM\domain_users 4096 Jul 4 11:12 /home/users >>> root at dbrc3:~# getfacl /home/users >>> getfacl: Removing leading '/' from absolute path names >>> # file: home/users >>> # owner: root >>> # group: SAMDOM\\domain_users >>> user::rwx >>> user:root:rwx >>> user:10512:rwx >>> user:10513:rwx >>> group::rwx >>> group:SAMDOM\\domain_admins:rwx >>> group:SAMDOM\\domain_users:rwx >>> mask::rwx >>> other::--- >>> default:user::rwx >>> default:user:root:rwx >>> default:user:10512:rwx >>> default:group::r-x >>> default:group:SAMDOM\\domain_admins:rwx >>> default:group:SAMDOM\\domain_users:r-x >>> default:mask::rwx >>> default:other::r-x >>> So we can scratch the 'acl' changes. >> Ok. >> >>> you must have the 'acl' package installed to have 'getfacl', but is the >>> 'attr' package installed ? >> Yes. >> getfattr users >> # file: users >> user.SAMBA_PAI > Unbelievable: I remowed every settings from the samba shares, except > path and read only in smb.conf. It turned out that I can set the > fliesystem permissions of every share, except the users share! > I checked the acls and xattrs of the folders. Only the users share had > xattr entry. I deleted that setting, but it didn't help. I compared > the acls of the other shares with the users share, but no difference. > Is there users share related settings in smb.conf that maybe prohibit my access? >Not that I am aware. How are you creating the users share (/home/users/%U) ? Rowland
> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Pisch Tam?s via samba....> > Unbelievable: I remowed every settings from the samba shares, except > path and read only in smb.conf. It turned out that I can set the > fliesystem permissions of every share, except the users share! > I checked the acls and xattrs of the folders. Only the users share had > xattr entry. I deleted that setting, but it didn't help. I compared > the acls of the other shares with the users share, but no difference. > Is there users share related settings in smb.conf that maybe > prohibit my access? > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >No, these are just wrong rights on you file system. A simple test, set /home/users to 777, create a folder from within windows. Use getfacl to check the rights. Now, did you change the "share" security? One of you problems is, at least what could be, due to all the attempts your acl might be messed up. I was a bit buzy, still im but i saw you message on the debian bug list and here, so lets work through this. ( from yesterday. )>> There are 5 things you need to think in. >> 1) The folder rights >I havent used ACLs yet, I just followed Samba docs, and it says, I >shoud set folder rights from Windows, but I cannot.Yes, you used the samba docs, that good. https://wiki.samba.org/index.php/User_Home_Folders>> 2) The share rights >I've set it according to the Samba doc, try this.Remove domain users/change Remove domain admins/Full Add Everyone/Full ( or Authenticated Users/Full ) Just so you can test a bit.. And see which rights are set on created folders. Now even if the share security is set to everyone, as long as you dont set 777 on /home/users your fine here. Minimaal needed is 775, i preffer 771 But you can use this to test, set everything to 777 and see what a new folder gets with getfacl.>> 3) Posix or windows ACL's? ( use Windows ACL's my advice. ) >Yes, that's what I wanted too.Ok, good. And yes, we know we have to update the wiki. Most people do mix these up.>> 4) Dont forget the "Primary Group".No, the primary group, is windows is always ( by default ) Domain users, for every user ( even Administrator ) Where needed, and what i do recommend, if you use your windows users also within linux ( with ssh for example ), then do set the unix_primary group to "domain users". Then after that, use other groups to secure folders and use Creator Owner/Group to allow everyone to change files/folders in the folder. chmod 4770 gives creator owner and creator group> 5) If you use chmod, you must re-apply the windows ACL again onshare/security (file/folder) level. So, chmod resets the permissions. Thanks, good to know it. Best tip, try to learn getfacl setfacl. You can start a setup with chmod, then finish it from within windows. Then next email on the list. Short response on the smb.conf workgroup = A idmap config a : range = 10000-999999 I assume this is a typo, so this is really.. workgroup = A idmap config A : range = 10000-999999 Did you notice the A and a change, i dont know if, conflicts, but a thing i noticed. Then next email on the list.>> >> Run this : getfacl /home/users >> > getfacl: Removing leading '/' from absolute path names >> > # file: home/users >> > # owner: root >> > # group: A\\domain\040admins >> > user::rwx >> > user:root:rwx >> > user:10512:rwx >> > group::rwx >> > group:A\\domain\040admins:rwx >> > mask::rwx >> > other::--- >> > default:user::rwx >> > default:user:root:rwx >> > default:group::rwx >> > default:group:A\\domain\040admins:rwx >> > default:mask::rwx >> > default:other::--- >> >> Hmm, have you done something like running 'setfacl' on the directory ? >No.That most probley, happend after you changes a right from within windows. Check who user 10512 is and you know for sure. I suspect Adminstrator or Admin, if its Administrator ,then, the one should not have a UID. Next e-mail As concluded there is no problem with acl packages between buster and stretch. Next e-mail Now, last, if you want to run buster, thats fine, i do still recommend stretch untill buster is release. You can run stretch with 4.9.5 ( backported from buster ) or 4.9.11 ( out today, max few hours ). Or 4.10.5 Thats a bit up 2 you. And, as suggested, yes, i also recommend a higher samba version then the official debians. This is mainly because, a bit of debian policy, and the fast development of Samba. Debian is low on maintainers and im not ready yet to to also join the debian packagers. Thats why Rowland (and I) say, you could use higher samba package. ( my packages ). Rowland, send him the mkhomedir script, i dont believe this server is in production yet, so it a really good one to test it on. IF Pisch want to.. Greetz, Louis
On 04/07/2019 14:32, L. van Belle via samba wrote:> > > > No, these are just wrong rights on you file system. > > A simple test, set /home/users to 777, create a folder from within windows. > Use getfacl to check the rights. > > Now, did you change the "share" security? > > One of you problems is, at least what could be, due to all the attempts your > acl might be messed up. > > I was a bit buzy, still im but i saw you message on the debian bug list and > here, so lets work through this. >What message on the debian bug list ???? Rowland
L.P.H. van Belle
2019-Jul-04 13:40 UTC
[Samba] cannot set filesystem permissions on shares
Hai, Old bug, as in old samba (bugzilla) bug. samba-tool user create test pwd --surname Vezet?kn?v --givenname Keresztn?v I get the following error message: ERROR(<type 'exceptions.UnicodeDecodeError'>): Failed to add user 'teszttanar3': - 'ascii' codec can't decode byte 0xc3 in position 16: ordinal not in range(128) I tried to find it in bugzilla, but not yet found, then we can pass this to Debian. But this was, i believe a pretty big change due to python3. And, as far i can tell, i dont see it in my packages, so i know its fixed. It looks like : https://bugzilla.samba.org/show_bug.cgi?id=13616 Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland penny via samba > Verzonden: donderdag 4 juli 2019 15:36 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] cannot set filesystem permissions on shares > > On 04/07/2019 14:32, L. van Belle via samba wrote: > > > > > > > > No, these are just wrong rights on you file system. > > > > A simple test, set /home/users to 777, create a folder from > within windows. > > Use getfacl to check the rights. > > > > Now, did you change the "share" security? > > > > One of you problems is, at least what could be, due to all > the attempts your > > acl might be messed up. > > > > I was a bit buzy, still im but i saw you message on the > debian bug list and > > here, so lets work through this. > > > What message on the debian bug list ???? > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
On 04/07/2019 14:32, L. van Belle via samba wrote:> >> No, these are just wrong rights on you file system. >> >> A simple test, set /home/users to 777, create a folder from within windows. >> Use getfacl to check the rights. >> >> Now, did you change the "share" security?From my knowledge, you do not need to change anything on the 'share' tab> > > Short response on the smb.conf > workgroup = A > idmap config a : range = 10000-999999 > > I assume this is a typo, so this is really.. > workgroup = A > idmap config A : range = 10000-999999 > > Did you notice the A and a change, i dont know if, conflicts, but a thing i > noticed.Don't think the case is a problem, if you run 'testparm', the DOMAIN is shown in lowercase.> > Then next email on the list. >>>>> Run this : getfacl /home/users >>>> getfacl: Removing leading '/' from absolute path names >>>> # file: home/users >>>> # owner: root >>>> # group: A\\domain\040admins >>>> user::rwx >>>> user:root:rwx >>>> user:10512:rwx >>>> group::rwx >>>> group:A\\domain\040admins:rwx >>>> mask::rwx >>>> other::--- >>>> default:user::rwx >>>> default:user:root:rwx >>>> default:group::rwx >>>> default:group:A\\domain\040admins:rwx >>>> default:mask::rwx >>>> default:other::--- >>> Hmm, have you done something like running 'setfacl' on the directory ? >> No. > That most probley, happend after you changes a right from within windows. > Check who user 10512 is and you know for sure. > I suspect Adminstrator or Admin, if its Administrator ,then, the one should > not have a UID.It is Domain Admins.> Rowland, send him the mkhomedir script, i dont believe this server is in > production yet, so it a really good one to test it on. > IF Pisch want to..If he wants it, he can have it with pleasure. Rowland
Thanks Louis for the detailed answer. Tomorrow I will go through on it, but now I just want to write about one progress. Before I read your answer, I created a test share, I thought I will set it up as it would be the users share, and then I copy the acls to the users share, but it turned out that as I set the share permissions (write access to domain users, and full access to domain admins), I lost the ability to read the filesystem permissions. When I tried to give full access to the Administrator, it didn't help. Only helped that, when I give back the access to everyone for the share...
On 04/07/2019 14:56, Pisch Tam?s via samba wrote:> Thanks Louis for the detailed answer. Tomorrow I will go through on > it, but now I just want to write about one progress. Before I read > your answer, I created a test share, I thought I will set it up as it > would be the users share, and then I copy the acls to the users share, > but it turned out that as I set the share permissions (write access to > domain users, and full access to domain admins), I lost the ability to > read the filesystem permissions. When I tried to give full access to > the Administrator, it didn't help. Only helped that, when I give back > the access to everyone for the share... >Here it is in big letters: DO NOT TOUCH THE 'SHARE' TAB ON WINDOWS, THERE IS NO NEED! Rowland
L.P.H. van Belle
2019-Jul-04 14:28 UTC
[Samba] cannot set filesystem permissions on shares
> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland penny via samba > Verzonden: donderdag 4 juli 2019 16:05....> > > Here it is in big letters: > > DO NOT TOUCH THE 'SHARE' TAB ON WINDOWS, THERE IS NO NEED!That all depends on the setup and if you know that your doing, there is no problem with changing the share rights at all. And since most people dont like, that these shares are setup with everyone/full controle and on the wiki it shows: "domain users" Read "domain admins" Full Its a bit off to say dont touch the share tab... Now if the wiki is right, and if you follow it it works, then yes, i totaly agree, but today its not. By Default this is Everyone/Full (is/was, I dont know current stat of latest windows) i should check, but i just killed my building server. :-( aarrgg.. Only bionic i386 was todo, so i need to fix that first now. And with the bug(s) in samba, that groups and (nested groups) are not well read through winbind, ( i believe fixed now ), that is/was a problem. Which still might be in 4.9.5 on Debian buster. Thats why i asked him to try this. We know its normaly really not needed to change the share rights, thats correct but, again, it depends on what you want to use and how. Ps. @Rowland, Those caps are really not needed.. ;-) Ps2 in general, a good read : https://blog.netwrix.com/2018/05/03/differences-between-share-and-ntfs-permissions/ That might help people understanding the difference. Greetz, Louis
Firstly, Louis, and Rowland, thanks for your answers.> Yes, you used the samba docs, that good. > https://wiki.samba.org/index.php/User_Home_FoldersIt turned out, no :( I followed it, and it caused me some days to find out why I cannot set acls. Sorry Rowland for the lot of works for me, but I just followed the wiki.> Ps2 in general, a good read : https://blog.netwrix.com/2018/05/03/differences-between-share-and-ntfs-permissions/Thanks, I will read it today. @Louis do you have Samba repo for Debian 10? I hope Debian 10 will be stable soon, and I don't want to upgrade 4 servers in production, if I can avoid it. I have to move the test environment to production in august. @Rowland: I thank you, if you send me your mkhomedir script.
L.P.H. van Belle
2019-Jul-05 09:02 UTC
[Samba] cannot set filesystem permissions on shares
Hai Pisch, Yes, there is an repo for Debian Buster. I have not published it yet but if you want you can use it set up test environment. As it says on the apt.van-belle.nl site. ;-) ... Debian (10) Buster: Per 28-June 2018 in buster-experimental repo, when released to the public it will be this repo. Samba 4.10 is repo name : buster-samba410, current package list is empty You can test the debian buster samba 4.10.5 packages (amd64 only). These are still experimental and should not yet be used in production but you can test them out. You can find them link below in the experimental section, repo set for this below. These are marked as experimental because buster is not release. Things can change a bit so use with care. These packages have/are the same as the Debian Stretch 4.10 packages, use these for a production setup. ----------- THE REPO SETUP --------------- 1) Choose http or https for you apt, both work, for https you need to : apt-get install apt-transport-https 2) Import my public key wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add - 3) (optional) setup a header line for the repo file. echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list 4) Debian BUSTER with samba 4.10 EXPERIMENTAL echo "deb http://apt.van-belle.nl/debian buster-experimental main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list 4) Debian STRETCH with samba 4.10 PRODUCTION echo "deb http://apt.van-belle.nl/debian stretch-samba410 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Pisch Tam?s via samba > Verzonden: vrijdag 5 juli 2019 9:31 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] cannot set filesystem permissions on shares > > Firstly, Louis, and Rowland, thanks for your answers. > > > Yes, you used the samba docs, that good. > > https://wiki.samba.org/index.php/User_Home_Folders > It turned out, no :( I followed it, and it caused me some days to find > out why I cannot set acls. Sorry Rowland for the lot of works for me, > but I just followed the wiki. > > > Ps2 in general, a good read : > https://blog.netwrix.com/2018/05/03/differences-between-share- > and-ntfs-permissions/ > Thanks, I will read it today. > > @Louis do you have Samba repo for Debian 10? I hope Debian 10 will be > stable soon, and I don't want to upgrade 4 servers in production, if I > can avoid it. I have to move the test environment to production in > august. > > @Rowland: I thank you, if you send me your mkhomedir script. > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Possibly Parallel Threads
- cannot set filesystem permissions on shares
- cannot set filesystem permissions on shares
- Upgrading from Debian Stretch to Buster, Van Belle package
- Upgrading from Debian Stretch to Buster, Van Belle package
- Debian Stretch Samba 4.9.11 ( updated) and 4.10.6 (new) amd64/i386 Available now.