Hai,
If people remove Everyone on the shares then most are missing at least
"Walkthrough" rights (x) on the folder before the share this this
happens.
For example users SYSTEM will get in problems (when and if its used, like at
logon and when group policies are processed"
If i look at this test folder.
drwxrwxrwx 3 root domain admins 4096 Jun 30 08:03 test05
I dont see any "windows" rights...(+)
So what is getfacl telling.
I would like to see:
drwxrwxrwx+ 3 root domain admins 4096 Jun 30 08:03 test05
^^^
Also, When people remove Everyone as the TP showed.
Share Permissions set for Everyone Full Control
Security - Object Name: \\PROTO\test05
Groups or usernames: (none have any Allowed permissions.)
Everyone
root [Unix User\root]
Creator Owner <- these are missing also compaired to the windows setup.
Which is chmod 17xx
Creator Group <-
Which is chmod 377x
Creator Owner + group
Which is chmod 477x
> We have tested with several shares and sequences with the same result.
Yes, and the question also, are xattr and acl installed?
dpkg -l | egrep "xattr|acl"
What i advice, to get a better understanding of the rights. Run this:
for x in 0 1 3 4 5 7
do
install -d /data/samba/test$x-0 -o root -g "domain users" -m
"${x}"770
install -d /data/samba/test$x-1 -o root -g "domain users" -m
"${x}"771
install -d /data/samba/test$x-5 -o root -g "domain users" -m
"${x}"771
install -d /data/samba/test$x-5 -o root -g "domain users" -m
"${x}"775
install -d /data/samba/test$x-7 -o root -g "domain users" -m
"${x}"777
done
Add 2 shares /data/samba in smb.conf
With with acl_xattr:ignore system acl = yes and one without that.
Now after these are created, go lookup all the rights through the security tab.
See the difference in windows.
And do this with a test share, one with everyone full and your adjusted share
setup.
If you adjusting rights, do this only from withing windows or use setfacl
After that all above, only one more thing.
The "Primary Group", remember this is "ALWAYS" "domain
users"
I hope this explains better where these things are going wrong.
Should we see a crash with that security tab, no, but its just due to an
"incorrect" rights setup.
Should it crash, now, but its easy to avoid.
The sample of my folder structure.
/home/samba \\server\samba$ root:domain admins 3751 Only Administrators are
allowed here to create subfolders/adjust acls in the base BEFORE the share
entry.
I use this share to manage/create new basefolders (shares) with user
Adminsitrator. ( like companydata share )
/home/samba/companydata \\server\companydata root:domain admins 3771 ! Only
Administrators are allowed to create subfolders IN the base share.
In /home/samba/companydata/department1 root:domain admins 3770 + the
department group
primary group will use "domain users" for group write control, and
makes sure everyone is allowed to write/override the files.
The "department1" group is for the access security for the folder,
not for file/folder right control.
Shares where you need to install from or needs GPO things, add SYSTEM.
A user/computer policy is applied by the SYSTEM impersonating the real users for
example.
I hope i explained this correctly and understandable.
Just take some time to test this so you can see what fits best with your setup.
Mine dont have to be the correct one for you, but testing it as shown, will help
you in finding yours.
Good luck testing above, i'm 100% sure you will learn from it. ;-)
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Jeremy Allison via samba
> Verzonden: dinsdag 30 juni 2020 19:29
> Aan: Enrico Morelli
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Users, home directories and profiles
>
> On Tue, Jun 30, 2020 at 02:41:46PM +0200, Enrico Morelli via
> samba wrote:
> > On Tue, 30 Jun 2020 11:01:27 +0100
> > Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> > > On 30/06/2020 10:40, Enrico Morelli via samba wrote:
> > > > At the end I'll to abandon samba :-((
> > > > I'm really sad
> > >
> > > One last thought, have you touched the 'share' tab ?
> > >
> > > For instance, have you removed 'Everyone' from it ?
> > >
> > > If so, put it back.
> > >
> > > Rowland
> > >
> > >
> > >
> >
> > Everyone is present. Clicking on the security tab, the window crash.
>
> The window crashing is a Windows bug. Whatever we send it
> shouldn't do that. Do you have a wireshark trace of the
> SMB2 reply that crashes the tab ?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>