L.P.H. van Belle
2022-Mar-15 14:38 UTC
[Samba] Setting permissions on AD member file server
This is just a misconfiguration in rights. I'll get some text from Gregory's previous mail. (*>> is me)

>> This should fix it.
>> setfacl -m g:"domain users":rx /abc-zfs-01/ad-shared-folders/

( > greg )
> Do you mean -n/--no-mask [not -m - there is no -m switch]

No, there IS -m (see man setfacl ) -m = modify.

>> getfacl /abc-zfs-01/ad-shared-folders

> (I gave this in the OP, but here it is again. The getfacl of the folder I'm trying to manage permission on - among others)
> # getfacl *
> # file: shared-files
> # owner: AD\\administrator
> # group: AD\\domain\040admins
> user::rwx
> group::rwx
> other::---
>
> The parent has this facl
> # file: ad-shared-folders
> # owner: root
> # group: AD\\domain\040admins
> user::rwx
> group::rwx
> other::---

Now, if I'm user Administrator, what is my "primary group/default group": "Domain Users"
If I'm a random user, what is my "primary group/default group": Exactly, again: "Domain Users"
What's missing in the above. ;-)

You have in my opinion 3 points to fix.

1) setfacl -m g:"domain users":rx /abc-zfs-01/ad-shared-folders/
   That allows "Domain Users" to read and enter that folder and, if inherit is enabled, also sub folders.

2) But nobody can enter /abc-zfs-01. This is also why I really advise something like this:

   /srv/samba/dataShare   (Normal shares here)
   /srv/samba/            ( samba$ as Admin share, you start here basically.) **1
   /srv/

   **1 the "dataShare" is NOT made from linux, it's made from windows, all rights are set from windows.
   If you want to set that from linux, that IS possible, but I suggest you set up one from windows.
   Then use getfacl and samba-tool ntacl get --as-sddl
   I used these to compare what I "see" in windows and what's "set" in linux.

3) [acl_xattr:ignore system acls = yes] you use this only in Users and Profiles or any share that's a windows only share.
   *( yeah, you can use it everywhere, but this is my advice)
   If you add/remove that, you MUST check and set rights again.
So, this is what I have:

getfacl /srv/
# file: /srv/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

getfacl /srv/samba/
# file: /srv/samba/
# owner: root
# group: root
# flags: s--
user::rwx
group::rwx
other::r-x

getfacl /srv/samba/companydataShare1/
# file: /srv/samba/companydataShare1/
# owner: root
# group: root
# flags: -st
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x

Now from this point, /srv/samba/companydataShare1/ is basically \\server\companydataShare1
The subfolders in companydataShare1 are set from windows.
* and I back up all the subfolder rights with getfacl and samba-tool ntacl get --as-sddl
Just because it's handy to have if you need to re-apply all rights.
*(tip see: https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-share-folders.sh )

I hope this helps.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Patrick Goetz via samba
> Sent: Tuesday 15 March 2022 14:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] Setting permissions on AD member file server
>
> On 3/14/22 17:41, Gregory Sloop via samba wrote:
> > I've had a little time to tinker and one thing I've found.
> >
> > Unless I have [acl_xattr:ignore system acls = yes] set, I can't edit permissions at all.
> > (I set it globally, though a share level setting would probably work on a per-share basis.)
>
> There must be another issue here. I have:
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> set in smb.conf and most certainly can edit permissions from Windows,
> although this has also failed in some cases for reasons I haven't been
> able to pinpoint (but am guessing is related to the long path issue).
> > This seems to be a quasi-sideeffect of that setting? - in short that setting overwrites/resets the posix permissions.
> > (Provided I understand discussions I've seen about it.)
> >
> > In this case the share will only be used by Windows users via CIFS/Samba - so this may well "work" just fine and as a happy side-effect, make the problem vanish.
> > But I'd guess it's not really the "correct" fix.
> >
> > To that end, what would be the best way to reset the permissions on the directories/files properly, removing all the Samba ACL's etc? Once they are set as a baseline in POSIX then we can tinker with Samba ACL's with the Windows permissions again. (And remove acl_xattr:ignore system acls = yes)
>
> Adding on to this, I would like to completely reset all the Windows permissions, since the filesystem permissions look good, but resetting permissions on some folders fails from Windows. If Windows 10 File Explorer does not support long paths, then how would someone use this to reset permissions on deeply nested folders anyway? I've determined that after a certain path length the security tab disappears from Properties completely!
>
> > Rowland?
> >
> > (I'm not making any claims about "Administrators" vs "Domain Admins" and permissions in this post. I'm simply trying to deduce what's going on, and talk about a single thing that makes it work differently, perhaps more or less inadvertently.)
> >
> > >> On 12 March 2022 09:22 Rowland Penny wrote:
> > >>> On Fri, 2022-03-11 at 22:48 +0000, spindles seven via samba wrote:
> > >>>> On 11 March 2022 22:26 Rowland Penny wrote:
> > >>>>> I take it you found that out from here:
> > >>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
> > >>>> Yes indeed.
> > >>>>> That is what I was getting at, it used to work. A member of Domain
> > >>>>> Admins logged into Windows could change the permissions on a share,
> > >>>>> provided everything was set up correctly on the Unix domain member.
> > >>>>> I can now only do this with Administrator.
> > >>>>>
> > >>>>> Rowland
> > >>>> works for me (on version 4.15.5), so what's different?
> > >>> I am using 4.15.5 and it doesn't work for me, it used to, but it doesn't any longer.
> > >>>
> > >>> Rowland
> > >> OK, so using a test installation of Debian Bullseye in a VM and Samba 4.15.5, I left the domain and cleaned up the samba database files as per the WiKi. I deleted the existing folders ie /srv/samba and all sub folders. Using that same page in the WiKi (https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member) I joined the domain.
> > >> This is the smb.conf at that stage:
> > >>
> > >> [global]
> > >>         security = ADS
> > >>         workgroup = MICROLYNX
> > >>         realm = MICROLYNX.ORG
> > >>
> > >>         log file = /var/log/samba/%m.log
> > >>         log level = 1
> > >>
> > >>         winbind use default domain = yes
> > >>
> > >>         # Default idmap config used for BUILTIN and local accounts/groups
> > >>         idmap config *:backend = tdb
> > >>         idmap config *:range = 2000-9999
> > >>
> > >>         # idmap config for domain MICROLYNX
> > >>         idmap config MICROLYNX:backend = rid
> > >>         idmap config MICROLYNX:range = 10000-99999
> > >>
> > >>         # next two lines for testing only - comment-out once working ok
> > >>         winbind enum users = yes
> > >>         winbind enum groups = yes
> > >>
> > >>         template shell = /bin/bash
> > >>         template homedir = /srv/samba/users/%U
> > >>
> > >>         vfs objects = acl_xattr
> > >>         map acl inherit = yes
> > >>         username map = /etc/samba/user.map
> > >>
> > >>         # allow administrator to access having been mapped to root (uid 0)
> > >>         min domain uid = 0
> > >> =========
> > >> I then added shares [users] and [test] as follows:
> > >>
> > >> [users]
> > >>         # user homedirs
> > >>         path = /srv/samba/users
> > >>         read only = no
> > >>         acl_xattr:ignore system acls = yes
> > >>
> > >> [test]
> > >>         path = /srv/samba/test
> > >>         read only = no
> > >>
> > >> I set the Unix permissions as follows:
> > >> chown root:"Domain Admins" /srv/samba/users
> > >> chown root:"Domain Admins" /srv/samba/test
> > >> chmod 0770 /srv/samba/users
> > >> chmod 0770 /srv/samba/test
> > >>
> > >> I granted Domain Admins the SeDiskOperatorPrivilege on the test server then attempted to set the permissions from Windows using the WiKi page:
> > >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > >>
> > >> I logged onto Windows 10 using a user who is a member of Domain Admins and was able to set permissions correctly using Computer Management on the [test] share, but not on the [users] share; to allow the permissions to be applied from windows initially, I had to temporarily comment out the "acl_xattr:ignore system acls = yes" line and reload the smb config. Once set, I removed the comment (#) from that line.
> > >>
> > >> On the Users share I set:
> > >> Domain Admins          Full Control    This folder only
> > >> CREATOR OWNER          Full Control    Subfolders and files only
> > >> SYSTEM                 Full Control    This folder, subfolders and files
> > >> Authenticated Users    Special*        This folder only
> > >>
> > >> * Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create folders/append data, Read permissions
> > >>
> > >> The folder looks like this as seen from Linux:
> > >> root at m2test:~# ls -l /srv/samba
> > >> total 16
> > >> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 test
> > >> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 users
> > >> root at m2test:~# getfacl /srv/samba/users
> > >> getfacl: Removing leading '/' from absolute path names
> > >> # file: srv/samba/users
> > >> # owner: root
> > >> # group: domain\040admins
> > >> user::rwx
> > >> user:root:rwx
> > >> user:domain\040admins:rwx
> > >> group::rwx
> > >> group:NT\040Authority\\authenticated\040users:rwx
> > >> group:NT\040Authority\\system:rwx
> > >> group:domain\040admins:rwx
> > >> mask::rwx
> > >> other::---
> > >> default:user::rwx
> > >> default:user:root:rwx
> > >> default:group::---
> > >> default:group:NT\040Authority\\system:rwx
> > >> default:group:domain\040admins:---
> > >> default:mask::rwx
> > >> default:other::---
> > >>
> > >> So following the WiKi as close as possible, I am able to set permissions using a Domain Admins account, not sure why your system is preventing you?
> > >>
> > >> Thanks for your invaluable help as always.
> > >>
> > >> Roy
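As an added illustration (not code from anyone in this thread), the check Louis walks through above done in Python: parse getfacl output and report every directory on the share path where a group lacks read and enter rights, before and after the suggested setfacl -m. The two ACL samples are constructed from the output quoted in the thread; the "after" block is what setfacl would be expected to leave behind, assumed here rather than captured, the group is assumed to appear in the domain-qualified form (AD\domain users) that the quoted owner group uses, and masking follows the POSIX ACL rule that a mask entry limits named entries and the owning group.

```python
# Check from getfacl output that a group can read and enter each directory on a share path.
# Both ACL blocks are constructed to mirror the ones quoted in the thread.
BEFORE = r"""# file: abc-zfs-01/ad-shared-folders
# owner: root
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---

# file: abc-zfs-01/ad-shared-folders/shared-files
# owner: AD\\administrator
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---
"""
# Same directories after setfacl -m g:"AD\domain users":rx on each (setfacl adds a mask too).
AFTER = BEFORE.replace("group::rwx\n",
                       "group::rwx\ngroup:AD\\\\domain\\040users:r-x\nmask::rwx\n")
def unescape(name):
    # getfacl writes a space as \040 and a backslash as \\ inside names
    return name.replace(r"\040", " ").replace("\\\\", "\\")
def parse_getfacl(text):
    """Map each '# file:' path to its owning group and (tag, qualifier, perms) entries."""
    acls, path = {}, None
    for block in text.strip().split("\n\n"):
        info = {"group": None, "entries": []}
        for line in block.splitlines():
            if line.startswith("# file: "):
                path = "/" + line[8:]
            elif line.startswith("# group: "):
                info["group"] = unescape(line[9:])
            elif not line.startswith("#"):
                tag, qual, perms = line.rsplit(":", 2)
                info["entries"].append((tag, unescape(qual), perms))
        acls[path] = info
    return acls
def effective_group_perms(acl, group):
    """Rights of `group` in the access ACL after the mask; None if it has no entry at all."""
    mask, perms = "rwx", None
    for tag, qual, p in acl["entries"]:
        if tag == "group" and (qual == group or (qual == "" and acl["group"] == group)):
            perms = p  # a named entry, or the owning group's group:: entry
        elif tag == "mask":
            mask = p
    return None if perms is None else "".join(c if c in mask else "-" for c in perms)
def missing_traverse(acls, group):
    """Directories where `group` lacks read (r) or enter (x); empty dict means the path is open."""
    lack = lambda acl: "".join(c for c in "rx" if c not in (effective_group_perms(acl, group) or "---"))
    return {path: lack(acl) for path, acl in acls.items() if lack(acl)}
```

Feeding it real output means running getfacl on each directory from the share root down and concatenating the blocks; the check only covers the access ACL, so default (inherited) entries still need a separate look.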
Greg Sloop <gregs@sloop.net>
2022-Mar-15 16:27 UTC
[Samba] Setting permissions on AD member file server
> ( > greg )
> > Do you mean -n/--no-mask [not -m - there is no -m switch]
>
> No, there IS -m (see man setfacl ) -m = modify.

Well, yes and no.

setfacl -m g:"domain users":rx /abc-zfs-01/ad-shared-folders/shared-files
setfacl: Option -m: Invalid argument near character 3

You're right, there is a -m (it's further down in the man file, and I didn't see it) but the syntax of that command is wrong. And when I did not see the -m in the "options" section I assumed the -m was a typo.

I'll see what it's complaining about and if I can fix it. Since I'm not entirely sure what you're intending to do, I am not sure I'll get it right - and I know nothing of substance about setfacl.