On 19/10/2022 17:25, Stefan G. Weichinger via samba wrote:
> On 19.10.22 at 14:39, Rowland Penny via samba wrote:
>>
>>
>> On 17/10/2022 16:52, Stefan G. Weichinger via samba wrote:
>>>
>>> Trying to edit the permissions of samba-4.5.x from a Windows server
>>> management console.
>>
>> Samba 4.5.x ???
>>
>>>
>>> Getting "no access" as domain admin.
>>>
>>> Does that relate to that security policy issue back then (accessing
>>> the shares also doesn't work)?
>>>
>>> I need to deny a specific AD user group access to samba-shares and as
>>> far as I know editing the ACLs and/or share permissions from Windows
>>> is the recommended way.
>>>
>>> Any recommendations here?
>>
>> If it is 4.5.x, I think you know what is coming, upgrade Samba, your
>> version is ancient.
>
> Oh, I am sorry, no .. I don't know how that could happen.
>
> I thought 4.16.5, wanted to write 4.16.x to avoid the minor release and
> failed completely.

Don't worry, I do similar things all the time, I know what I want to type, but it doesn't always get through to my fingers, I think it is called old age ;-)

>
> 4.16.4 it is ...

In which case it should work, so let's start with the smb.conf and the permissions set on the shares path.

Rowland
Stefan G. Weichinger
2022-Oct-20 08:28 UTC
[Samba] editing samba-share ACLs etc from Windows
On 19.10.22 at 19:07, Rowland Penny via samba wrote:
>
>
> On 19/10/2022 17:25, Stefan G. Weichinger via samba wrote:
>> I thought 4.16.5, wanted to write 4.16.x to avoid the minor release
>> and failed completely.
>
> Don't worry, I do similar things all the time, I know what I want to
> type, but it doesn't always get through to my fingers, I think it is
> called old age ;-)

Ah, that could be, yes ;-)

> In which case it should work, so let's start with the smb.conf and the
> permissions set on the shares path.

This is a smb.conf the list has seen several times already ;-)

Debian 11.5, btw

I quote the conf, and only the main share for a first view. And I edit the realm etc.

This is a grown config over years, so there are many commented lines in there already.

->

# cat /etc/samba/smb.conf
# This file is managed remotely, all changes will be lost
[global]
    workgroup = BUERO
    realm = MYDOM.AT
    netbios name = SERVER
    security = ADS
    map to guest = Bad User
    username map = /etc/samba/smbusers
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    #winbind enum users = Yes
    #winbind enum groups = Yes
    winbind use default domain = yes
    winbind offline logon = yes

    # Use settings from AD for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /mnt/samba/Daten/%U

    # obsolete with 4.8.x
    #map untrusted to domain = Yes
    #winbind trusted domains only = no

    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain BUERO
    idmap config BUERO:backend = rid
    idmap config BUERO:range = 10000-99999

    load printers = no
    printing = bsd
    printcap name = /dev/null

    # turn off roaming profiles
    logon path = ""
    logon home = ""

    hosts allow = localhost 192.168.16. 172.32.99.

    log level = 1
    log file = /var/log/samba/%m.log
    max log size = 150000

    # server min protocol = SMB2
    # server max protocol = SMB2
    #strict sync = yes

    # ACLs
    store dos attributes = Yes
    map acl inherit = Yes
    #vfs objects = acl_xattr full_audit
    vfs objects = acl_xattr

    # Audit settings
    full_audit:prefix = %u|%I|%m|%S
    full_audit:failure = connect
    full_audit:success = mkdir rmdir read pread write pwrite rename unlink
    full_audit:facility = local5
    full_audit:priority = notice

    # 2021-dec-30 allow domain admin in
    min domain uid = 0

[homes]
    comment = Home Directory
    guest ok = no
    read only = no
    valid users = %S
    invalid users = root, bin, daemon, adm, sync, shutdown, halt, mailnewsuucp, operator
    browseable = No

[daten]
    comment = Daten
    path = /mnt/samba/
    read only = No
    create mask = 0775
    directory mask = 02775
    force directory mode = 0775
    #wide links = yes
    #veto oplock files = /*.DAT/*.dat/
    #oplocks = False
    #level2 oplocks = False