@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
In my quest to move to a Linux Samba share based on groups, I used Obsolece's Samba with MS A/D instructions to create my test server, but am still having issues with using nested A/D groups.
I stuck to the instructions in the link except for entering in my own Domain info and shared folder information.
Over the last few days, I have done a bunch of reading and google searches plus help from https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, I am still SOL.
I am trying to configure a share called /data/fax with the following permission:
NTFS Permissions on linuxfax\FAX share:
Share Permissions = Everyone FULL
ACL_FAX_Create - ONLY Create Folders / append data,
Applies to: This folder only.
ACL_FAX_List - Traverse folder, List folder, Read
Applies to: This folder only.
ACL_FAX_Full - Full Control
Applies to: "This folder, subfolders and files."
CREATOR OWNER: Full Control
Applies to: "Subfolders and files only."
Users in ACL_FAX_Full group are fine but can get in all folders (bad)
User in just FaxUser Group (Contains ACL_FAX_Create and ..List groups) cannot add a folder in /data/fax/ for themselves.
id
[email protected] - shows all groups/nested groups
I had to make a small change the smb.conf file.
Added:
[global]
vfs objects = acl_xattr
[fax]
valid users = @"
[email protected]"
I am not familiar with SElinux so I don't know if that contributes to my situation.
P.S. I don't know if I should have used the code box or not as I was just trying to single out specific items. I will take the beating if necessary
I found it easier to not use xattr on the Linux file system, and control access via the smb.conf file. I commented out the vfs objects = acl_attr line, and removed the ACLs from the Linux permissions on the directories.
I noticed that. Couldn't figure out why but I am beginning to understand much better based on comments here and more reading last night and this morning.
Here's how to get rid of the ACLs on the directories and files:
setfacl -Rbn /path/to/directory
https://mangolassi.it/topic/17242/easy-way-to-remove-extended-security-info-acls-from-multiple-folders-on-linux/4
Then you'll need to fix the Linux permissions:
chmod -R 0770 /path/to/directory
chown -R root:root /path/to/directory
or whatever permissions you need, above just examples.
Don't forget to configure SELinux, Step#3 here: https://www.timothygruber.com/linux/samba-file-server-with-microsoft-ad/#Configure_Services_and_Firewall
