Samba file share and MS A/D NTFS permissions
-
In my quest to move to a Linux Samba share based on groups, I used Obsolece's Samba with MS A/D instructions to create my test server, but am still having issues with using nested A/D groups.
I stuck to the instructions in the link except for entering in my own Domain info and shared folder information.
Over the last few days, I have done a bunch of reading and google searches plus help from https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, I am still SOL.
I am trying to configure a share called /data/fax with the following permission:
NTFS Permissions on linuxfax\FAX share: Share Permissions = Everyone FULL ACL_FAX_Create - ONLY Create Folders / append data, Applies to: This folder only. ACL_FAX_List - Traverse folder, List folder, Read Applies to: This folder only. ACL_FAX_Full - Full Control Applies to: "This folder, subfolders and files." CREATOR OWNER: Full Control Applies to: "Subfolders and files only."Users in ACL_FAX_Full group are fine but can get in all folders (bad)
User in just FaxUser Group (Contains ACL_FAX_Create and ..List groups) cannot add a folder in /data/fax/ for themselves.id [email protected] - shows all groups/nested groups
I had to make a small change the smb.conf file.
Added:
[global] vfs objects = acl_xattr [fax] valid users = @"[email protected]"I am not familiar with SElinux so I don't know if that contributes to my situation.
P.S. I don't know if I should have used the code box or not as I was just trying to single out specific items. I will take the beating if necessary
-
@pmoncho For testing purpose, you can temporary set SELinux to permissive by using this command:
sudo setenforce 0 -
@black3dynamite said in Samba file share and MS A/D NTFS permissions:
@pmoncho For testing purpose, you can temporary set SELinux to permissive by using this command:
sudo setenforce 0Thank but there was no change. It potentially rules out SELinux.
Maybe I am stretching what Samba can do.
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
In my quest to move to a Linux Samba share based on groups, I used Obsolece's Samba with MS A/D instructions to create my test server, but am still having issues with using nested A/D groups.
I stuck to the instructions in the link except for entering in my own Domain info and shared folder information.
Over the last few days, I have done a bunch of reading and google searches plus help from https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, I am still SOL.
I am trying to configure a share called /data/fax with the following permission:
NTFS Permissions on linuxfax\FAX share: Share Permissions = Everyone FULL ACL_FAX_Create - ONLY Create Folders / append data, Applies to: This folder only. ACL_FAX_List - Traverse folder, List folder, Read Applies to: This folder only. ACL_FAX_Full - Full Control Applies to: "This folder, subfolders and files." CREATOR OWNER: Full Control Applies to: "Subfolders and files only."Users in ACL_FAX_Full group are fine but can get in all folders (bad)
User in just FaxUser Group (Contains ACL_FAX_Create and ..List groups) cannot add a folder in /data/fax/ for themselves.id [email protected] - shows all groups/nested groups
I had to make a small change the smb.conf file.
Added:
[global] vfs objects = acl_xattr [fax] valid users = @"[email protected]"I am not familiar with SElinux so I don't know if that contributes to my situation.
P.S. I don't know if I should have used the code box or not as I was just trying to single out specific items. I will take the beating if necessary
I found it easier to not use xattr on the Linux file system, and control access via the smb.conf file. I commented out the
vfs objects = acl_attrline, and removed the ACLs from the Linux permissions on the directories. -
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@black3dynamite said in Samba file share and MS A/D NTFS permissions:
@pmoncho For testing purpose, you can temporary set SELinux to permissive by using this command:
sudo setenforce 0Thank but there was no change. It potentially rules out SELinux.
Maybe I am stretching what Samba can do.
Samba is an SMB file server. This isn't related to NTFS ACLs which are a filesystem thing. Same as on Windows.
-
@scottalanmiller said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@black3dynamite said in Samba file share and MS A/D NTFS permissions:
@pmoncho For testing purpose, you can temporary set SELinux to permissive by using this command:
sudo setenforce 0Thank but there was no change. It potentially rules out SELinux.
Maybe I am stretching what Samba can do.
Samba is an SMB file server. This isn't related to NTFS ACLs which are a filesystem thing. Same as on Windows.
Good point. Have to work on keeping them separated.
-
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
In my quest to move to a Linux Samba share based on groups, I used Obsolece's Samba with MS A/D instructions to create my test server, but am still having issues with using nested A/D groups.
I stuck to the instructions in the link except for entering in my own Domain info and shared folder information.
Over the last few days, I have done a bunch of reading and google searches plus help from https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, I am still SOL.
I am trying to configure a share called /data/fax with the following permission:
NTFS Permissions on linuxfax\FAX share: Share Permissions = Everyone FULL ACL_FAX_Create - ONLY Create Folders / append data, Applies to: This folder only. ACL_FAX_List - Traverse folder, List folder, Read Applies to: This folder only. ACL_FAX_Full - Full Control Applies to: "This folder, subfolders and files." CREATOR OWNER: Full Control Applies to: "Subfolders and files only."Users in ACL_FAX_Full group are fine but can get in all folders (bad)
User in just FaxUser Group (Contains ACL_FAX_Create and ..List groups) cannot add a folder in /data/fax/ for themselves.id [email protected] - shows all groups/nested groups
I had to make a small change the smb.conf file.
Added:
[global] vfs objects = acl_xattr [fax] valid users = @"[email protected]"I am not familiar with SElinux so I don't know if that contributes to my situation.
P.S. I don't know if I should have used the code box or not as I was just trying to single out specific items. I will take the beating if necessary
I found it easier to not use xattr on the Linux file system, and control access via the smb.conf file. I commented out the
vfs objects = acl_attrline, and removed the ACLs from the Linux permissions on the directories.I noticed that. Couldn't figure out why but I am beginning to understand much better based on comments here and more reading last night and this morning.
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
In my quest to move to a Linux Samba share based on groups, I used Obsolece's Samba with MS A/D instructions to create my test server, but am still having issues with using nested A/D groups.
I stuck to the instructions in the link except for entering in my own Domain info and shared folder information.
Over the last few days, I have done a bunch of reading and google searches plus help from https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, I am still SOL.
I am trying to configure a share called /data/fax with the following permission:
NTFS Permissions on linuxfax\FAX share: Share Permissions = Everyone FULL ACL_FAX_Create - ONLY Create Folders / append data, Applies to: This folder only. ACL_FAX_List - Traverse folder, List folder, Read Applies to: This folder only. ACL_FAX_Full - Full Control Applies to: "This folder, subfolders and files." CREATOR OWNER: Full Control Applies to: "Subfolders and files only."Users in ACL_FAX_Full group are fine but can get in all folders (bad)
User in just FaxUser Group (Contains ACL_FAX_Create and ..List groups) cannot add a folder in /data/fax/ for themselves.id [email protected] - shows all groups/nested groups
I had to make a small change the smb.conf file.
Added:
[global] vfs objects = acl_xattr [fax] valid users = @"[email protected]"I am not familiar with SElinux so I don't know if that contributes to my situation.
P.S. I don't know if I should have used the code box or not as I was just trying to single out specific items. I will take the beating if necessary
I found it easier to not use xattr on the Linux file system, and control access via the smb.conf file. I commented out the
vfs objects = acl_attrline, and removed the ACLs from the Linux permissions on the directories.I noticed that. Couldn't figure out why but I am beginning to understand much better based on comments here and more reading last night and this morning.
Here's how to get rid of the ACLs on the directories and files:
setfacl -Rbn /path/to/directoryThen you'll need to fix the Linux permissions:
chmod -R 0770 /path/to/directory
chown -R root:root /path/to/directoryor whatever permissions you need, above just examples.
Don't forget to configure SELinux, Step#3 here: https://www.timothygruber.com/linux/samba-file-server-with-microsoft-ad/#Configure_Services_and_Firewall
-
Small update:
I was able to get the NTFS perms to work as I wanted.
I kept the vfs objects line in global but add the nt acl support line[global] vfs objects = acl_xattr [fax] nt acl support = yes valid users = @"[email protected]"After setting up Samba, need to add rpc rights to allow Windows Admin to change NTFS perms on share.
net rpc rights list privileges SeDiskOperatorPrivilege -U "Domain\Admin Account"I was then able to change group permissions and all worked out well.
-
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
Small update:
I was able to get the NTFS perms to work as I wanted.
I kept the vfs objects line in global but add the nt acl support line[global] vfs objects = acl_xattr [fax] nt acl support = yes valid users = @"[email protected]"After setting up Samba, need to add rpc rights to allow Windows Admin to change NTFS perms on share.
net rpc rights list privileges SeDiskOperatorPrivilege -U "Domain\Admin Account"I was then able to change group permissions and all worked out well.
That may have been why I had issues with NTFS ACLs. I didn't know about the
nt acl supportline. That may have made it work.Maybe I'll try it on a test share.
-
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
I actually misread what you wrote.
So
@"Domain Users"works, but@"Domain [email protected]"does not work? -
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
Small update:
I was able to get the NTFS perms to work as I wanted.
I kept the vfs objects line in global but add the nt acl support line[global] vfs objects = acl_xattr [fax] nt acl support = yes valid users = @"[email protected]"After setting up Samba, need to add rpc rights to allow Windows Admin to change NTFS perms on share.
net rpc rights list privileges SeDiskOperatorPrivilege -U "Domain\Admin Account"I was then able to change group permissions and all worked out well.
That may have been why I had issues with NTFS ACLs. I didn't know about the
nt acl supportline. That may have made it work.Maybe I'll try it on a test share.
Give it a shot. It works really nice. Don't for get the "net rpc" line. That is what allows you to actually change the perms in windows.
My GPO works out nice also for automatic user folder creation.
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
Side Note - how do you highlight your lines red with red box?
You use the key next to your #1 key, a ` at each end when using it in a sentence.
Or use three in a row a line before and after for a chunk of code.
-
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
I actually misread what you wrote.
So
@"Domain Users"works, but@"Domain [email protected]"does not work?I could not get
@"Domain Users"to work (original smb.conf file) so I stuck to@"Domain [email protected]".The issue as of the 7/6/18 Fedora/Samba/Winbind update is
@"Domain [email protected]"no longer works and I now usevalid users = @"Domain.com\Domain Users" -
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
Side Note - how do you highlight your lines red with red box?
You use the key next to your #1 key, a ` at each end when using it in a sentence.
Or use three in a row a line before and after for a chunk of code.
I figured it out when quoting your last reply. On all my other replies I did not notice the ` in there. Thanks.
-
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
I actually misread what you wrote.
So
@"Domain Users"works, but@"Domain [email protected]"does not work?I could not get
@"Domain Users"to work (original smb.conf file) so I stuck to@"Domain [email protected]".The issue as of the 7/6/18 Fedora/Samba/Winbind update is
@"Domain [email protected]"no longer works and I now usevalid users = @"Domain.com\Domain Users"Hmm, not sure what the problem is because I have one running
4.16.9-300.fc28.x86_64(Fedora 28) that's fully up to date, and it's smb.conf is using the format:valid users = @"domain [email protected]" admin users = @"domain [email protected]"Where "domain admins" is a user or group.
Though, it hasn't been rebooted lately.
-
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
@pmoncho said in Samba file share and MS A/D NTFS permissions:
@obsolesce said in Samba file share and MS A/D NTFS permissions:
A few things have changed recently upon doing a new install as of Friday 7/6.
On 7/6 I started to install Fedora 28 in our production environment only to hit a snag. I could not access the Samba share via name on any machine. Under normal user, \linuxfax\fax would not resolve but \IP Address showed the Fax folder. No access to share. Admin account was the same with the exception of getting "No RPC server found"
Following items no longer worked for me;
chown [email protected]:"domain [email protected]" /share/fax
In smb.conf file - valid users = @"[email protected]"
I had to now use:
chown [email protected]:"Domain.com\domain admins" /share/fax
In smb.conf file - valid users = @"Domain.com\faxuser"
Sounds like something is off because you would use that format for trusted domains, not your domain. For example:
valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"Where the first one is your domain, and the second is a different but trusted domain.
That was the weird part when I kept messing with the "valid users" section.
"valid users = @"Domain Users"" - wouldn't work so I kept to your documentation.
I will change it back and see what happens.
Side Note - how do you highlight your lines red with red box?
I actually misread what you wrote.
So
@"Domain Users"works, but@"Domain [email protected]"does not work?I could not get
@"Domain Users"to work (original smb.conf file) so I stuck to@"Domain [email protected]".The issue as of the 7/6/18 Fedora/Samba/Winbind update is
@"Domain [email protected]"no longer works and I now usevalid users = @"Domain.com\Domain Users"Hmm, not sure what the problem is because I have one running
4.16.9-300.fc28.x86_64(Fedora 28) that's fully up to date, and it's smb.conf is using the format:valid users = @"domain [email protected]" admin users = @"domain [email protected]"Where "domain admins" is a user or group.
Though, it hasn't been rebooted lately.
Hmmm... I'm on
4.17.3-200.fc28.X86_64Would that be a kernel issue or possible Samba or Winbind? That is the part I cannot figure out. Where the change was the issue.
I am about to update my old Fedora 4.16 to newest and see if all still works.
