Access denied to change share security staff


Samba - General mailing list
Hello all;
I have a problem with shares in a domain member used as a file server (I want to use it like that).
I checked some tests from the Samba wiki that you suggest and all of them passed well. I tried to make a new share using POSIX ACLs and still have no access.
To make the share and apply the permissions and owners:

[root@gtmpve lib]# mkdir -p /compartido/prueba/
[root@gtmpve lib]# chmod 2770 /compartido/prueba/
[root@gtmpve lib]# chown root:"ATGTM00\domain admins" /compartido/prueba/

My smb.conf looks like this:

[root@gtmpve lib]# cat /etc/samba/smb.conf
[global]
netbios name = gtmpve
security = ADS
workgroup = ATGTM00
realm = GTM.ONAT.GOB.CU

log file = /var/log/samba/%m.log
log level = 10

idmap config *:backend = tdb
idmap config *:range = 3000-7999

idmap config ATGTM00:backend = rid
idmap config ATGTM00:range = 10000-999999

winbind nss info = template
winbind enum groups = yes
winbind enum users = yes

template shell = /bin/bash
template homedir = /home/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
create mask = 0666
directory mask = 0777
dos filemode = yes
acl allow execute always = yes

guest account = nobody
map to guest = Bad User

server string = Servidor de archivos #2
server role = member server
local master = no
domain master = no
preferred master = no

load printers = no
printcap name = /dev/null
disable spoolss = yes

[prueba]
path = /compartido/prueba/
read only = no
valid users = +ATGTM00\"Domain Users"

The /etc/krb5.conf is like this:

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = GTM.ONAT.GOB.CU

These are some of the tests and results:

[root@gtmpve lib]# getent passwd 'ATGTM00\rommel'
ATGTM00\rommel:*:11144:10513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash

[root@gtmpve lib]# wbinfo --ping-dc
checking the NETLOGON for domain[ATGTM00] dc connection to "gtmad.gtm.onat.gob.cu" succeeded

[root@gtmpve lib]# getent hosts gtmpve
192.168.41.16 gtmpve.gtm.onat.gob.cu gtmpve

Rommel Rodriguez Toirac
[hidden email]
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Access denied to change share security staff

Samba - General mailing list

 Reading the messages from the list with subject "Dir ACL through windows and chmod", I ran the commands that Rowland says and these are the results:

[root@gtmpve /]# getfacl /compartido/prueba
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: compartido/prueba
# owner: root
# group: ATGTM00\134domain\040admins
# flags: -s-
user::rwx
group::rwx
other::---

[root@gtmpve /]# ls -lad /compartido/prueba
drwxrws---. 2 root ATGTM00\domain admins 6 abr 10 11:01 /compartido/prueba
 
 With getfacl the result is just this short, while on the other Samba4 domain member that I use as a file server (this one works fine), when I run this command for a share this is the result:
 
 [root@gtmdato ~]# getfacl /mnt/samba/salva_usuarios
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: mnt/samba/salva_usuarios
# owner: root
# group: ATGTM00\134domain\040admins
user::rwx
user:root:rwx
user:ATGTM00\134domain\040admins:rwx
group::rwx
group:ATGTM00\134domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:ATGTM00\134domain\040admins:rwx
default:group::rwx
default:group:ATGTM00\134domain\040admins:rwx
default:mask::rwx
default:other::r-x

[root@gtmdato ~]# ls -lad /mnt/samba/salva_usuarios
drwxrwxr-x+ 81 root ATGTM00\domain admins 4096 mar 17 09:57 /mnt/samba/salva_usuarios

 Why this difference? What am I missing?
Rommel Rodriguez Toirac
[hidden email]

Re: Access denied to change share security staff

Samba - General mailing list
On Wed, 12 Apr 2017 15:37:14 -0400
Rommel Rodriguez Toirac via samba <[hidden email]> wrote:


>  Why this difference? What am I missing?

You are missing the fact that you shouldn't mix using Unix permissions
and ACLs, it will not work. Use one or the other, preferably the
latter; in fact, if you use the DC as a fileserver, you MUST use the
latter.

Follow these instructions here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Do not set any Unix permissions on the share dir manually.

Rowland




Re: Access denied to change share security staff

Samba - General mailing list
On 12 April 2017 16:06:00 GMT-04:00, Rowland Penny via samba <[hidden email]> wrote:

>On Wed, 12 Apr 2017 15:37:14 -0400
>Rommel Rodriguez Toirac via samba <[hidden email]> wrote:
>
>
>>  Why this difference? What am I missing?
>
>You are missing the fact that you shouldn't mix using Unix permissions
>and ACLs, it will not work. Use one or the other, preferably the
>latter; in fact, if you use the DC as a fileserver, you MUST use the
>latter.
>
>Follow these instructions here:
>
>https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
>Do not set any Unix permissions on the share dir manually.
>
>Rowland

I followed Setting up a Share Using Windows ACLs from the wiki step by step, but I still get an Access denied when I try to change the permissions of the share or when I try to change the Security ACL.
  As Rowland suggested, I do not change the permissions using Unix; I just create the directory/subdirectory and add the entry in /etc/smb.conf as:

 [compartir]
      path = /test/compartir/
      read only = no

then from RSAT on Windows 7, logged in as Administrator in the domain, I use Computer Management/System Tools/Shared Folders/Shares to try to change the permissions, ACL and Security.

I checked again whether the user Administrator has the SeDiskOperatorPrivilege privilege and it is OK.
 
[root@gtmpve samba]# net rpc rights list privileges -UAdministrator
Enter Administrator's password:
     SeMachineAccountPrivilege  Add machines to domain
     SeTakeOwnershipPrivilege  Take ownership of files or other objects
     SeBackupPrivilege  Back up files and directories
     SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
      SeAddUsersPrivilege  Add users and groups to the domain
      SeDiskOperatorPrivilege  Manage disk shares
      SeSecurityPrivilege  System security

 I see the shared directory from the network, but cannot access it either.
 Is it possible that the problem is related to my having another file server (Samba4 domain member) in the network?
 
 


Rommel Rodriguez Toirac
[hidden email]


Re: Access denied to change share security staff

Samba - General mailing list
On Thu, 13 Apr 2017 09:28:09 -0400
Rommel Rodriguez Toirac via samba <[hidden email]> wrote:

>
> I followed Setting up a Share Using Windows ACLs from the wiki step by
> step, but I still get an Access denied when I try to change the
> permissions of the share or when I try to change the Security ACL. As
> Rowland suggested, I do not change the permissions using Unix; I just
> create the directory/subdirectory and add the entry in /etc/smb.conf as:
>
>  [compartir]
>       path = /test/compartir/
>       read only = no
>

This sounds like a possible firewall or selinux/apparmor getting in the
way problem.

Rowland



Re: Access denied to change share security staff

Samba - General mailing list
On 13 April 2017 9:56:00 GMT-04:00, Rowland Penny via samba <[hidden email]> wrote:

>On Thu, 13 Apr 2017 09:28:09 -0400
>Rommel Rodriguez Toirac via samba <[hidden email]> wrote:
>
>>
>> I followed Setting up a Share Using Windows ACLs from the wiki step by
>> step, but I still get an Access denied when I try to change the
>> permissions of the share or when I try to change the Security ACL. As
>> Rowland suggested, I do not change the permissions using Unix; I just
>> create the directory/subdirectory and add the entry in /etc/smb.conf as:
>>
>>  [compartir]
>>       path = /test/compartir/
>>       read only = no
>>
>
>This sounds like a possible firewall or selinux/apparmor getting in the
>way problem.
>
>Rowland

Thanks Rowland for answering me;
 
 I stopped SELinux and the firewall is not running:

[root@gtmpve selinux]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@gtmpve selinux]# setenforce 0
setenforce: SELinux is disabled

[root@gtmpve /]# systemctl --all |grep iptables
● iptables.service                                                                                                                            not-found inactive dead      iptables.service


 I can change the permissions of the share and I can change and add (or remove) the owners of that share using the Share Permissions tab, but when I try to change something in the Security tab is when the Access denied happens.
 When I open that tab, the users and groups listed are:
 
All
root (Unix User\root)
root (Unix Group\root)
CREATOR OWNER
CREATOR GROUP

All of them just with Special permissions set.

 When I try to add some other user or group, at the moment of Accept or Apply the system says:

 "Error trying to apply the security information to:"
 "\\GTMPVE.GTM.ONAT.GOB.CU\compartir"
 "Access denied"

And then any change happens.


Rommel Rodriguez Toirac
[hidden email]


Re: Access denied to change share security staff

Samba - General mailing list
On Thu, 13 Apr 2017 14:18:16 -0400
Rommel Rodriguez Toirac via samba <[hidden email]> wrote:

>
>  I can change the permissions of the share and I can change and add (or
> remove) the owners of that share using the Share Permissions tab, but
> when I try to change something in the Security tab is when the
> Access denied happens. When I open that tab, the users
> and groups listed are: All root (Unix User\root)
> root (Unix Group\root)
> CREATOR OWNER
> CREATOR GROUP
>
> All of them just with Special permissions set.
>
>  When I try to add some other user or group, at the moment of Accept
> or Apply the system says:
>
>  "Error trying to apply the security information to:"
>  "\\GTMPVE.GTM.ONAT.GOB.CU\compartir"
>  "Access denied"
>
> And then any change happens.
>

If the change occurs, but you get the 'error' message before, then you
can ignore the error, it is being caused by the differences between
Samba AD and windows AD.

If the changes don't work, can you try the following:

Run the 'net rpc rights list privileges' command on the Unix machine
that holds the share, this will confirm that 'Domain Admins' has the
required privilege.

Change the group ownership of the share i.e. from the wiki page:

chgrp 'Domain Admins' /srv/samba/Demo

Now try again from windows.

Rowland
 


Re: Access denied to change share security staff

Samba - General mailing list
On 13 April 2017 15:15:50 GMT-04:00, Rowland Penny <[hidden email]> wrote:

>On Thu, 13 Apr 2017 14:18:16 -0400
>Rommel Rodriguez Toirac via samba <[hidden email]> wrote:
>
>>
>>  I can change the permissions of the share and I can change and add (or
>> remove) the owners of that share using the Share Permissions tab, but
>> when I try to change something in the Security tab is when the
>> Access denied happens. When I open that tab, the users
>> and groups listed are: All root (Unix User\root)
>> root (Unix Group\root)
>> CREATOR OWNER
>> CREATOR GROUP
>>
>> All of them just with Special permissions set.
>>
>>  When I try to add some other user or group, at the moment of Accept
>> or Apply the system says:
>>
>>  "Error trying to apply the security information to:"
>>  "\\GTMPVE.GTM.ONAT.GOB.CU\compartir"
>>  "Access denied"
>>
>> And then any change happens.
>>
>
>If the change occurs, but you get the 'error' message before, then you
>can ignore the error, it is being caused by the differences between
>Samba AD and windows AD.
>
>If the changes don't work, can you try the following:
>
>Run the 'net rpc rights list privileges' command on the Unix machine
>that holds the share, this will confirm that 'Domain Admins' has the
>required privilege.
>
>Change the group ownership of the share i.e. from the wiki page:
>
>chgrp 'Domain Admins' /srv/samba/Demo
>
>Now try again from windows.
>
>Rowland
>


 Thanks Rowland for writing me;
I ran the commands, these are the results:

[root@gtmpve nagios]# net rpc rights list privileges -Uadministrator
Enter administrator's password:
     SeMachineAccountPrivilege  Add machines to domain
     SeTakeOwnershipPrivilege  Take ownership of files or other objects
     SeBackupPrivilege  Back up files and directories
      SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
      SeAddUsersPrivilege  Add users and groups to the domain
      SeDiskOperatorPrivilege  Manage disk shares
      SeSecurityPrivilege  System security


[root@gtmpve nagios]# net rpc rights list accounts -U'ATGTM00\administrator'      
Enter ATGTM00\administrator's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

ATGTM00\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned


 It looks like the Domain Admins do have the 'SeDiskOperatorPrivilege' privilege.
 I changed the group of the share with chgrp and tried from Windows RSAT. I saw the Domain Admins group with Special permissions set; but I cannot change anything in the Security tab. In the Share Permissions tab, yes.

 Now I get this:


[root@gtmpve nagios]# getfacl /test/compartir/
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: test/compartir/
# owner: root
# group: ATGTM00\134domain\040admins
user::rwx
group::r-x
other::r-x

[root@gtmpve nagios]# ls -lda /test/compartir/
drwxr-xr-x. 2 root ATGTM00\domain admins 6 abr 13 08:29 /test/compartir/

 The group ATGTM00\134domain\040admins has no permission to write in this directory. Is that right?

Rommel Rodriguez Toirac
[hidden email]


Re: Access denied to change share security staff

Samba - General mailing list
On Thu, 13 Apr 2017 17:10:16 -0400
Rommel Rodriguez Toirac via samba <[hidden email]> wrote:


>
> [root@gtmpve nagios]# net rpc rights list accounts
> ATGTM00\Domain Admins
> SeDiskOperatorPrivilege
>
>  It looks like the Domain Admins do have the
> 'SeDiskOperatorPrivilege' privilege. I changed the group of the share
> with chgrp and tried from Windows RSAT. I saw the Domain Admins group
> with Special permissions set; but I cannot change anything in the Security tab.
> In the Share Permissions tab, yes.
>
>  Now I get this:
>
>
> [root@gtmpve nagios]# getfacl /test/compartir/
> getfacl: Eliminando '/' inicial en nombres de ruta absolutos
> # file: test/compartir/
> # owner: root
> # group: ATGTM00\134domain\040admins
> user::rwx
> group::r-x
> other::r-x
>
> [root@gtmpve nagios]# ls -lda /test/compartir/
> drwxr-xr-x. 2 root ATGTM00\domain admins 6 abr 13
> 08:29 /test/compartir/
>
>  The group ATGTM00\134domain\040admins has no permission to write
> in this directory. Is that right?

Yes, that is your problem now, try 'chmod 0770 /test/compartir'
This will then give 'root' and members of 'Domain Admin' full control
of the directory, but you should then be able to add other users &
groups from windows.

Rowland
 


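The two checks Rowland asks for in this thread, that 'Domain Admins' holds SeDiskOperatorPrivilege (the 'net rpc rights list accounts' post) and that the share directory's group actually has write access (the 'chmod 0770' post), can be scripted against the command output so the diagnosis does not depend on reading the listings by eye. The following is an added example, not code from the thread or from the Samba project; the sample outputs are constructed from the listings posted above, and the function names, the default group name `ATGTM00\Domain Admins` and the wording of the findings are this example's own assumptions:

```python
"""Offline checks for a Samba share that is meant to be managed with Windows
ACLs (added example, not from the thread or the Samba project). It parses
'net rpc rights list accounts' and 'getfacl' output and reports the
conditions that produced the Access denied in the Security tab."""
import re

# Constructed sample: trimmed 'net rpc rights list accounts' output as posted.
SAMPLE_RIGHTS = """BUILTIN\\Print Operators
No privileges assigned

ATGTM00\\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege
"""

# Constructed sample: getfacl of /test/compartir before the fix (mode 0755).
SAMPLE_GETFACL_BEFORE = """# file: test/compartir/
# owner: root
# group: ATGTM00\\134domain\\040admins
user::rwx
group::r-x
other::r-x
"""

# Constructed sample: the same listing after 'chmod 0770'.
SAMPLE_GETFACL_AFTER = """# file: test/compartir/
# owner: root
# group: ATGTM00\\134domain\\040admins
user::rwx
group::rwx
other::---
"""


def parse_rights_accounts(text):
    """Map each account to its privilege set. Blocks are separated by blank
    lines and the first line of a block is the account name."""
    accounts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            current = None
        elif current is None:
            current = line
            accounts[current] = set()
        elif line != "No privileges assigned":
            accounts[current].add(line)
    return accounts


def unescape_getfacl(name):
    """getfacl prints special characters as 3-digit octal escapes, which is
    why 'ATGTM00\\domain admins' shows up as 'ATGTM00\\134domain\\040admins'."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (owner, group, {entry_tag: perms}) for one getfacl listing;
    'group::rwx' is stored under the tag 'group'."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = unescape_getfacl(line.split(":", 1)[1].strip())
        elif line and not line.startswith("#"):
            tag, perms = line.rsplit(":", 1)
            entries[tag.rstrip(":")] = perms
    return owner, group, entries


def diagnose(rights_text, getfacl_text, admin_group="ATGTM00\\Domain Admins"):
    """Return the findings that would explain an Access denied when editing
    the share's security from Windows; an empty list means both
    prerequisites from the thread are satisfied."""
    findings = []
    rights = parse_rights_accounts(rights_text)
    if "SeDiskOperatorPrivilege" not in rights.get(admin_group, set()):
        findings.append(f"{admin_group} lacks SeDiskOperatorPrivilege")
    owner, group, entries = parse_getfacl(getfacl_text)
    wanted = admin_group.split("\\", 1)[1].lower()  # compare without the domain prefix
    if group is None or group.split("\\", 1)[-1].lower() != wanted:
        findings.append(f"directory group is {group!r}, expected {admin_group!r}")
    if "w" not in entries.get("group", ""):
        findings.append("group has no write access; chmod 0770 the share directory")
    if entries.get("other", "---") != "---":
        findings.append("others have access; chmod 0770 limits the directory to owner and group")
    return findings


if __name__ == "__main__":
    for label, listing in (("before", SAMPLE_GETFACL_BEFORE), ("after", SAMPLE_GETFACL_AFTER)):
        print(label, diagnose(SAMPLE_RIGHTS, listing) or ["ok"])
```

Run as-is it reports the write-access finding for the "before" listing and nothing for the "after" one; on a real member server you would feed it the captured output of the two commands instead of the constructed samples.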

Re: Access denied to change share security staff

Samba - General mailing list
On 14 April 2017 3:21:36 GMT-04:00, Rowland Penny <[hidden email]> wrote:

>On Thu, 13 Apr 2017 17:10:16 -0400
>Rommel Rodriguez Toirac via samba <[hidden email]> wrote:
>
>
>>
>> [root@gtmpve nagios]# net rpc rights list accounts
>> ATGTM00\Domain Admins
>> SeDiskOperatorPrivilege
>>
>>  It looks like the Domain Admins do have the
>> 'SeDiskOperatorPrivilege' privilege. I changed the group of the share
>> with chgrp and tried from Windows RSAT. I saw the Domain Admins group
>> with Special permissions set; but I cannot change anything in the Security tab.
>> In the Share Permissions tab, yes.
>>
>>  Now I get this:
>>
>>
>> [root@gtmpve nagios]# getfacl /test/compartir/
>> getfacl: Eliminando '/' inicial en nombres de ruta absolutos
>> # file: test/compartir/
>> # owner: root
>> # group: ATGTM00\134domain\040admins
>> user::rwx
>> group::r-x
>> other::r-x
>>
>> [root@gtmpve nagios]# ls -lda /test/compartir/
>> drwxr-xr-x. 2 root ATGTM00\domain admins 6 abr 13
>> 08:29 /test/compartir/
>>
>>  The group ATGTM00\134domain\040admins has no permission to write
>> in this directory. Is that right?
>
>Yes, that is your problem now, try 'chmod 0770 /test/compartir'
>This will then give 'root' and members of 'Domain Admin' full control
>of the directory, but you should then be able to add other users &
>groups from windows.
>
>Rowland
>

Thanks Rowland for answering;

This week my job is free from Friday till Sunday. I will write you back on Monday when I get access to the server and try 'chmod 0770 /test/compartir'.

 Why is the result of the 'getfacl' command so short? The result on the other file server is longer; for example, this part is not present in the result from the server with problems:

_____
user:ATGTM00\134domain\040admins:rwx
group::rwx
group:ATGTM00\134domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:ATGTM00\134domain\040admins:rw
default:group::rwx
default:group:ATGTM00\134domain\040admins:rwx
default:mask::rwx
default:other::r-x
---------


Rommel Rodriguez Toirac
[hidden email]


Re: [solved] Access denied to change share security staff

Samba - General mailing list
On 14 April 2017 3:21:36 GMT-04:00, Rowland Penny <[hidden email]> wrote:

>On Thu, 13 Apr 2017 17:10:16 -0400
>Rommel Rodriguez Toirac via samba <[hidden email]> wrote:
>
>
>>
>> [root@gtmpve nagios]# net rpc rights list accounts
>> ATGTM00\Domain Admins
>> SeDiskOperatorPrivilege
>>
>>  It looks like the Domain Admins do have the
>> 'SeDiskOperatorPrivilege' privilege. I changed the group of the share
>> with chgrp and tried from Windows RSAT. I saw the Domain Admins group
>> with Special permissions set; but I cannot change anything in the Security tab.
>> In the Share Permissions tab, yes.
>>
>>  Now I get this:
>>
>>
>> [root@gtmpve nagios]# getfacl /test/compartir/
>> getfacl: Eliminando '/' inicial en nombres de ruta absolutos
>> # file: test/compartir/
>> # owner: root
>> # group: ATGTM00\134domain\040admins
>> user::rwx
>> group::r-x
>> other::r-x
>>
>> [root@gtmpve nagios]# ls -lda /test/compartir/
>> drwxr-xr-x. 2 root ATGTM00\domain admins 6 abr 13
>> 08:29 /test/compartir/
>>
>>  The group ATGTM00\134domain\040admins has no permission to write
>> in this directory. Is that right?
>
>Yes, that is your problem now, try 'chmod 0770 /test/compartir'
>This will then give 'root' and members of 'Domain Admin' full control
>of the directory, but you should then be able to add other users &
>groups from windows.
>
>Rowland
>

 Hello all;
it works fine.
 I changed the mode of the share to '0770' and everything works fine.
 Thank you Rowland, thank you Marc for your help.

Rommel Rodriguez Toirac
[hidden email]