Difference between revisions of "Setting up a Share Using Windows ACLs"

(Added categories)
(/* added note)
(15 intermediate revisions by 2 users not shown)
Line 7: Line 7:
 
* NT4 backup domain controllers (BDC)
 
* NT4 backup domain controllers (BDC)
 
* Standalone hosts
 
* Standalone hosts
 
As an alternative to extended ACLs, you can set up shares using POSIX ACLs. For details, see [[Setting_up_a_Share_Using_POSIX_ACLs|Setting up a Share Using POSIX ACLs]].
 
  
  
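Review bot: removing the line "As an alternative to extended ACLs, you can set up shares using POSIX ACLs" drops the page's only cross-reference to the POSIX ACL alternative; keep a one-line pointer to [[Setting_up_a_Share_Using_POSIX_ACLs|Setting up a Share Using POSIX ACLs]] so readers whose file system cannot meet the xattr and extended ACL requirements stated under "File System Support" still find it.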
Line 46: Line 44:
 
If no output is displayed:
 
If no output is displayed:
 
* Samba was built using the <code>--with-acl-support=no</code> parameter.
 
* Samba was built using the <code>--with-acl-support=no</code> parameter.
* The Samba <code>configure</code> script was unable to locate the required libraries for ACL support. For details, see [[Samba_Dependencies_Required_to_Build_Samba|Samba Dependencies Required to Build Samba]].
+
* The Samba <code>configure</code> script was unable to locate the required libraries for ACL support. For details, see [[Package Dependencies Required to Build Samba]].
  
  
Line 58: Line 56:
 
  vfs objects = acl_xattr
 
  vfs objects = acl_xattr
 
  map acl inherit = yes
 
  map acl inherit = yes
 +
# the next line is only required on Samba versions less than 4.9.0
 
  store dos attributes = yes
 
  store dos attributes = yes
  
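Review bot: the added line `# the next line is only required on Samba versions less than 4.9.0` has no leading space, while the surrounding `vfs objects`, `map acl inherit` and `store dos attributes` lines do, so MediaWiki renders it as a numbered-list item instead of as part of the preformatted block; indent it by one space like its neighbours. Once indented it is still a valid smb.conf comment, so it survives copy and paste.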
Line 74: Line 73:
  
 
Only users and groups having the <code>SeDiskOperatorPrivilege</code> privilege granted can configure share permissions.
 
Only users and groups having the <code>SeDiskOperatorPrivilege</code> privilege granted can configure share permissions.
 +
 +
{{Imbox
 +
| type = note
 +
| text = Only users or groups that are known to Unix can be used. This means that if you use the winbind 'ad' backend on Unix domain members, you must add a uidNumber attribute to users, or a gidNumber to groups in AD. 
 +
}}
 +
 +
{{Imbox
 +
| type = note
 +
| text = If you use the winbind 'ad' backend on Unix domain members and you add a gidNumber attribute to the <code>Domain Admins</code> group in AD, you will break the mapping in <code>idmap.ldb</code>. <code>Domain Admins</code> is mapped as <code>ID_TYPE_BOTH</code> in  <code>idmap.ldb</code>, this is to allow the group to own files in <code>Sysvol</code> on a Samba AD DC. It is suggested you create a new group (<code>Unix Admins</code> for instance), give this group a <code>gidNumber</code> attribute and add it to the <code>Administrators</code> group and then use the group wherever you see <code>Domain Admins</code>.
 +
}}
 +
  
 
To grant the privilege to the <code>Domain Admins</code> group, enter:
 
To grant the privilege to the <code>Domain Admins</code> group, enter:
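Review bot: the second note mixes two hosts: the `gidNumber` is added in AD for the benefit of Unix domain members using the winbind 'ad' backend, but the mapping that breaks is in `idmap.ldb` on the Samba AD DC, where `Domain Admins` is `ID_TYPE_BOTH` so it can own files in `Sysvol`. State explicitly that the breakage shows up on the DC, and say which `Administrators` group the replacement group is added to (the `BUILTIN\Administrators` group that the privilege listing below shows already holds `SeDiskOperatorPrivilege`).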
Line 93: Line 103:
 
   BUILTIN\Administrators
 
   BUILTIN\Administrators
 
   SAMDOM\Domain Admins
 
   SAMDOM\Domain Admins
 +
 +
{{Imbox
 +
| type = important
 +
| text = You need to grant the <code>SeDiskOperatorPrivilege</code> privilege on the Samba server that holds the share.
 +
}}
  
  
Line 105: Line 120:
  
 
  # mkdir -p /srv/samba/Demo/
 
  # mkdir -p /srv/samba/Demo/
 +
 +
* To enable accounts other than the domain user <code>Administrator</code> to set permissions on Windows, grant <code>Full control</code> (<code>rwx</code>) to the user or group you granted the <code>SeDiskOperatorPrivilege</code> privilege. For example:
 +
 +
# chown root:"Domain Admins" /srv/samba/Demo/
 +
# chmod 0770 /srv/samba/Demo/
  
 
* Add the <code>[Demo]</code> share definition to your <code>smb.conf</code> file:
 
* Add the <code>[Demo]</code> share definition to your <code>smb.conf</code> file:
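Review bot: the added `# chown root:"Domain Admins" /srv/samba/Demo/` and `# chmod 0770 /srv/samba/Demo/` lines lack the leading space that the `# mkdir -p /srv/samba/Demo/` line has, so MediaWiki renders them as a numbered list rather than as commands in a preformatted block; indent them. The bullet also grants `rwx` to `Domain Admins`, but readers who followed the earlier note and created a replacement group such as `Unix Admins` must substitute that group here; a reminder at this step would help.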
Line 133: Line 153:
 
To set permissions and ACLs on the <code>Demo</code> share:
 
To set permissions and ACLs on the <code>Demo</code> share:
  
* Log on to a Windows host using an account that has the <code>SeDiskOperatorPrivilege</code> privilege granted.
+
* Log on to a Windows host using an account that has the <code>SeDiskOperatorPrivilege</code> privilege granted. e.g. <code>SAMDOM\Administrator</code> or <code>SAMDOM\john</code> where <code>john</code> is a member of <code>Domain Admins</code>.
  
 
* Click <code>Start</code>, enter <code>Computer Management</code>, and start the application.
 
* Click <code>Start</code>, enter <code>Computer Management</code>, and start the application.
Line 144: Line 164:
  
 
:[[Image:Computer_Management_Shares.png]]
 
:[[Image:Computer_Management_Shares.png]]
 +
 +
 +
  
 
* Right-click to the share and select <code>Properties</code>.
 
* Right-click to the share and select <code>Properties</code>.
  
* Select the <code>Share Permissions</code> tab and set the share permissions. For example:
+
* Select the <code>Share Permissions</code> tab and check the share permissions, you need to see <code>Everyone</code>. For example:
:[[Image:Demo_Share_Permissions.png]]
+
:[[Image:share.png]]
 +
 
 +
{{Imbox
 +
| type = note
 +
| text = You should not need to change anything here.
 +
}}
  
: On a Samba share, you can omit the <code>SYSTEM</code> account in the file system ACLs. For details, see [[The SYSTEM Account]].
 
 
: Samba stores share permissions in the <code>/usr/local/samba/var/locks/share_info.tdb</code> database.
 
: Samba stores share permissions in the <code>/usr/local/samba/var/locks/share_info.tdb</code> database.
 +
 +
 +
  
 
* Select the <code>Security</code> tab.
 
* Select the <code>Security</code> tab.
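Review bot: the reworded step says the reader "need[s] to see Everyone" but not why; the added note "You should not need to change anything here" only implies it. State that the share-level permissions kept in `share_info.tdb` are left as they are and that access is restricted through the file system ACLs set on the `Security` tab in the following steps, so nothing needs changing on this tab. Also "Right-click to the share" should read "Right-click the share".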
Line 158: Line 188:
  
 
:[[Image:Demo_Share_Security.png]]
 
:[[Image:Demo_Share_Security.png]]
 +
 +
: For details about using the <code>SYSTEM</code> account on a Samba share see [[The SYSTEM Account]].
  
 
: For details where the ACLs are stored, see [[#File_System_ACLs_in_the_Back_End|File System ACLs in the Back End]].
 
: For details where the ACLs are stored, see [[#File_System_ACLs_in_the_Back_End|File System ACLs in the Back End]].
 +
 +
* Click the <code>Add</code> button.
 +
 +
* Click <code>Advanced</code> button
 +
 +
* Click <code>Find Now</code>
 +
 +
* Select a user or group from the list, <code>Domain Users</code> for instance.
 +
 +
* Click <code>OK</code>
 +
 +
* Click <code>OK</code>
 +
 +
* Select permissions to grant, <code>Full control</code> for instance.
 +
 +
* A windows security box should open, asking if you want to continue, Click <code>Yes</code>
 +
 +
* If you check the list of <code>Group or user names</code>, you should find <code>Domain Users</code> listed
  
 
* Click <code>OK</code> to close the <code>Permissions for Demo</code> window.
 
* Click <code>OK</code> to close the <code>Permissions for Demo</code> window.
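Review bot: the two consecutive `Click OK` steps do not say which dialog each one closes (the first confirms the entry picked after `Find Now`, the second closes the selection dialog and returns to the permissions list); name the dialogs so a reader who lands on a different window notices. "Click Advanced button" and "Click Find Now" are also missing the article and the terminal punctuation used by the other steps, and "A windows security box" should be "A Windows Security dialog".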
Line 187: Line 237:
 
:[[Image:Folder_Permissions.png]]
 
:[[Image:Folder_Permissions.png]]
  
: On a Samba share, you can omit the <code>SYSTEM</code> account in the file system ACLs. For details, see [[The SYSTEM Account]].
+
: For details about using the <code>SYSTEM</code> account on a Samba share see [[The SYSTEM Account]].
  
 
: For details where the ACLs are stored, see [[#File_System_ACLs_in_the_Back_End|File System ACLs in the Back End]].
 
: For details where the ACLs are stored, see [[#File_System_ACLs_in_the_Back_End|File System ACLs in the Back End]].
Line 228: Line 278:
 
  default:other::---
 
  default:other::---
  
* To list the <code>user.SAMBA_PAI</code> extended attribute of the <code>/srv/samba/Demo/</code> directory, enter:
+
* To list the <code>security.NTACL</code> extended attribute of the <code>/srv/samba/Demo/</code> directory, enter:
  
  # getfattr -d /srv/samba/Demo/
+
  # getfattr -n security.NTACL -d /srv/samba/Demo/
 
  # file: srv/samba/Demo/
 
  # file: srv/samba/Demo/
  user.SAMBA_PAI=0sAgScBwAHAAABAAAAAAAAAAAAAAAC/////wABAAAAAAAAAAAAAAABEScAAAABECcAAAABAAAAAAAAAAAAAAAC/////wABAAAAAAAAAAAAAAMBEScAAAMBECcAAA==
+
  security.NTACL=0sBAAEAAAAAgAEAAIAAQC4zK0lHchKFvwXwbPR/h8P8sXMj5dNIT5QQuWsYwO3RAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAEbGxuGu39MBuiZRk2pYxeL5ZWc4au0ikqRAk53MkjVd2b4quyk2WwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJy0AAAA0AAAAAAAAADsAAAAAQUAAAAAAAUVAAAASSVmaZneO8cxOHk/9AEAAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5P0oIAAACAMQABwAAAAALFACpABIAAQEAAAAAAAEAAAAAAAAUAAAAEAABAQAAAAAAAQAAAAAACxQA/wEfAAEBAAAAAAADAAAAAAALFACpABIAAQEAAAAAAAMBAAAAAAMkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT9KCAAAAAAkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT/0AQAAAAMkAL8BEwABBQAAAAAABRUAAABJJWZpmd47xzE4eT8BAgAA
  
 
The previous example of file system ACLs and the extended attribute is mapped to the following Windows ACLs:
 
The previous example of file system ACLs and the extended attribute is mapped to the following Windows ACLs:
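Review bot: the switch from `getfattr -d` to `getfattr -n security.NTACL -d` deserves one sentence of explanation in the text: `getfattr -d` only lists attributes matching its default `-m` pattern `^user\.`, which is why the old output showed `user.SAMBA_PAI` and why `security.NTACL` has to be requested by name with `-n`. With `-n` naming the attribute, the `-d` is redundant and could be dropped to avoid suggesting both are needed.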
Line 250: Line 300:
 
|}
 
|}
  
 +
* To get the ACL in a more readable form, enter:
 +
 +
# samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl
 +
# O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f01ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)
  
  
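Review bot: the `samba-tool ntacl get` example reads `/usr/local/samba/var/locks/sysvol` rather than `/srv/samba/Demo/`, so the SDDL shown (owner `BA`, ACEs for `CO`, `AU`, `SY`, `BA` and `SO`) does not correspond to the Demo ACL table just above, which lists only `Domain Users` and `Domain Admins`; either run it against the Demo directory or say that the output is the sysvol ACL of a DC. The output line is also prefixed with `#`, which this page uses as the root prompt, so the SDDL reads as a second command; and both added lines lack the leading space needed for a preformatted block.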
Line 266: Line 320:
 
----
 
----
 
[[Category:Active Directory]]
 
[[Category:Active Directory]]
 +
[[Category:Domain Members]]
 +
[[Category:File Serving]]
 
[[Category:NT4 Domains]]
 
[[Category:NT4 Domains]]
[[Category:File Serving]]
 

Revision as of 14:35, 14 October 2019

Introduction

Extended access control lists (ACL) enable you to set permissions on shares, files, and directories using Windows ACLs and applications. Samba supports shares using extended ACLs on:

  • Domain members
  • Active Directory (AD) domain controllers (DC)
  • NT4 primary domain controller (PDC)
  • NT4 backup domain controllers (BDC)
  • Standalone hosts



Preparing the Host

You need to set up Samba before you are able to create a share. Depending on what type of Samba server you require, see:


File System Support

The file system on which the share will be created must support:

  • user and system xattr name spaces.
  • extended access control lists (ACL).

For further details, see File system support.


Samba Extended ACL Support

To create a share with extended access control list (ACL) support, the smbd service must have been built with ACL support enabled. A Samba host working as an Active Directory (AD) domain controller (DC) always has extended ACL support enabled.

To verify if Samba has been built with ACL support, enter:

# smbd -b | grep HAVE_LIBACL
   HAVE_LIBACL

If no output is displayed:

  • Samba was built using the --with-acl-support=no parameter.
  • The Samba configure script was unable to locate the required libraries for ACL support. For details, see Package Dependencies Required to Build Samba.



Enable Extended ACL Support in the smb.conf File

To configure shares using extended access control lists (ACL), you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:

vfs objects = acl_xattr
map acl inherit = yes
# the next line is only required on Samba versions less than 4.9.0
store dos attributes = yes

Alternatively, to enable extended ACL support only for a specific share, add the parameters to the share's section.

For further details about the parameters, see the smb.conf(5) man page.
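Added here as an example (not code from the Samba wiki or the Samba project): a small Python check of the effective smb.conf settings for a share, run over a constructed smb.conf. It folds in two points the paragraphs above leave implicit: a share-level vfs objects line replaces the global list instead of extending it, so a share that adds its own VFS modules silently loses acl_xattr, and store dos attributes only has to be set explicitly on Samba versions below 4.9.0.

```python
import configparser

# Constructed smb.conf for this example: [global] enables extended ACLs, [Demo] inherits that,
# and [Legacy] sets its own "vfs objects" line, which replaces the global list and drops acl_xattr.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SAMDOM
    vfs objects = acl_xattr
    map acl inherit = yes

[Demo]
    path = /srv/samba/Demo/
    read only = no

[Legacy]
    path = /srv/samba/Legacy/
    vfs objects = recycle
"""

def load_smb_conf(text):
    # smb.conf is INI-like; interpolation is off because values may contain %-style macros.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def effective(cp, share, key):
    """Share-level value wins over [global]; None means the Samba default applies."""
    for section in (share, "global"):
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None

def check_share(text, share, samba_version=(4, 9, 0)):
    """Return the settings that stop Windows ACLs from working on `share` (empty list = OK)."""
    cp = load_smb_conf(text)
    problems = []
    if "acl_xattr" not in (effective(cp, share, "vfs objects") or "").split():
        problems.append("acl_xattr is not in the effective 'vfs objects' list")
    if (effective(cp, share, "map acl inherit") or "no").lower() != "yes":
        problems.append("'map acl inherit' is not yes (Samba default is no)")
    # Before 4.9.0 'store dos attributes' defaulted to no, so it has to be set explicitly there.
    if samba_version < (4, 9, 0) and (effective(cp, share, "store dos attributes") or "no").lower() != "yes":
        problems.append("'store dos attributes' must be yes on Samba versions before 4.9.0")
    return problems

if __name__ == "__main__":
    for share in ("Demo", "Legacy"):
        print(share, check_share(SAMPLE_SMB_CONF, share) or "OK")
```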


Granting the SeDiskOperatorPrivilege Privilege

Only users and groups that have been granted the SeDiskOperatorPrivilege privilege can configure share permissions.

Note: Only users or groups that are known to Unix can be used. This means that if you use the winbind 'ad' backend on Unix domain members, you must add a uidNumber attribute to users, or a gidNumber attribute to groups, in AD.

Note: If you use the winbind 'ad' backend on Unix domain members and you add a gidNumber attribute to the Domain Admins group in AD, you will break the mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb to allow the group to own files in Sysvol on a Samba AD DC. It is suggested that you create a new group (Unix Admins, for instance), give this group a gidNumber attribute, add it to the Administrators group, and then use this group wherever you see Domain Admins.

To grant the privilege to the Domain Admins group, enter:

# net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter SAMDOM\administrator's password:
Successfully granted rights.

To list all users and groups that have been granted the SeDiskOperatorPrivilege privilege, enter:

# net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter administrator's password:
SeDiskOperatorPrivilege:
  BUILTIN\Administrators
  SAMDOM\Domain Admins

Important: You need to grant the SeDiskOperatorPrivilege privilege on the Samba server that holds the share.


Adding a Share

To share the /srv/samba/Demo/ directory using the Demo share name:

  • As the root user, create the directory:
# mkdir -p /srv/samba/Demo/
  • To enable accounts other than the domain user Administrator to set permissions on Windows, grant Full control (rwx) to the user or group you granted the SeDiskOperatorPrivilege privilege. For example:
# chown root:"Domain Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/
  • Add the [Demo] share definition to your smb.conf file:
[Demo]
       path = /srv/samba/Demo/
       read only = no
Further share-specific settings and file system permissions are set using the Windows utilities.
  • Reload the Samba configuration:
# smbcontrol all reload-config



Setting Share Permissions and ACLs

When you configure a share with extended access control lists (ACL) support, you set the share permissions using Windows utilities instead of adding parameters to the share section in the smb.conf file.

To set permissions and ACLs on the Demo share:

  • Log on to a Windows host using an account that has been granted the SeDiskOperatorPrivilege privilege, for example SAMDOM\Administrator or SAMDOM\john, where john is a member of Domain Admins.
  • Click Start, enter Computer Management, and start the application.
  • Select Action / Connect to another computer.
  • Enter the name of the Samba host and click OK to connect the console to the host.
  • Open the System Tools / Shared Folders / Shares menu entry.
[Image: Computer Management Shares.png]



  • Right-click the share and select Properties.
  • Select the Share Permissions tab and check the share permissions; Everyone must be listed. For example:
[Image: Share.png]
Note: You should not need to change anything here.
Samba stores share permissions in the /usr/local/samba/var/locks/share_info.tdb database.



  • Select the Security tab.
  • Click the Edit button and set the file system ACLs on the share's root directory. For example:
[Image: Demo Share Security.png]
For details about using the SYSTEM account on a Samba share see The SYSTEM Account.
For details where the ACLs are stored, see File System ACLs in the Back End.
  • Click the Add button.
  • Click the Advanced button.
  • Click Find Now.
  • Select a user or group from the list, for instance Domain Users.
  • Click OK to confirm the selection.
  • Click OK again to close the selection dialog.
  • Select the permissions to grant, for instance Full control.
  • A Windows Security dialog opens and asks whether you want to continue. Click Yes.
  • If you check the list of Group or user names, you should now find Domain Users listed.
  • Click OK to close the Permissions for Demo window.
  • Click OK to store the updated settings.

For further details about configuring share permissions and ACLs, see the Windows documentation.



Setting ACLs on a Folder

To set file system permissions on a folder located on a share that uses extended access control lists (ACL):

  • Log on to a Windows host using an account that has Full control on the folder whose file system ACLs you want to modify.
  • Navigate to the folder.
  • Right-click the folder and select Properties.
  • Select the Security tab and click the Edit button.
  • Set the permissions. For example:
[Image: Folder Permissions.png]
For details about using the SYSTEM account on a Samba share see The SYSTEM Account.
For details where the ACLs are stored, see File System ACLs in the Back End.
  • Click OK to close the Permissions for Folder window.
  • Click OK to store the updated settings.

For further details about setting ACLs, see the Windows documentation.



File System ACLs in the Back End

Samba stores the file system permissions in extended file system access control lists (ACL) and in an extended attribute. For example:

  • To list the extended ACLs of the /srv/samba/Demo/ directory, enter:
# getfacl /srv/samba/Demo/
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---
  • To list the security.NTACL extended attribute of the /srv/samba/Demo/ directory, enter:
# getfattr -n security.NTACL -d /srv/samba/Demo/
# file: srv/samba/Demo/
security.NTACL=0s<base64-encoded NT ACL blob omitted>

The previous example of file system ACLs and the extended attribute is mapped to the following Windows ACLs:

Principal                              Permissions                                                  Applies to
Domain Users (SAMDOM\Domain Users)     Modify, Read & execute, List folder contents, Read, Write    This folder, subfolders and files
Domain Admins (SAMDOM\Domain Admins)   Full control                                                 This folder, subfolders and files
  • To get the ACL in a more readable form (SDDL), enter the following command. The example below reads the ACL of the sysvol directory:
# samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl
O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f01ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)
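Added example, not from the wiki page or from Samba: a Python decoder for SDDL output like the string above. It expands the owner, group, DACL flags and each ACE's inheritance flags, trustee and access mask, so the two-letter rights form (WOWDGRGWGX) and the hex form (0x001200a9) can be compared bit by bit. Only the well-known SID aliases that appear in such output are mapped to names; a raw S-1-... trustee is passed through unchanged.

```python
import re

ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED"}
ACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
# Two-letter rights tokens -> access-mask bits (generic, standard and file-specific rights).
RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
          "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# Access-mask bits named as they apply to files and directories, plus the generic bits.
MASK_BITS = [(0x1, "READ_DATA/LIST_DIR"), (0x2, "WRITE_DATA/ADD_FILE"), (0x4, "APPEND/ADD_SUBDIR"), (0x8, "READ_EA"),
             (0x10, "WRITE_EA"), (0x20, "EXECUTE/TRAVERSE"), (0x40, "DELETE_CHILD"), (0x80, "READ_ATTRS"),
             (0x100, "WRITE_ATTRS"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
             (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"), (0x10000000, "GENERIC_ALL"),
             (0x20000000, "GENERIC_EXECUTE"), (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ")]
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM", "CO": "CREATOR OWNER",
               "AU": "Authenticated Users", "SO": "BUILTIN\\Server Operators", "WD": "Everyone"}

def _pairs(s):  # split "OICIIO" into ["OI", "CI", "IO"]
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def acl_flags(s):  # DACL flags mix 1- and 2-letter tokens: "PAI" = P + AI; unknown tokens raise KeyError
    out, i = [], 0
    while i < len(s):
        tok = s[i:i + 2] if s[i:i + 2] in ACL_FLAGS else s[i]
        out.append(ACL_FLAGS[tok])
        i += len(tok)
    return out

def rights_mask(token):  # "0x001200a9" is a literal mask; otherwise sum the two-letter rights tokens
    return int(token, 16) if token.startswith("0x") else sum(RIGHTS[t] for t in _pairs(token))

def decode_mask(mask):
    return [name for bit, name in MASK_BITS if mask & bit]

def parse_sddl(sddl):
    """Parse an O:/G:/D: SDDL string into owner, group, DACL flags and a list of ACE dicts."""
    m = re.fullmatch(r"O:([^:()]+)G:([^:()]+)D:([A-Z]*)((?:\([^)]*\))*)", sddl.strip())
    if not m:
        raise ValueError("unsupported SDDL layout (expected O:...G:...D:...)")
    owner, group, flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        typ, inherit, rights, _obj, _inh_obj, trustee = ace.split(";")
        mask = rights_mask(rights)
        aces.append({"type": ACE_TYPES[typ], "flags": [ACE_FLAGS[f] for f in _pairs(inherit)],
                     "mask": mask, "rights": decode_mask(mask), "trustee": SID_ALIASES.get(trustee, trustee)})
    return {"owner": SID_ALIASES.get(owner, owner), "group": SID_ALIASES.get(group, group),
            "dacl_flags": acl_flags(flags), "aces": aces}
```

Calling parse_sddl on the sysvol string above shows, for instance, that the 0x001200a9 ACEs for Authenticated Users and Server Operators are plain Read & execute (no write or delete bits), while the inherit-only ACEs for CREATOR OWNER and BUILTIN\Administrators carry WRITE_DAC and WRITE_OWNER.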



Troubleshooting

For troubleshooting, see: