Setting up a Share Using Windows ACLs: Difference between revisions

From SambaWiki
(Major rewrite and restructuring.)
Line 1: Line 1:
= Introduction =
= Introduction =


On every Samba host you can, like on any MS Windows OS, share a folder to make it accessible for other users. There's no difference if this host is an Samba [[Active_Directory_Domain_Controller|Active Directory Domain Controller]], a [[Setup_Samba_as_an_AD_Domain_Member|Domain Member]] or a [[Standalone_server|standalone server]]. File shares can be setup in two ways: Set [[Shares_with_POSIX_ACLs|completely via smb.conf parameters and POSIX ACLs]] or to be managed using Windows tools and ACLs. The latter is described in this documentation.
Samba allows you, since version 4, to do most share configuration via windows, which is also the recommended way. In particular, the permission management with real Windows ACLs and multiple entries is much easier when done on Windows. The following documentation will give you an overview of how to manage shares.


'''Important note:''' Samba Active Directory Domain Controllers have extended ACL support enabled globally, what requires always to manage share permissions and ACLs via Windows!
Please note, that it's also possible to [[Shares_with_POSIX_ACLs|configure shares and ACLs, using the classic way with POSIX ACLs and smb.conf parameters]].




Line 11: Line 11:
= Preparatory work =
= Preparatory work =


== Filesystem support ==
== File system support ==


To use the advanced features of Samba, it has to be compiled with ACL support (e. g. RHEL requires the libacl-devel to be installed, when compiling). Also you need a filesystem that supports the "user" and "system" xattr namespaces. It also needs to have ACL and XATTR support.
Check that the filesystem, the share will reside on, supports the "user" and "system" xattr name spaces. It also requires ACL and XATTR support. See [[Operating_system_requirements/File_system_support|File system support]] for further details.


XFS and ext4 automatically support ACLs. If you are using ext3 for your file system, you may need to include the options "user_xattr" and "acl" in your /etc/fstab entries. Example:


/dev/sda3 /srv/samba/Demo ext3 user_xattr,acl,barrier=1 1 1


== Samba ACL support ==
Note: The "barrier=1" option ensures that tdb transactions are safe against unexpected power loss. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/writebarrieronoff.html More information on barriers from RedHat]


Make sure, Samba was compiled with ACL support. Check with the following command:
Please be careful modifying your fstab. It can lead to an unbootable system!


# smbd -b | grep HAVE_LIBACL
You could test as follows:
HAVE_LIBACL


If "HAVE_LIBACL" is not found, then Samba was compiled without extended ACL support. See [[Operating_system_requirements/Dependencies_-_Libraries_and_programs|Dependencies - Libraries and programs]] if you compiled Samba yourself.
# lsof | grep srv/samba/Demo


If there is output, stop the corresponding services cleanly. If there is no output, it is safe to unmount the partition, assuming it is mounted:


# umount /srv/samba/Demo


== Enable extended ACL support in smb.conf ==
After making changes to fstab, try remounting the drive:


''The following is only required on Domain Members and not on Domain Controllers, where this setting is hard coded enabled.''
# mount -a


Add the following to your [global] section of your smb.conf:
== ACL support on domain members ==


vfs objects = acl_xattr
The following is only <u>required on Domain Members and not on Domain Controllers</u>!
map acl inherit = yes
store dos attributes = yes


See the smb.conf man page for further details on the parameters.
* Add the following to your [global] section of your smb.conf:


vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes


:These options are required on Domain Members, to enable the possibility for real windows ACL's. Domain Controllers have ACL support enabled globally by default!


== SeDiskOperatorPrivilege ==
== SeDiskOperatorPrivilege ==


* To configure share permissions, you need an account with „SeDiskOperatorPrivilege“. To grant this privilege, e. g. to the „Domain Admin“ group, run the following command on your AD member server(s):
Accounts that should be able to configure share permissions, require the privilege "SeDiskOperatorPrivilege". To view the current privilege list on a host, run

# net rpc rights list accounts -U'SAMDOM\administrator'

To grant SeDiskOperatorPrivilege to the "Domain Admins" group, run

# net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'
Enter SAMDOM\administrator's password:
Successfully granted rights.



# net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator' -I dc1.samdom.example.com


:Existing privileges can be reviewed by


# net rpc rights list accounts -U'SAMDOM\administrator' -I dc1.samdom.example.com


= Adding a new share =
= Adding a new share =


* Create a folder that you want to share:
* Create a new folder, that should be shared, if it doesn't already exist

# mkdir -p /srv/samba/Demo/
# mkdir -p /srv/samba/Demo/


* In order to allow a user or group to modify permissions, "Full control" is required. If you haven't modified, the default value of "acl map full control" is "yes", what defines, that "rwx" (read-write-execute) is mapped to "Full control". Accordingly to allow members of the "Domain Admins" group to edit permissions via Windows, we need to to set the following:
You now need to allow access to the directory (or you will not be able to change the ACLs from windows).

For this example we will use 'Domain Admins' , you can use another group or user.
# setfacl -m g:"domain admins":rwx /srv/samba/Demo/
# chmod g=rwx /srv/samba/Demo/
# chgrp "Domain Admins" /srv/samba/Demo/

* Add the new share to your smb.conf. No further parameters than the following are required nor suggested (e. g. "force user/group" is not compatible with the vfs objects "acl_xattr" and can cause "Access denied" errors)!


* Add a new share to your smb.conf (using no other configuration parameters when first setting up a share is highly recommended!):
[Demo]
[Demo]
path = /srv/samba/Demo/
path = /srv/samba/Demo/
read only = no
read only = no

* Reload Samba


* Reload Samba:
# smbcontrol all reload-config
# smbcontrol all reload-config


= Setup share permissions =


* Log on to a Windows machine, using an account to which the „SeDiskOperatorPrivilege“ was granted, or an account in a group with the granted privilege.


* Open the Start Menu and search for „Computer Management“.


* In the menu bar go to „Action“ / „Connect to another computer“.


= Setup share permissions (optional) =
* Enter the name of the Samba server you have create the new share on.


* Log on to a Windows machine, using an account that is member of the "Domain Admins" group
* Navigate to „System Tools“ / „Shared Folders“ / „Shares“ and select the newly added share.

* Open the Start Menu, search for "Computer Management" and open the program

* In the menu bar go to "Action" / "Connect to another computer"

* Enter the name of the Samba host on which you want to edit the share permissions

* Navigate to "System Tools" / "Shared Folders" / "Shares" and select the desired share


:[[Image:Computer_Management_Shares.png]]
:[[Image:Computer_Management_Shares.png]]


* Right-click to the share name, choose „Properties“ .
* Right-click to the share name and choose "Properties"


* Go to the „Share Permissions“ tab. Here you can configure who can access the share and the appropriate permissions.
* Go to the "Share Permissions" tab and define who is allowed to connect to the share


:[[Image:Demo_Share_Permissions.png]]
:[[Image:Demo_Share_Permissions.png]]


* Save the changes by closing the windows with "OK"
* Go to the „Security“ tab, click the „Edit“ button and configure the filesystem permissions.





= Set ACLs on the root of a share =

* Log on to a Windows machine, using an account that is member of the "Domain Admins" group

* Open the Start Menu, search for "Computer Management" and open the program

* In the menu bar go to "Action" / "Connect to another computer"

* Enter the name of the Samba host on which you want to edit the share permissions

* Navigate to "System Tools" / "Shared Folders" / "Shares" and select the desired share

:[[Image:Computer_Management_Shares.png]]

* Right-click to the share name and choose "Properties"

* Go to the "Security" tab, click the "Edit" button and configure the desired Windows ACLs


:[[Image:Demo_Share_Security.png]]
:[[Image:Demo_Share_Security.png]]


* Save the changes by closing the windows with „OK“.
* Save the changes by closing the windows with "OK"




Line 104: Line 135:




= Change permissions on folders of a share =
= Set ACLs on subfolders of a share =


* Log on to a Windows machine as Domain Administrator.
* Log on to a Windows machine, using an account that is member of the "Domain Admins" group


* Navigate to the folder of which you want to change the permissions.
* Navigate to the folder of which you want to change the permissions


* Right-click to the folder and choose „Properties“.
* Right-click to the folder and choose "Properties"


* Go to the „Security“ tab and click the „Edit“ button.
* Go to the "Security" tab and click the "Edit" button.


* Change the permissions to your needs.
* Change the permissions to your needs


:[[Image:Folder_Permissions.png]]
:[[Image:Folder_Permissions.png]]


* Save the changes by closing the windows with „OK“.
* Save the changes by closing the windows with "OK"




Line 126: Line 157:
= Troubleshooting =
= Troubleshooting =


In certain situations, share configuration parameters which were commonly used with NT-style domains such as "force group" or "force user" may lead to "Access Denied" errors when trying to set permissions on a new share, or other complications, such as losing the ability to even see the Security tab. You may find even after correcting the issues that the problems may persist even after removing and re-adding the share properly. In such cases, it may be helpful to manually wipe out all ACLs on the share and recursively re-grant full control to the Domain Admins group with the setfacl command as follows (may need to run as root):
In certain situations, configuration parameters which were commonly used on [[Shares_with_POSIX_ACLs|shares with POSIX ACLs]], such as "force group" or "force user", may lead to "Access denied" errors when trying to set permissions on a new share or other complications, such as losing the ability to even see the "Security" tab. You may find even after correcting the issues that the problems may persist, even after removing and re-adding the share properly. In such cases, it may be helpful to manually wipe out all ACLs on the share and recursively re-grant full control to the Domain Admins group with the setfacl command as follows (need to run as root):

# setfacl -b /path/to/share
# setfacl -b /path/to/share/*
# setfacl -R -m default:group:domain\ admins:rwx /path/to/share


# setfacl -R -b /srv/samba/Demo/
# setfacl -R -b /srv/samba/Demo/*
# setfacl -R -m default:group:"Domain Admins":rwx /srv/samba/Demo/




Line 139: Line 169:
= Related documentation =
= Related documentation =


The following documentation explains how to set up file shares with special permissions or purpose:
The following documentation discusses related topics:


* [[User_home_drives|Setting up a home share]]
* [[User_home_drives|Setting up home drives]]


* [[Implementing_roaming_profiles|Samba and Windows Profiles]]
* [[Implementing_roaming_profiles|Implementing Windows roaming profiles]]

Revision as of 17:10, 31 October 2015

Introduction

On every Samba host you can, like on any MS Windows OS, share a folder to make it accessible for other users. There's no difference if this host is an Samba Active Directory Domain Controller, a Domain Member or a standalone server. File shares can be setup in two ways: Set completely via smb.conf parameters and POSIX ACLs or to be managed using Windows tools and ACLs. The latter is described in this documentation.

Important note: Samba Active Directory Domain Controllers have extended ACL support enabled globally, what requires always to manage share permissions and ACLs via Windows!



Preparatory work

File system support

Check that the filesystem, the share will reside on, supports the "user" and "system" xattr name spaces. It also requires ACL and XATTR support. See File system support for further details.


Samba ACL support

Make sure, Samba was compiled with ACL support. Check with the following command:

# smbd -b | grep HAVE_LIBACL
   HAVE_LIBACL

If "HAVE_LIBACL" is not found, then Samba was compiled without extended ACL support. See Dependencies - Libraries and programs if you compiled Samba yourself.


Enable extended ACL support in smb.conf

The following is only required on Domain Members and not on Domain Controllers, where this setting is hard coded enabled.

Add the following to your [global] section of your smb.conf:

       vfs objects = acl_xattr
       map acl inherit = yes
       store dos attributes = yes

See the smb.conf man page for further details on the parameters.


SeDiskOperatorPrivilege

Accounts that should be able to configure share permissions, require the privilege "SeDiskOperatorPrivilege". To view the current privilege list on a host, run

# net rpc rights list accounts -U'SAMDOM\administrator'

To grant SeDiskOperatorPrivilege to the "Domain Admins" group, run

# net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'
Enter SAMDOM\administrator's password:
Successfully granted rights.



Adding a new share

  • Create a new folder, that should be shared, if it doesn't already exist
# mkdir -p /srv/samba/Demo/
  • In order to allow a user or group to modify permissions, "Full control" is required. If you haven't modified, the default value of "acl map full control" is "yes", what defines, that "rwx" (read-write-execute) is mapped to "Full control". Accordingly to allow members of the "Domain Admins" group to edit permissions via Windows, we need to to set the following:
# chmod g=rwx /srv/samba/Demo/
# chgrp "Domain Admins" /srv/samba/Demo/
  • Add the new share to your smb.conf. No further parameters than the following are required nor suggested (e. g. "force user/group" is not compatible with the vfs objects "acl_xattr" and can cause "Access denied" errors)!
[Demo]
       path = /srv/samba/Demo/
       read only = no
  • Reload Samba
# smbcontrol all reload-config



Setup share permissions (optional)

  • Log on to a Windows machine, using an account that is member of the "Domain Admins" group
  • Open the Start Menu, search for "Computer Management" and open the program
  • In the menu bar go to "Action" / "Connect to another computer"
  • Enter the name of the Samba host on which you want to edit the share permissions
  • Navigate to "System Tools" / "Shared Folders" / "Shares" and select the desired share
Computer Management Shares.png
  • Right-click to the share name and choose "Properties"
  • Go to the "Share Permissions" tab and define who is allowed to connect to the share
Demo Share Permissions.png
  • Save the changes by closing the windows with "OK"



Set ACLs on the root of a share

  • Log on to a Windows machine, using an account that is member of the "Domain Admins" group
  • Open the Start Menu, search for "Computer Management" and open the program
  • In the menu bar go to "Action" / "Connect to another computer"
  • Enter the name of the Samba host on which you want to edit the share permissions
  • Navigate to "System Tools" / "Shared Folders" / "Shares" and select the desired share
Computer Management Shares.png
  • Right-click to the share name and choose "Properties"
  • Go to the "Security" tab, click the "Edit" button and configure the desired Windows ACLs
Demo Share Security.png
  • Save the changes by closing the windows with "OK"



Set ACLs on subfolders of a share

  • Log on to a Windows machine, using an account that is member of the "Domain Admins" group
  • Navigate to the folder of which you want to change the permissions
  • Right-click to the folder and choose "Properties"
  • Go to the "Security" tab and click the "Edit" button.
  • Change the permissions to your needs
Folder Permissions.png
  • Save the changes by closing the windows with "OK"



Troubleshooting

In certain situations, configuration parameters which were commonly used on shares with POSIX ACLs, such as "force group" or "force user", may lead to "Access denied" errors when trying to set permissions on a new share or other complications, such as losing the ability to even see the "Security" tab. You may find even after correcting the issues that the problems may persist, even after removing and re-adding the share properly. In such cases, it may be helpful to manually wipe out all ACLs on the share and recursively re-grant full control to the Domain Admins group with the setfacl command as follows (need to run as root):

# setfacl -R -b /srv/samba/Demo/
# setfacl -R -b /srv/samba/Demo/*
# setfacl -R -m default:group:"Domain Admins":rwx /srv/samba/Demo/



Related documentation

The following documentation discusses related topics: