Question regarding FQDN & SeDiskOperatorPrivilege

Sooooooo close. But too tired to continue.

Taken from:

https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

Create a username map as described there, and then enter:

net rpc rights grant "MYDOMAIN\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege -Uadministrator

[root@fileserver ~]# net rpc rights grant "Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege  -Uadministrator
Enter administrator's password:
Successfully granted rights.
[root@fileserver ~]# getent group "Domain Admins"
domain admins@mydomain.com:*:1262600512:administrator@mydomain.com,lms048@mydomain.com,admin@mydomain.com
[root@fileserver ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password:
Unix Group\domain admins@mydomain.com
SeMachineAccountPrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

I can now actually SEE the security settings using Shared Folders and Files on a Windows machine, and actually click checkboxes on the security tab, whereas they were greyed out, but as soon as I click apply, I get access denied.

This is using my own account, which is a member of domain admins.

Next I tried MYDOMAIN\administrator as Windows login, and after removing some stuff from my profile share definition, I can now set rights. Still not entirely working, as the owner is root, and that needs to be the local administrators group. Getting close tho.

I’m not that awake anymore tho … to be continued.

TL;DR: username map is your friend.


Thanks @des, @mrmarkuz, @m.traeumner, @flatspin and earlier @stephdl for thinking along during this adventure. And special thanks to @alefattorini for getting their attention in another topic regarding this issue a while ago. You all rock!

I do think this needs to be added to Nethserver once this is figured out … I grew a couple of extra grey hairs during this.

It is not at all obvious to the casual linux admin how this works, and while we are replacing microsoft, being able to set rights as we were used to really will help adopt this. Linux rights, to windows admins, are alien.

It would be greatly appreciated to have a checkbox while creating a share, turn on advanced sharing, and be able to create an ibay with the following content in smb.conf:

[windows acls enabled share]
comment = Profiles directory
browsable = yes
path = /var/lib/nethserver/profiles
read only = no
store dos attributes = Yes
csc policy = disable

This, and SeDiskOperatorPrivilege (and possibly some more privileges) are needed to be able to set security settings from within windows, as if it is windows. I need to test if there are limits, and what they are, but for now I really really call it quits.

P.S.

Content of /etc/samba/user.map
[root@fileserver ~]# cat /etc/samba/user.map
!root = MYDOMAIN\Administrator MYDOMAIN\administrator

And you need to add username map = /etc/samba/user.map to the [global] section of smb.conf


I decided to use this thread, as it is the technical one.
First I’d like to thank you for your incredible work and it would be great to be able to set network share rights via Windows.
I tried to set it up with custom templates and NethServer shared folder profile to have specific shares as windows acled ones and leave other shares as they are:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-samba.html#shared-folder-profile

Created /etc/samba/user.map as it is no template

!root = CMB\Administrator CMB\administrator

Created custom template /etc/e-smith/templates-custom/etc/samba/smb.conf/11usermap:

#
# 11usermap - username map
#
username map = /etc/samba/user.map

Set the new profile for the specific shared folder:

db accounts setprop SHAREDFOLDER SmbProfileType winacls

Created shared folder profile named winacls (ibay-winacls). This shared folder profile dir has to be in templates dir, it doesn’t work in templates-custom.

mkdir -p /etc/e-smith/templates/etc/samba/smb.conf/ibay-winacls
cp /etc/e-smith/templates/etc/samba/smb.conf/ibay-default/* /etc/e-smith/templates/etc/samba/smb.conf/ibay-winacls

Browseable setting for specific folder may be changed via web UI or with

db accounts setprop SHAREDFOLDER SmbShareBrowseable enabled

but it seems to be enabled by default as not shown by samba testparm.

Then I changed /etc/e-smith/templates/etc/samba/smb.conf/ibay-winacls/20profile_default and uncommented the lines like you described and added csc policy setting at the end.

# 20profile_default:
read only            = no
#inherit permissions  = yes
; Add group write bit to default create mask, remove DOS archive bit (see below$
#create mask          = 0664
#inherit owner        = yes
; Use extended attribute to store DOS attributes (see man page)
store dos attributes = yes
#map archive          = no
#map readonly         = no
#inherit acls         = yes
#map acl inherit      = yes
#guest ok             = { ($ibay{SmbGuestAccessType} || 'none') =~ /^rw?$/ ? 'y$
browseable           = { ($ibay{SmbShareBrowseable} || 'enabled') eq 'enabled' $
# IMPORTANT! only value to add:
csc policy = disable

Apply changes:

signal-event nethserver-samba-update

Check if it worked and smb.conf has the new entries:

[root@server ~]# testparm -s
...
username map = /etc/samba/user.map
...
[SHAREDFOLDER]
        comment = Samba share
        path = /var/lib/nethserver/ibay/test
        store dos attributes = Yes
        csc policy = disable
        read only = No
        vfs objects = full_audit

Check shared folder settings:

Set rights as you described:

net rpc rights grant "Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege -Uadministrator

I am able to change shared folder network rights via computer management - this seems to work :+1:.
I noticed that after these changes the root folder appears when browsing \\myserver.
Maybe you have some different smb.conf global settings I am missing?

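Both posts above end with the same two manual checks: reading `testparm -s` to confirm the share carries `store dos attributes`, `csc policy = disable`, `read only = No` and the global `username map`, and reading `net rpc rights list accounts` to confirm the group holds SeDiskOperatorPrivilege. The following is an added example, not code from the thread or from NethServer: a POSIX shell script that parses constructed samples of both outputs (shaped like the ones posted) and reports what is missing; on a real server you would feed it the live output of those two commands instead of the sample strings.

```shell
#!/bin/sh
# Constructed samples shaped like the thread's `testparm -s` and
# `net rpc rights list accounts` output (not captured from a real server).
SAMPLE_TESTPARM='[global]
        username map = /etc/samba/user.map

[SHAREDFOLDER]
        comment = Samba share
        path = /var/lib/nethserver/ibay/test
        store dos attributes = Yes
        csc policy = disable
        read only = No
        vfs objects = full_audit'
SAMPLE_RIGHTS='Unix Group\domain admins@mydomain.com
SeMachineAccountPrivilege
SeDiskOperatorPrivilege

BUILTIN\Print Operators
SePrintOperatorPrivilege'

# share_params SHARE: print the "key = value" lines of one section only
share_params() {
    printf '%s\n' "$SAMPLE_TESTPARM" | awk -v want="[$1]" '
        /^\[/ { insec = ($0 == want); next }
        insec && NF { sub(/^[ \t]+/, ""); print }'
}
# check_winacl_share SHARE: 0 if the share carries the settings the thread
# needs for Windows-side ACL editing and the username map is set, else 1
check_winacl_share() {
    rc=0
    for kv in 'store dos attributes = Yes' 'csc policy = disable' 'read only = No'; do
        share_params "$1" | grep -qix "$kv" || { echo "$1: missing '$kv'"; rc=1; }
    done
    share_params global | grep -qi '^username map = ' ||
        { echo "global: username map not set"; rc=1; }
    return $rc
}
# has_privilege ACCOUNT PRIV: 0 if PRIV is listed in ACCOUNT's block
has_privilege() {
    printf '%s\n' "$SAMPLE_RIGHTS" | {
        inacct=0
        while IFS= read -r line; do
            if [ -z "$line" ]; then inacct=0
            elif [ "$line" = "$1" ]; then inacct=1
            elif [ "$inacct" = 1 ] && [ "$line" = "$2" ]; then exit 0
            fi
        done
        exit 1
    }
}
```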

You could set browseable to disabled … the regular $ after the share name doesn't impress Samba :stuck_out_tongue:


Yes @planet_jeroen did a great contribution here!

Please continue this discussion under the Feature category thread
