Topic: [SOLVED] File Sharing does not work

JLLEWELYN

[SOLVED] File Sharing does not work
« on: March 28, 2019, 10:34:42 pm »
Hello, on my domain controller I created a folder for wallpapers. I added security policies so that some groups can only read and other groups with higher permissions can read and write.

It does not give me permission to read or write.

/etc/samba/smb.conf
Code:
administrator@servidor:~$ cat /etc/samba/smb.conf
[global]
    workgroup = savidoca
    realm = SAVIDOCA.COM
    netbios name = servidor
    server string = Zentyal Server
    server role = dc
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200

    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U

    rpc server dynamic port range = 49152-65535

    interfaces = lo,eth2
    bind interfaces only = yes

    map to guest = Bad User

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000



    include = /etc/samba/shares.conf




[netlogon]
    path = /var/lib/samba/sysvol/savidoca.com/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

/etc/samba/shares.conf
Code:
administrator@servidor:~$ cat /etc/samba/shares.conf
[homes]
    comment = Directorios de usuario
    path = /home/%S
    read only = no
    browseable = no
    create mask = 0611
    directory mask = 0711
    vfs objects = acl_xattr full_audit
    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

# Shares

[wallpapers]
    comment = fondos de pantalla
    path = /home/samba/shares/wallpapers
    browseable = yes
    force create mode = 0660
    force directory mode = 0660
    valid users = @"cybers", @"vendedores", @"gerentes", @"tech"
    read list = @"cybers", @"vendedores"
    write list = @"gerentes", @"tech"
    admin users =
    vfs objects = acl_xattr full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename


/home/samba/shares/wallpapers
Code:
administrator@servidor:~$ ls -la /home/samba/shares
total 16
drwxrwx---+ 3 root          SAVIDOCA\domain users 4096 mar 25 11:15 .
drwxrwx---+ 4 root          SAVIDOCA\domain users 4096 mar  2 12:51 ..
drwxrwx---+ 2 administrator adm                   4096 mar 25 11:15 wallpapers
administrator@servidor:~$ ls -la /home/samba/shares/wallpapers
total 12
drwxrwx---+ 2 administrator adm                   4096 mar 25 11:15 .
drwxrwx---+ 3 root          SAVIDOCA\domain users 4096 mar 25 11:15 ..

Code:
administrator@servidor:~$ getfacl /home/samba/shares/wallpapers
getfacl: Removing leading '/' from absolute path names
# file: home/samba/shares/wallpapers
# owner: administrator
# group: adm
user::rwx
user:administrator:rwx
group::rwx
group:adm:rwx
group:SAVIDOCA\134domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:group::rwx
default:group:adm:rwx
default:group:SAVIDOCA\134domain\040admins:rwx
default:mask::rwx
default:other::---

Could it be some permission on the folder?
« Last Edit: March 30, 2019, 07:38:58 pm by JLLEWELYN »

JLLEWELYN

Re: File Sharing does not work
« Reply #1 on: March 30, 2019, 07:35:58 pm »
Solved by creating a custom directory at the path: /home/administrator/shares/wallpapers

Code:
su root
password:
# mkdir -p /home/administrator/shares/wallpapers
# chmod -R 775 /home/administrator/shares/wallpapers
# chown root:"Domain Admins" /home/administrator/shares/wallpapers

Then, in Zentyal, add the directory path to be shared, with the permissions of the read and write groups.

It should be noted that Zentyal lacks some options that are important for file sharing and security options to work correctly. What I did was copy the configuration templates located at /usr/share/zentyal/stubs/samba/smb.conf.mas and /usr/share/zentyal/stubs/samba/shares.conf.mas:

Code:
sudo mkdir /etc/zentyal/stubs
sudo mkdir /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/
sudo cp /usr/share/zentyal/stubs/samba/shares.conf.mas /etc/zentyal/stubs/samba/

Modify the templates in this way:
* Set SMB2 as the minimum protocol for protection against WannaCrypt. See article.
* Added the missing settings for sharing files: vfs objects = acl_xattr, map acl inherit = yes, store dos attributes = yes. See article.
* Customized the network adapters so that only the one I want works with my Active Directory, excluding eth0, eth1, wlan0 and vmnet8 so that they do not interfere with the operation. This may be irrelevant.
/etc/zentyal/stubs/samba/smb.conf.mas
Code:
<%args>
    $workgroup
    $netbiosName
    $description
    $mode
    $realm
    $domain
    $roamingProfiles => 0
    $profilesPath
    $sysvolPath
    $ifaces => undef
    $shell

    $radius => 0
    $print => 0
    $shares => 0
</%args>
<%init>
use EBox::Gettext;
</%init>
[global]
    workgroup = <% $workgroup %>
    realm = <% $realm %>
    netbios name = <% $netbiosName %>
    server string = <% $description %>
    server role = <% $mode %>
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200

    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    template shell = <% $shell %>
    template homedir = /home/%U

    min protocol = SMB2

    rpc server dynamic port range = 49152-65535

% if ($ifaces) {
    interfaces = lo,eth2
    bind interfaces only = yes
% }

    map to guest = Bad User

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000

% if ($radius) {
    lanman auth = yes
    ntlm auth = yes
% }

% if ($print) {
    include = /etc/samba/printers.conf
% }

% if ($shares) {
    include = /etc/samba/shares.conf
% }



% if ($mode eq 'dc') {
%   if ($roamingProfiles) {
[profiles]
    path = <% $profilesPath %>
    browseable = no
    read only = no
%   }

[netlogon]
    path = <% $sysvolPath %>/<% $domain %>/scripts
    browseable = no
    read only = yes

[sysvol]
    path = <% $sysvolPath %>
    read only = no
% }


* Added the missing line to the file sharing settings: read only = no. See article.
/etc/zentyal/stubs/samba/shares.conf.mas
Code:
<%args>
    @shares => ()
    $unmanagedAcls => 0
    $disableFullAudit => 0

    $recycle => 0
    $recycle_exceptions => {}
    $recycle_config => {}

    $prefix => 'Zentyal'
    $backup_path => '/tmp'
</%args>
<%init>
use EBox::Gettext;
</%init>
[homes]
    comment = <% __('Home Directories') %>
    path = /home/%S
    read only = no
    browseable = no
    create mask = 0611
    directory mask = 0711
% my $rb = ($recycle xor defined($recycle_exceptions->{'users'}));
% my $objects = 'acl_xattr';
% unless ($disableFullAudit) {
%   $objects .= ' full_audit';
% }
% if ($rb) {
%   $objects .= ' recycle';
% }
    vfs objects = <% $objects %>
    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
% if ($rb) {
%   foreach my $key (keys %{$recycle_config}) {
%       next unless $key;
    recycle: <% $key %> = <% $recycle_config->{$key} %>
%   }
% }

# <% @shares ? "Shares\n" : "No shares configured" %>
% foreach my $share (@shares) {
[<% $share->{share} %>]
% if ($share->{comment}) {
    comment = <% $share->{comment} %>
% }
    path = <% $share->{path} %>
    browseable = yes
    read only = no
    force create mode = 0660
    force directory mode = 0660
% if ($share->{guest}) {
    guest ok = yes
    read only = no
% } elsif ($unmanagedAcls) {
    read only = no
% } else {
    valid users = <% $share->{validUsers} %>
    read list = <% $share->{readOnly} %>
    write list = <% $share->{readWrite} %>
    admin users = <% $share->{administrators} %>
% }
% my $rb = ($recycle xor defined($recycle_exceptions->{'share'}->{$share->{'share'}}));
% my $objects = 'acl_xattr';
% unless ($disableFullAudit) {
%   $objects .= ' full_audit';
% }
% if ($rb) {
%   $objects .= ' recycle';
% }
    vfs objects = <% $objects %>
% if ($unmanagedAcls) {
    acl_xattr:ignore system acls = yes
% }
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
% if ($rb) {
%   foreach my $key (keys %{$recycle_config}) {
%       next unless $key;
    recycle: <% $key %> = <% $recycle_config->{$key} %>
%   }
% }

% }

The result was this:

/etc/samba/smb.conf
Code:
[global]
    workgroup = savidoca
    realm = SAVIDOCA.COM
    netbios name = servidor
    server string = Zentyal Server
    server role = dc
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200

    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    template shell = /bin/bash
    template homedir = /home/%U

    min protocol = SMB2

    rpc server dynamic port range = 49152-65535

    interfaces = lo,eth2
    bind interfaces only = yes

    map to guest = Bad User

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000



    include = /etc/samba/shares.conf




[netlogon]
    path = /var/lib/samba/sysvol/savidoca.com/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

/etc/samba/shares.conf
Code:
[homes]
    comment = Directorios de usuario
    path = /home/%S
    read only = no
    browseable = no
    create mask = 0611
    directory mask = 0711
    vfs objects = acl_xattr full_audit
    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

# Shares

[wallpapers]
    comment = fondo de pantalla
    path = /home/administrator/shares/wallpapers
    browseable = yes
    read only = no
    force create mode = 0660
    force directory mode = 0660
    valid users = @"vendedores", @"cybers", @"tech", @"gerentes"
    read list = @"vendedores", @"cybers"
    write list = @"tech", @"gerentes"
    admin users =
    vfs objects = acl_xattr full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
« Last Edit: November 29, 2020, 09:15:47 pm by JLLEWELYN »
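
An added example, not part of the original post and not Zentyal's own code: a small Python audit that parses generated smb.conf text and reports which of the settings named in the reply above (min protocol, vfs objects = acl_xattr, map acl inherit, store dos attributes, and read only = no on user shares) are absent or different. The function names and the abridged BEFORE/AFTER samples are constructed for illustration.

```python
import re

# [global] settings the reply adds to smb.conf.mas, each with a value check.
GLOBAL_CHECKS = {
    "min protocol": lambda v: v.upper().startswith(("SMB2", "SMB3")),
    "vfs objects": lambda v: "acl_xattr" in v.split(),
    "map acl inherit": lambda v: v.lower() == "yes",
    "store dos attributes": lambda v: v.lower() == "yes",
}
BUILTIN = {"global", "homes", "netlogon", "sysvol", "profiles"}  # not user shares

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return one finding per setting from the reply that is missing or different."""
    conf, findings = parse_smb_conf(text), []
    glob = conf.get("global", {})
    for param, ok in GLOBAL_CHECKS.items():
        value = glob.get(param)
        if value is None or not ok(value):
            findings.append(f"[global] {param}: {value or 'not set'}")
    for name, params in conf.items():
        if name not in BUILTIN and params.get("read only", "").lower() != "no":
            findings.append(f"[{name}] read only = no: not set")
    return findings

# Constructed samples, abridged from the configs posted before and after the change.
BEFORE = """[global]
    server signing = auto
[wallpapers]
    write list = @"gerentes", @"tech" """
AFTER = """[global]
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    min protocol = SMB2
[wallpapers]
    read only = no"""
print("\n".join(audit(BEFORE)) or "no findings")
```

Run `audit()` on the concatenated text of /etc/samba/smb.conf and /etc/samba/shares.conf after Zentyal regenerates them, to confirm the custom stubs in /etc/zentyal/stubs/samba were actually applied.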