Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: JLLEWELYN on March 28, 2019, 10:34:42 pm
-
Hello, on my domain controller I created a folder for wallpapers and added security policies so that some groups can only read, and other groups with higher permissions can read and write.
It does not give me permission to read or write.
/etc/samba/smb.conf
administrator@servidor:~$ cat /etc/samba/smb.conf
[global]
workgroup = savidoca
realm = SAVIDOCA.COM
netbios name = servidor
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
rpc server dynamic port range = 49152-65535
interfaces = lo,eth2
bind interfaces only = yes
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
include = /etc/samba/shares.conf
[netlogon]
path = /var/lib/samba/sysvol/savidoca.com/scripts
browseable = no
read only = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = no
/etc/samba/shares.conf
administrator@servidor:~$ cat /etc/samba/shares.conf
[homes]
comment = Directorios de usuario
path = /home/%S
read only = no
browseable = no
create mask = 0611
directory mask = 0711
vfs objects = acl_xattr full_audit
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
# Shares
[wallpapers]
comment = fondos de pantalla
path = /home/samba/shares/wallpapers
browseable = yes
force create mode = 0660
force directory mode = 0660
valid users = @"cybers", @"vendedores", @"gerentes", @"tech"
read list = @"cybers", @"vendedores"
write list = @"gerentes", @"tech"
admin users =
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
/home/samba/shares/wallpapers
administrator@servidor:~$ ls -la /home/samba/shares
total 16
drwxrwx---+ 3 root SAVIDOCA\domain users 4096 mar 25 11:15 .
drwxrwx---+ 4 root SAVIDOCA\domain users 4096 mar 2 12:51 ..
drwxrwx---+ 2 administrator adm 4096 mar 25 11:15 wallpapers
administrator@servidor:~$ ls -la /home/samba/shares/wallpapers
total 12
drwxrwx---+ 2 administrator adm 4096 mar 25 11:15 .
drwxrwx---+ 3 root SAVIDOCA\domain users 4096 mar 25 11:15 ..
administrator@servidor:~$ getfacl /home/samba/shares/wallpapers
getfacl: Removing leading '/' from absolute path names
# file: home/samba/shares/wallpapers
# owner: administrator
# group: adm
user::rwx
user:administrator:rwx
group::rwx
group:adm:rwx
group:SAVIDOCA\134domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:group::rwx
default:group:adm:rwx
default:group:SAVIDOCA\134domain\040admins:rwx
default:mask::rwx
default:other::---
Could it be some permission on the folder?
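Samba's read list and write list only decide share-level access; the kernel still enforces the directory's owner, group, ACL entries and mask on the share path, so a group that appears in the share's lists but not in the filesystem ACL (and gets only the other:: bits) is denied. The cross-check below is an added example for this thread, not Zentyal or Samba code: it parses a share definition in shares.conf syntax and getfacl output, both constructed here to mirror the [wallpapers] share and ACL shown above, and reports every group the share grants but the filesystem would not honour.

```python
import re

# Constructed inputs mirroring the [wallpapers] share and getfacl output above.
SHARES_CONF = """\
[wallpapers]
valid users = @"cybers", @"vendedores", @"gerentes", @"tech"
read list = @"cybers", @"vendedores"
write list = @"gerentes", @"tech"
"""
GETFACL = """\
# owner: administrator
# group: adm
user::rwx
group::rwx
group:adm:rwx
group:SAVIDOCA\\134domain\\040admins:rwx
mask::rwx
other::---
"""

def share_groups(conf, name):
    """Map each option of share `name` to the groups in its @"group" list."""
    body = conf.split(f"[{name}]\n", 1)[1].split("\n[", 1)[0]
    return {k.strip(): re.findall(r'@"([^"]+)"', v)
            for k, _, v in (ln.partition("=") for ln in body.splitlines() if "=" in ln)}

def unescape(name):
    """Decode getfacl's \\NNN octal escapes (\\134 is '\\', \\040 is a space)."""
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), name)

def acl_groups(text):
    """Return (group -> effective perms, 'other' perms) from getfacl output."""
    owner_group = re.search(r"^# group: (.*)$", text, re.M).group(1)
    acl = {}
    for line in text.splitlines():          # skip comments, default: entries, noise
        if line.startswith(("user:", "group:", "mask:", "other:")):
            kind, name, perms = line.split(":")[:3]
            acl[kind, unescape(name)] = perms.split()[0]  # drop '#effective:' tails
    mask = acl.get(("mask", ""), "rwx")     # group entries are capped by the mask
    groups = {(n or owner_group): "".join(c if c in mask else "-" for c in p)
              for (k, n), p in acl.items() if k == "group"}
    return groups, acl[("other", "")]

def check_share(conf, acl_text, name):
    """List groups the share grants access to but the filesystem does not."""
    share, (acl, other) = share_groups(conf, name), acl_groups(acl_text)
    problems = []
    for opt, need in (("read list", "r"), ("write list", "w")):
        for grp in share.get(opt, []):
            perms = acl.get(grp, other)     # a group absent from the ACL gets 'other'
            if need not in perms:
                problems.append(f"{grp}: in {opt} but filesystem grants {perms}")
    return problems
```

Run against the posted ACL it flags all four groups, because only administrator, adm and Domain Admins have any bits and everyone else falls to other::---; after granting the groups named ACL entries it also catches a mask that silently strips the write bit.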
-
Solved by creating a custom directory at the path: /home/administrator/shares/wallpapers
su root
password:
#mkdir -p /home/administrator/shares/wallpapers
#chmod -R 775 /home/administrator/shares/wallpapers
#chown root:"Domain Admins" /home/administrator/shares/wallpapers
Then, in Zentyal, add the directory path to be shared with the permissions of the read and write groups.
It should be noted that Zentyal lacks some options that are important for file sharing and for the security options to work correctly. What I did was copy the configuration templates located at: /usr/share/zentyal/stubs/samba/smb.conf.mas and /usr/share/zentyal/stubs/samba/shares.conf.mas
sudo mkdir /etc/zentyal/stubs
sudo mkdir /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/
sudo cp /usr/share/zentyal/stubs/samba/shares.conf.mas /etc/zentyal/stubs/samba/
Modify the templates in this way:
* Minimum protocol set to SMB2 for protection against WannaCrypt. See article: (https://www.cyberciti.biz/faq/how-to-configure-samba-to-use-smbv2-and-disable-smbv1-on-linux-or-unix/)
* Added the missing settings for sharing files: vfs objects = acl_xattr, map acl inherit = yes, store dos attributes = yes. See article (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File).
* Customized the network adapters so that only the ones I want work with my Active Directory, excluding eth0, eth1, wlan0 and vmnet8 so they do not interfere with its operation. This may be irrelevant.
/etc/zentyal/stubs/samba/smb.conf.mas
<%args>
$workgroup
$netbiosName
$description
$mode
$realm
$domain
$roamingProfiles => 0
$profilesPath
$sysvolPath
$ifaces => undef
$shell
$radius => 0
$print => 0
$shares => 0
</%args>
<%init>
use EBox::Gettext;
</%init>
[global]
workgroup = <% $workgroup %>
realm = <% $realm %>
netbios name = <% $netbiosName %>
server string = <% $description %>
server role = <% $mode %>
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
template shell = <% $shell %>
template homedir = /home/%U
min protocol = SMB2
rpc server dynamic port range = 49152-65535
% if ($ifaces) {
interfaces = lo,eth2
bind interfaces only = yes
% }
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
% if ($radius) {
lanman auth = yes
ntlm auth = yes
% }
% if ($print) {
include = /etc/samba/printers.conf
% }
% if ($shares) {
include = /etc/samba/shares.conf
% }
% if ($mode eq 'dc') {
% if ($roamingProfiles) {
[profiles]
path = <% $profilesPath %>
browseable = no
read only = no
% }
[netlogon]
path = <% $sysvolPath %>/<% $domain %>/scripts
browseable = no
read only = yes
[sysvol]
path = <% $sysvolPath %>
read only = no
% }
* Added the missing line to the file share settings: read only = no. See article (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share).
/etc/zentyal/stubs/samba/shares.conf.mas
<%args>
@shares => ()
$unmanagedAcls => 0
$disableFullAudit => 0
$recycle => 0
$recycle_exceptions => {}
$recycle_config => {}
$prefix => 'Zentyal'
$backup_path => '/tmp'
</%args>
<%init>
use EBox::Gettext;
</%init>
[homes]
comment = <% __('Home Directories') %>
path = /home/%S
read only = no
browseable = no
create mask = 0611
directory mask = 0711
% my $rb = ($recycle xor defined($recycle_exceptions->{'users'}));
% my $objects = 'acl_xattr';
% unless ($disableFullAudit) {
% $objects .= ' full_audit';
% }
% if ($rb) {
% $objects .= ' recycle';
% }
vfs objects = <% $objects %>
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
% if ($rb) {
% foreach my $key (keys %{$recycle_config}) {
% next unless $key;
recycle: <% $key %> = <% $recycle_config->{$key} %>
% }
% }
# <% @shares ? "Shares\n" : "No shares configured" %>
% foreach my $share (@shares) {
[<% $share->{share} %>]
% if ($share->{comment}) {
comment = <% $share->{comment} %>
% }
path = <% $share->{path} %>
browseable = yes
read only = no
force create mode = 0660
force directory mode = 0660
% if ($share->{guest}) {
guest ok = yes
read only = no
% } elsif ($unmanagedAcls) {
read only = no
% } else {
valid users = <% $share->{validUsers} %>
read list = <% $share->{readOnly} %>
write list = <% $share->{readWrite} %>
admin users = <% $share->{administrators} %>
% }
% my $rb = ($recycle xor defined($recycle_exceptions->{'share'}->{$share->{'share'}}));
% my $objects = 'acl_xattr';
% unless ($disableFullAudit) {
% $objects .= ' full_audit';
% }
% if ($rb) {
% $objects .= ' recycle';
% }
vfs objects = <% $objects %>
% if ($unmanagedAcls) {
acl_xattr:ignore system acls = yes
% }
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
% if ($rb) {
% foreach my $key (keys %{$recycle_config}) {
% next unless $key;
recycle: <% $key %> = <% $recycle_config->{$key} %>
% }
% }
% }
The result was this:
/etc/samba/smb.conf
[global]
workgroup = savidoca
realm = SAVIDOCA.COM
netbios name = servidor
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
template shell = /bin/bash
template homedir = /home/%U
min protocol = SMB2
rpc server dynamic port range = 49152-65535
interfaces = lo,eth2
bind interfaces only = yes
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
include = /etc/samba/shares.conf
[netlogon]
path = /var/lib/samba/sysvol/savidoca.com/scripts
browseable = no
read only = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = no
/etc/samba/shares.conf
[homes]
comment = Directorios de usuario
path = /home/%S
read only = no
browseable = no
create mask = 0611
directory mask = 0711
vfs objects = acl_xattr full_audit
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
# Shares
[wallpapers]
comment = fondo de pantalla
path = /home/administrator/shares/wallpapers
browseable = yes
read only = no
force create mode = 0660
force directory mode = 0660
valid users = @"vendedores", @"cybers", @"tech", @"gerentes"
read list = @"vendedores", @"cybers"
write list = @"tech", @"gerentes"
admin users =
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename