[Samba] Can't get permission on a share to work problem with groups

Horace mailinglist at lhplan.tk
Sun Feb 9 09:29:13 MST 2014 

On 2014-02-09 11:09, Rowland Penny wrote:
> On 09/02/14 15:38, Horace wrote:
>> On 2014-02-09 09:29, Rowland Penny wrote:
>>> On 09/02/14 10:48, Horace wrote:
>>>> On 2014-02-09 05:19, Rowland Penny wrote:
>>>>> On 24/01/14 21:05, Horace wrote:
>>>>>> Hello,
>>>>>> 
>>>>>> 1. I have created a directory /srv/samba4/Public Applications.
>>>>>> 2. I created a group 'Domain Admins' with gid 1003
>>>>> When you say that you created a group called 'Domain Admins', just 
>>>>> how
>>>>> did you create it? or do you mean that you added the gidNumber 
>>>>> '1003'
>>>>> to the already existing group in AD?
>>>>> 
>>>>> Rowland
>>>>> 
>>>> I am referring to the UNIX group I created with 'groupadd' command 
>>>> and modified the Builtin AD group 'ACCOUNTSAD\Domain Admins' and 
>>>> changed the existing gidNumber to 1003. So AD Users that members of 
>>>> 'ACCOUNTSAD\Domain Admins' can write to the directory.
>>>>>> 3. I setfacl -m group:1003:rwx on Public Applications
>>>>>> 4. I created a share
>>>>>> [Public Applications]
>>>>>>     read list = @ACCOUNTSAD\"Domain Users"
>>>>>>     write list = @"Domain Admins"
>>>>>>     comment = Public Applications
>>>>>>     path = /srv/samba4/Public Applications
>>>>>>     #admin users = @"Domain Admins"
>>>>>> 5. wbinfo --group-info 'Domain Admins'
>>>>>> ACCOUNTSAD\Domain Admins:*:1003:
>>>>>> 
>>>>>> Debug level
>>>>>> # Debug logging information
>>>>>> #log level = 10
>>>>>> log level = 3
>>>>>> #log file = /var/log/samba.log.%m
>>>>>> #max log size = 50
>>>>>> debug timestamp = yes
>>>>>> syslog only = yes
>>>>>> 
>>>>>> 
>>>>>> As anyone can see, I like Domain Admins read write access and 
>>>>>> Domain Users read access only. For whatever reason, when I access 
>>>>>> the share \\PDC-S2\Public Applications and try to create a folder, 
>>>>>> I get Permission denied.
>>>>>> 
>>>>>> I have tailed both syslog's and log.smbd and there is NO relevant 
>>>>>> information regarding why this is failing.
>>>>>> 
>>>>>> Am I doing something wrong here ?
>>> OK, The problem here is that you are dealing with an Active Directory
>>> server, it would be better if you just used ACL's.
>>> 
>>> I personally wouldn't have mapped 'Domain Admins' to 'Domain Admins',
>>> in fact I am surprised that you could create a unix Group with the
>>> same name as a domain group, or did you create it before the join?
>>> 
>>> I would remove the local group 'Domain Admins' and create a new one,
>>> perhaps 'dom_admins', I would not use one with a space in the name,
>>> unix doesn't like spaces ;-)
>>> 
>>> Also if you are using the standard mappings, 'Domain Users' is mapped
>>> to the local group 'users' or gid '100'
>>> 
>>> What I would here is, alter smb.conf to this:
>>> 
>>> [Public_Applications]
>>>     comment = Public Applications
>>>     path = /path/to/Public_Applications
>>>     read only = no
>>> 
>>> Then:
>>> 
>>> setfacl -dm group:<gid of dom_admins>:rwx 
>>> /path/to/Public_Applications
>>> 
>>> setfacl -dm group:100:r-x /path/to/Public_Applications
>>> 
>>> This should get you the results that you require, only members of
>>> 'Domain Admins' can create files & folders, but members of 'Domain
>>> Users' can read them.
>>> 
>>> Rowland
>> 
>> This is a much simpler way of doing this. Anyhow, I ran into a slight 
>> problem, although I can write into Public_Applications but unfortunate 
>> the smbd process writes creates files/folders with uid 300000 and gid 
>> 100 ? 300000 is mapped to Administrators which is awkward ? Why isn't 
>> it using the login name? Is this default behavior when you don't 
>> specific 'valid users'?
> 
> You wanted anybody in the 'Domain Admins' group to be able to write to
> a dir, but members of 'Domain Users' only to be able to read anything
> in the dir, there was no mention of individual users.
> 
> Having said that, you are mixing up unix permissions and ACL's, they
> are very different. With unix you have user:group:others i.e. one
> user, one group and then everybody/group else whereas with ACL's you
> can have multiple users, multiple groups and of course others.
> 
> The way that I suggested gave you ownership by 'Domain Admins' and the
> ability to read by 'Domain Users', you could also give a user that
> isn't a member of either group access with:
> 
> setfacl -m user:testuser:rwx /path/to/Public_Applications/afile
> 
> It will still show as being owned by  3000000:users on linux, but does
> this matter if only the people/groups shown in the ACL have access?
> Try looking at a files permissions from windows.
> 
> Rowland

Oh, let me clear up some confusion, the idea is not preventing an 
individual access to the Share... All 'Domain Admins' should have write 
access to that Share, however without smbd using the login name for the 
owner on Linux side, I won't know who upload what. On the Windows side 
(which is Windows 8.1 Enterprise) the permissions that are listed after 
I uploaded a test folder:

CREATOR OWNER
CREATOR GROUP
Domain Users Read and Execute
Administrators Full Control

So I am assuming that this is indeed default behavior then and I would 
have to use 'force user = %u'? Further more, I am not to sure if I am 
happy with users having complete access 'rwx'. I would have to think 
that part through regarding the 'users' issue.

Regards

More information about the samba mailing list