[Samba] Samba 4.2.0: Group write permission not honored

Thomas Schulz schulz at adi.com
Tue Apr 21 12:34:59 MDT 2015


>>>> Hello Thomas
>>>>
>>>> Am 06.04.2015 um 17:22 schrieb Thomas Schulz:
>>>>> For anyone considering using Samba 4.2.0, be aware that there is a
>>>>> problem with group write permission not being honored.
>>>>>
>>>>> This is seen on both Linux and Solaris. We have a setup where we have
>>>>> project directory trees where the files are owned by various users but
>>>>> also by a group that the various users are a member of. The group
>>>>> permissions are set to allow group write access. With Samba 4.1.* and
>>>>> earlier everyone in the group can create files in these directories.
>>>>> With Samba 4.2.0, we get an 'Access is denied' error.
>>>>
>>>> Is there already a bug report about that? If not, please open one, to
>>>> get this fixed. Thanks.
>>>>
>>>> https://www.samba.org/~asn/reporting_samba_bugs.txt
>>>>
>>>>
>>>> Regards,
>>>> Marc
>>>
>>> I opened Bug 11192. I realized just a moment ago that I had forgotten
>>> to include that information.
>> 
>> Do you have additional information, like:
>> 
>> - smb.conf
>> - where do the unix users/groups come from (ldap, AD (winbind/ssd),
>> local/nis Database)
>> 
>> I have a bug
>> 
>> https://bugzilla.samba.org/show_bug.cgi?id=11082
>> 
>> open and I am wondering if it could be related
> 
> The unix users/groups come from nis. I am not running winbindd except
> occasionally as a test to see if it makes a difference. I set the group
> permissions using the unix command 'chmod g+w'. On many of the directories
> there is an acl set to force the default group permission to include
> write.
> 
> The smb.conf is as follows:
> 
> # Global parameters
> [global]
>         workgroup = ADI
>         realm = adi.com
>         security = ADS
>         client NTLMv2 auth = No
>         name resolve order = bcast host
>         client signing = if_required
>         client ldap sasl wrapping = plain
>         winbind sealed pipes = No
>         require strong key = No
>         idmap config * : backend = tdb
>         dos filemode = Yes
>         msdfs root = Yes
> 
> [zacltest2]
>         comment = Acl test
>         path = /home/users/schulz/tmp
>         read only = No
>         inherit permissions = Yes
> 
> 
> For a directory with an ACL, the ACL looks like this:
> 
> # file: acltest2
> # owner: atest
> # group: atest
> user::rwx
> group::rwx              #effective:rwx
> mask:rwx
> other:r-x
> default:user::rwx
> default:group::rwx
> default:mask:rwx
> default:other:r-x

My report is somewhat incorrect. The problem with not honoring group
write permissions only occurs if winbindd is running. I never ran
winbindd with Samba 4.1.*. I started running it because of the problems
reported in Bug 11098. As reported there, it is possible to run Samba 4.2.*
without running winbindd if I use security=ads. If I do not run winbindd
then the group write permissions are honored.

I just tried Samba 4.1.17 and it has the same problem with using group
write permissions if winbindd is running. So this is not a regression,
at least not one against 4.1.*. 

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com

