[Samba] Samba 4.6.2 does not inherit setgid bit (anymore)
Lorenzo Delana
lorenzo.delana at gmail.com
Fri Feb 2 17:04:05 UTC 2018
Thanks for the suggestion; in other words, you use only ACLs for users,
denying all for groups. Unfortunately we had many groups such as domain
users, secretary, finance, etc. belonging to users for which we need to
apply at least 770 in order to gain simplified permission management
using groups.
The actual dirty workaround I applied was to track new files/dirs by
tailing with follow (tail -f) an smbd_audit.log filtered through
rsyslog for messages generated by Samba full_audit configured to log the
"create_file" event; the problem here is that sometimes Samba full_audit
reports the event of a file or folder being created while the element isn't on the
disk yet, so as a security checkpoint I ended up applying a chgrp -R root
nightly.
All of these problems could easily be resolved if there existed an
option such as a hypothetical "force item group" that allowed me to force
the group for created items (note that the current "force group"
option does not work for me because it applies as an impersonation of a group
for the authenticated user, generating more security problems).
Lorenzo Delana
On 02/02/2018 17:15, Dale Renton wrote:
>
> Have you found a solution that makes "force directory mode = 2770"
> apply to newly created folders?
>
>
> We have noticed the same thing in CentOS 7. The setgid no longer works
> like it did before, so now we create our shares like this, following
> the instructions from the wiki.
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>
>
> # chmod 700 /u01/test
> # chown root:root /u01/test
> # setfacl -m group::--- /u01/test
> # setfacl -m default:group::--- /u01/test
> # setfacl -m other::--- /u01/test
> # setfacl -m default:other::--- /u01/test
> # setfacl -m group:unixadmins:rwx /u01/test
> # setfacl -m default:group:unixadmins:rwx /u01/test
>
>
> smb.conf
>
> [test]
> comment = test
> path = /u01/test
> read only = No
> inherit acls = yes
>
>
> Dale
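Lorenzo's audit-log workaround above, as an added example that is not code from the thread: a small Python pass that pulls paths out of create_file events, ignores failed creates, and defers items that full_audit reported before they exist on disk (the race he describes) so they are retried on the next pass instead of being left for the nightly chgrp -R. The log line layout, host names and paths are constructed; the parser only assumes the path is the last pipe-separated field, and os.lchown is called with uid -1 so only the group changes.

```python
import os
import re

# Constructed sample lines (not from the thread) in the shape full_audit writes:
# a "%u|%I" prefix, the operation, ok/fail, then the operation's arguments.
# The exact argument layout of create_file varies between Samba versions, so the
# parser only assumes that the path is the last pipe-separated field.
SAMPLE_LOG = """\
Feb  2 17:04:05 fs1 smbd_audit: alice|10.0.0.5|create_file|ok|0x1|file|/srv/share/finance/report.xlsx
Feb  2 17:04:06 fs1 smbd_audit: bob|10.0.0.6|create_file|fail|0x1|file|/srv/share/finance/denied.txt
Feb  2 17:04:07 fs1 smbd_audit: bob|10.0.0.6|open|ok|r|/srv/share/finance/report.xlsx
Feb  2 17:04:08 fs1 smbd_audit: carol|10.0.0.7|create_file|ok|0x1|dir|/srv/share/finance/2018
"""

CREATE_RE = re.compile(
    r"smbd_audit: [^|]*\|[^|]*\|create_file\|(?P<result>ok|fail)\|(?P<args>.*)$"
)

def created_paths(log_text):
    """Paths of successful create_file events, in log order, without duplicates."""
    paths = []
    for line in log_text.splitlines():
        m = CREATE_RE.search(line)
        if not m or m.group("result") != "ok":
            continue
        path = m.group("args").split("|")[-1]
        if path not in paths:
            paths.append(path)
    return paths

def fix_group(paths, gid, exists=os.path.lexists, chown=os.lchown):
    """Set the group on each path that exists; return (fixed, deferred).
    Items the audit hook reported before they appeared on disk land in
    `deferred` so the caller can retry them instead of waiting for the
    nightly chgrp -R pass."""
    fixed, deferred = [], []
    for p in paths:
        if not exists(p):
            deferred.append(p)
            continue
        chown(p, -1, gid)  # uid -1 keeps the owner; only the group changes
        fixed.append(p)
    return fixed, deferred

if __name__ == "__main__":
    # Dry run: no real chown, just report what a live pass would do.
    fixed, deferred = fix_group(created_paths(SAMPLE_LOG), 0,
                                chown=lambda p, u, g: print("chgrp", g, p))
    print("deferred:", deferred)
```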