[Samba] Samba 4.6.2 does not inherit setgid bit (anymore)
Vincent
maillist at iveze.nl
Mon Feb 5 16:47:10 UTC 2018
Hi Lorenzo and Dale,
My setup is like Lorenzo's completely based on setgid being propagated.
The filesystem should determine the group used starting at a certain
directory. Different "root" directories have different groups, and
security is based on groups, not users.
I tried all sorts of settings combinations, also "force directory mode
= 2770", but none propagates setgid.
The odd thing is that it has worked fine for years on versions below
4.2.10. Only after updating to 4.6.2 it completely stopped working. I
wonder if it is a new feature to neglect setgid completely, or that it
is a bug and that I may expect it working again in future versions.
Kind regards, Vincent
On 02/02/2018 18:04, Lorenzo Delana via samba wrote:
> thanks for the suggestion, in other words you use only ACLs for users
> denying all for groups, unfortunately we had many groups such as domain
> users, secretary, finance, etc belonging to users for which we need to
> apply at least 770 in order to gain a simplified permission management
> using groups
>
> the actual dirty workaround I applied was to track new files/dirs by
> tailing with follow ( tail -f ) a smbd_audit.log filtered through
> rsyslog for messages generated by samba full_audit configured to
> listen to the "create_file" event; the problem here is that sometimes
> samba full_audit reports the event of a file or folder created but the
> element isn't on the disk yet, so as a security checkpoint I ended up
> applying a chgrp -R root nightly on a daily basis.
>
> all of these problems could easily be resolved if there existed an
> option such as a hypothetical "force item group" that allowed me to
> force the group for created items ( note that the current "force
> group" option does not work for me because it applies as an
> impersonation of a group for the authenticated user, generating more
> security problems ).
>
>
> Lorenzo Delana
> On 02/02/2018 17:15, Dale Renton wrote:
>>
>> have you found a solution that makes "force directory mode = 2770"
>> able to apply to new created folders ?
>>
>>
>> We have noticed the same thing in CentOS 7. The setgid no longer
>> works like it did before, so now we create our shares like this
>> following the instructions from the wiki.
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>>
>>
>> # chmod 700 /u01/test
>> # chown root:root /u01/test
>> # setfacl -m group::--- /u01/test
>> # setfacl -m default:group::--- /u01/test
>> # setfacl -m other::--- /u01/test
>> # setfacl -m default:other::--- /u01/test
>> # setfacl -m group:unixadmins:rwx /u01/test
>> # setfacl -m default:group:unixadmins:rwx /u01/test
>>
>>
>> smb.conf
>>
>> [test]
>> comment = test
>> path = /u01/test
>> read only = No
>> inherit acls = yes
>>
>>
>> Dale
>
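
Added example, not part of the original thread and not Samba tooling: a shell audit for the drift discussed above. It lists directories under a share root that lack the setgid bit and entries whose group differs from the expected one, with a targeted repair in place of a blanket chgrp -R. The function names and the /srv/share path are assumptions, and GNU find is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU find/chgrp/chmod on Linux. Symlinks are skipped so that
# nothing outside the share root is ever touched.

# audit_share ROOT GROUP
#   NOSGID <dir>   directory without the setgid bit (new entries created
#                  in it will not inherit the share group)
#   GROUP  <path>  file or directory not owned by GROUP (name or gid)
audit_share() {
    root=$1
    group=$2
    find "$root" -type d ! -perm -2000 -exec printf 'NOSGID %s\n' {} +
    find "$root" ! -type l ! -group "$group" -exec printf 'GROUP %s\n' {} +
}

# repair_share ROOT GROUP
#   Fix only the entries that drifted, instead of a blanket "chgrp -R".
#   chgrp runs first because a group change may clear the setgid bit.
repair_share() {
    root=$1
    group=$2
    find "$root" ! -type l ! -group "$group" -exec chgrp "$group" {} +
    find "$root" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Usage: sh audit.sh /srv/share sharegroup   (path and group are placeholders)
if [ "$#" -ge 2 ]; then
    audit_share "$1" "$2"
fi
```

Running the audit from cron and alerting on any output shows when the share stops propagating setgid, for example after a Samba upgrade.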