[Samba] Permission issue with home directory and groups with deny access

Thomas Galliker doomas at gmx.ch
Sat Dec 12 16:51:52 UTC 2020


Hello,
 
I have a somewhat strange permission issue on my Samba file server (4.9.5) joined to a Samba AD server (4.12.7).
 
I normally create shares and add the following basic groups for every share. Later I assign the users/roles to these groups as needed.
 - share_sharename_d: This is the deny group, and denies access to everything on this share
 - share_sharename_r: The read group
 - share_sharename_rw: The read/write group
 - share_sharename_rwx: The full access group

Today I created a new share (\\srv-vir-009\schueler) for some user home directories. I created it as described on the Samba wiki (https://wiki.samba.org/index.php/Windows_User_Home_Folders#In_an_Active_Directory) using Windows ACLs. The only difference is that I additionally added my usual groups (share_schueler_d, share_schueler_r, share_schueler_rw, share_schueler_rwx). Then I used "Active Directory Users and Computers" to create the home directories.

The home directories were created and showed up on the share. But the user (on Windows 10) could not access the share and got a Permission denied message.

After experimenting a bit I found that the problem seems to be the "share_schueler_d" (deny everything on the share) group. The group is empty and has no members/membership assigned.

- When this group (share_schueler_d) is present on the share and I create the user home directory through "Active Directory Users and Computers", users will not be able to access their home directory.

- If I remove the group (share_schueler_d) and use "Active Directory Users and Computers" to create the home share, everything works fine.


This is the output of getfacl. The first directory (t.galliker7) was created without the deny group (share_schueler_d) added on the share and the second (t.galliker8) with the deny group. The access rights for t.galliker seem to be missing.

root at srv-vir-009:/srv/files/user/schueler# getfacl t.galliker7
# file: t.galliker7
# owner: administrator
# group: domain\040users
user::rwx
user:10512:rwx
user:t.galliker:rwx
user:11223:r-x
user:11224:rwx
user:11225:rwx
group::---
group:BUILTIN\\administrators:rwx
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:---
group:t.galliker:rwx
group:share_schueler_r:r-x
group:share_schueler_rw:rwx
group:share_schueler_rwx:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:10512:rwx
default:user:t.galliker:rwx
default:user:11223:r-x
default:user:11224:rwx
default:user:11225:rwx
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:group:t.galliker:rwx
default:group:share_schueler_r:r-x
default:group:share_schueler_rw:rwx
default:group:share_schueler_rwx:rwx
default:mask::rwx
default:other::---


root at srv-vir-009:/srv/files/user/schueler# getfacl t.galliker8
# file: t.galliker8
# owner: administrator
# group: domain\040users
user::rwx
user:10512:rwx
user:11222:---
user:11223:r-x
user:11224:rwx
user:11225:rwx
group::---
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:---
group:share_schueler_d:---
group:share_schueler_r:r-x
group:share_schueler_rw:rwx
group:share_schueler_rwx:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:10512:rwx
default:user:11222:---
default:user:11223:r-x
default:user:11224:rwx
default:user:11225:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:group:share_schueler_d:---
default:group:share_schueler_r:r-x
default:group:share_schueler_rw:rwx
default:group:share_schueler_rwx:rwx
default:mask::rwx
default:other::---

It's not really a big issue. But it seems to me like a bug.

Regards and thanks for your great work,
Thomas
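As an added diagnostic for the two getfacl dumps above (this is example code written for this page, not part of the post and not Samba's own tooling), the script below parses getfacl(1) output and computes the effective permissions a user gets from each ACL, following the POSIX.1e access-check order: owner, named user, owning group plus named groups (limited by the mask), then other. POSIX ACLs have no deny entries: a `---` group entry only withholds a grant, and access is still granted if any other matching group entry grants the bit. The embedded sample is excerpted from the dumps in the post; it is assumed that t.galliker's only matching group is "domain users" and that the user is not a member of any share_schueler_* group. The script does not claim anything about which principal the numeric entry 11222 resolves to.

```python
"""Parse getfacl(1) output and compute effective POSIX ACL permissions for a user.
Added example for the thread above; not part of the post or of Samba."""
import re
from dataclasses import dataclass, field

FULL = frozenset("rwx")


@dataclass
class Acl:
    path: str
    owner: str = ""
    group: str = ""
    access: list = field(default_factory=list)   # (tag, qualifier, frozenset of perms)
    default: list = field(default_factory=list)  # same shape, for "default:" entries


def _unescape(name):
    """getfacl prints a space as \\040 (octal escape) and a backslash as \\\\."""
    name = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)
    return name.replace("\\\\", "\\")


def parse_getfacl(text):
    """Parse one or more getfacl dumps into Acl objects keyed by the '# file:' path."""
    acls, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            cur = Acl(path=_unescape(line[7:].strip()))
            acls[cur.path] = cur
        elif line.startswith("# owner:"):
            cur.owner = _unescape(line[8:].strip())
        elif line.startswith("# group:"):
            cur.group = _unescape(line[8:].strip())
        elif line.startswith("#"):
            continue
        else:
            # drop a trailing "#effective:..." annotation, then split tag:qualifier:perms
            parts = line.split("#", 1)[0].strip().split(":")
            target = cur.access
            if parts[0] == "default":
                target, parts = cur.default, parts[1:]
            tag, qual, perms = parts[0], _unescape(":".join(parts[1:-1])), parts[-1]
            target.append((tag, qual, frozenset(c for c in perms if c in "rwx")))
    return acls


def effective_perms(acl, user, groups):
    """POSIX.1e check order: owner, named user, owning/named groups, other.
    Named-user and all group entries are limited by the mask. Group entries
    are combined: a '---' entry denies only if no other matching group grants."""
    entries = {(t, q): p for t, q, p in acl.access}
    mask = entries.get(("mask", ""), FULL)
    if user == acl.owner:
        return entries[("user", "")]
    if ("user", user) in entries:
        return entries[("user", user)] & mask
    granted, matched = set(), False
    for tag, qual, perms in acl.access:
        if tag != "group":
            continue
        if (qual == "" and acl.group in groups) or (qual and qual in groups):
            matched = True
            granted |= perms & mask
    if matched:
        return frozenset(granted)
    return entries[("other", "")]


def perm_string(perms):
    return "".join(c if c in perms else "-" for c in "rwx")


def report(acls, user, groups):
    """Effective permission string per path, e.g. {'t.galliker8': '---'}."""
    return {path: perm_string(effective_perms(acl, user, groups)) for path, acl in acls.items()}


# Constructed sample: excerpted from the two getfacl dumps in the post above.
SAMPLE = r"""
# file: t.galliker7
# owner: administrator
# group: domain\040users
user::rwx
user:t.galliker:rwx
group::---
group:BUILTIN\\administrators:rwx
group:domain\040users:---
group:share_schueler_r:r-x
mask::rwx
other::---

# file: t.galliker8
# owner: administrator
# group: domain\040users
user::rwx
user:11222:---
group::---
group:domain\040users:---
group:share_schueler_d:---
group:share_schueler_r:r-x
mask::rwx
other::---
default:user::rwx
default:group:share_schueler_d:---
"""

ACLS = parse_getfacl(SAMPLE)

if __name__ == "__main__":
    # Assumption: t.galliker's only matching group is "domain users".
    for path, perms in report(ACLS, "t.galliker", {"domain users"}).items():
        print(f"{path}: t.galliker -> {perms}")
```

To run this against a live server, feed it the real dump, for example `parse_getfacl(subprocess.check_output(["getfacl", path], text=True))`, and pass the user's resolved group names (as `getfacl` prints them, after unescaping) as the `groups` set. With the sample above it reports `rwx` for t.galliker7 and `---` for t.galliker8, which matches the symptom in the post: in the second directory there is no entry for t.galliker, so the user falls through to the `---` owning-group entry.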
