[Samba] urgent problem with samba 4.13 and chown/chgrp

L.P.H. van Belle belle at bazuin.nl
Thu Feb 11 10:34:47 UTC 2021


Well, good question, I don't have that enabled in my smb.conf at all.

Maybe, nfs4-acl-tools is also not installed.
I do notice one difference: I don't change the primary group "domain users",
and I don't recommend others to do so. Yes,
it's a switch to "not use chmod/chown/chgrp"; I use setfacl/getfacl.

But a quick check..
Logged in with a Linux user (my linuxAdmin for the servers):
chgrp TestGroup somefile.test
chgrp: changing group of 'somefile.test': Operation not permitted

someuserl at dc0:~$ sudo chgrp TestGroup somefile.test
[sudo] password for someuserl:
works fine with sudo

Then logged in on other server, automounted nfs4.1 kerberos authed homedir,
using SSO from windows. 

chgrp "users" 'SomeFile.tar.gz' -v
chgrp: changing group of 'SomeFile.tar.gz': Operation not permitted
failed to change group of 'SomeFile.tar.gz' from domain users to users

sudo chgrp "users" 'SomeFile.tar.gz' -v
changed group of 'SomeFile.tar.gz' from domain users to users

chgrp "domain users" 'SomeFile.tar.gz' -v
changed group of 'SomeFile.tar.gz' from users to domain users

So, without sudo you cannot change to a "linux" group,
but you can change from a linux group to an AD group (if it had a GID) without sudo.

I hope it helps the topic poster.

Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via
> samba
> Sent: Thursday 11 February 2021 11:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] urgent problem with samba 4.13 and chown/chgrp
> 
> On 11/02/2021 09:47, L.P.H. van Belle via samba wrote:
> > Besides your problem.
> >
> >>>> idmap config EECSYORKUCA : range = 1000-999999
> > Now, ONLY if you didn't create a first user on Linux, you're OK here.
> > Normally we do recommend to use/start higher.
> >
> > You should not use overlapping IDs.
> >
> > see also :
> > cat /etc/addusers.conf
> >
> > Start there, at least verify you don't have any users in the assigned
> > range for samba
> 
> 
> Hi Louis, you know more about nfs than I do (I don't use it), but
> doesn't NFSv3 use Linux acls and NFSv4 use NFSv4_ACLs and if so,
> wouldn't the OP require the vfs object nfs4acl_xattr in smb.conf ?
> 
> Rowland
> 
> 
> 





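The check recommended in the quoted reply above (no local users or groups with IDs inside the configured idmap range), as an added example that is not part of the original message or of Samba. The function names are hypothetical, and the sample call in the final comment assumes smb.conf is at /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example: list local accounts whose IDs fall inside a Samba idmap range.
# It reads passwd/group files directly; `getent` would also return winbind
# (AD) entries, so every domain user would look like an overlap.

# idmap_range CONF DOMAIN: print "LOW HIGH" for "idmap config DOMAIN : range".
idmap_range() {
    awk -v dom="$2" '
        BEGIN { want = "idmapconfig" tolower(dom) ":range" }
        /^[ \t]*[#;]/ { next }                  # comment lines
        index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)              # strip spaces so spacing variants match
            if (key != want) next
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t\r]/, "", val)
            split(val, r, "-"); print r[1], r[2]; exit
        }' "$1"
}

# local_ids_in_range FILE LOW HIGH: print "name:id" for every entry of a
# passwd- or group-format FILE whose numeric ID (field 3) is in LOW..HIGH.
local_ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }' "$1"
}

# check_overlap CONF DOMAIN PASSWD GROUP: print overlaps; status 1 if any,
# 2 if the domain has no range line in CONF, 0 if the range is clean.
check_overlap() {
    range=$(idmap_range "$1" "$2")
    [ -n "$range" ] || { echo "no idmap range for $2 in $1" >&2; return 2; }
    # $range is left unquoted on purpose so it splits into LOW and HIGH.
    hits=$( { local_ids_in_range "$3" $range | sed 's/^/user  /'
              local_ids_in_range "$4" $range | sed 's/^/group /'; } )
    [ -z "$hits" ] && return 0
    echo "local IDs inside idmap range ${range% *}-${range#* }:"
    echo "$hits"
    return 1
}

# Typical call (the smb.conf path is an assumption, adjust to your system):
#   check_overlap /etc/samba/smb.conf EECSYORKUCA /etc/passwd /etc/group
```

With the range from the thread (1000-999999), a first local user at UID 1000 and the usual `nobody` account at 65534 are both reported.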