[Samba] Issue with extended ACL's in 4.10.16
Odell, Jack
Jack.Odell at options-it.com
Mon Sep 11 15:14:49 UTC 2023
Hi,
I'm having an issue with extended ACL permissions while upgrading from 4.6.2 to 4.10.16.
When upgraded, the file permissions will only allow a user's primary GID to access the directory/file.
For example:
tuser is a member of secall and secoptions.
secall is tuser's primary GID.
A dir has an ACL set for secoptions:rwx
tuser is unable to access the dir from a windows host
Adding secall:rwx to the dir allows tuser to access the dir without issue.
Trawled this document for a Boolean parameter this afternoon that would sort out this problem but came up blank: smb.conf (samba.org)<https://www.samba.org/~ab/output/htmldocs/manpages-3/smb.conf.5.html>
Any help to shed some light on this is greatly appreciated.
Current smb.conf file below:
<config>
[global]
realm = OPTIONS-IT.COM
workgroup = OPTIONS-IT
security = ads
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab /etc/krb5.keytab.stc.local
template homedir = /home/%U
idmap config * : backend = sss
idmap config * : range = 57000-59000
# idmap config OPTIONS-IT : backend = sss
# idmap config OPTIONS-IT : range = 57000-59000
# idmap config STC.LOCAL : backend = sss
# idmap config STC.LOCAL : range = 57000-59000
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
machine password timeout = 0
log level = 3
allow trusted domains = yes
# winbind scan trusted domains = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[log]
comment = var log test
path = /var/log
browseable = yes
writeable = yes
create mask = 7650
directory mask = 7770
guest ok = yes
posix locking = no
<config>
System info:
Red Hat Enterprise Linux Server release 7.9 (Maipo)
3.10.0-1160.88.1.el7.x86_64 #1 SMP Sat Feb 18 13:27:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ smbd -V
Version 4.10.16
All the best,
Jack
CONFIDENTIAL:
The information transmitted is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Whilst we take reasonable precautions to minimise risk, you must carry out your own virus checks before opening attachments or reading e-mails and we do not accept liability for any damage or loss in this respect. This e-mail and its attachments may be subject to copyright protection and you should not retransmit or reproduce these without the consent of the author. Non-business related content is not authorised by us and we shall not be liable for it. We are also not responsible for changes made or occurring after this message was sent.
Options Technology Ltd.
50 Pall Mall,
St James,
London,
SW1Y 5JH
Tel: +44 20 7070 5000 Fax: +44 20 7070 5001
Options Information Technology LLC
28 Liberty St, 9th Floor,
New York, NY 10005.
Tel: 646 205 2500 Fax: 646 205 2501
Options Technology (Asia) Ltd.
503C The Golden Center,
188 Des Voeux Road, Central, Hong Kong
Tel: +852 3166 5000 Fax: +852 3166 5001
http://www.options-it.com
More information about the samba
mailing list