Seeking clarification

John H Terpstra - Samba Team jht at
Fri May 22 15:29:27 GMT 2009

simo wrote:
> On Thu, 2009-05-21 at 23:51 -0500, John H Terpstra - Samba Team wrote:
>> Can someone please clarify if the following behavior is a bug or an
>> expected feature.
>> Samba-3.3.4 - ADS Domain Member server.  Obviously, running winbind.
>> The following describes the problem as reported by the Samba admin."
>> There are several domain users that are members of the Domain Admins group.
>> Execution on the Linux (RHEL5.3) system of the following command shows
>> that two users have the Domain Admins group as their primary group, the
>> other users' primary group is Domain Users, with secondary membership in
>> Domain Admins.
>> The problem the site is complaining about is the regardless, any user
>> who is a member of the Domain Admins group creates files and folders on
>> the RHEL5.3 Linux system - but the owner and group are set to UID is
>> root, GID is "Domain Admins".  The problem then is that users who are
>> not members of the Domain Admins group can not manage permissions on the
>>  root owned and "Domain Admins" group owned files, nor can they write to
>> folders so owned.  I know this can be changed by opening up the UGO
>> permissions or by setting POSIX ACLs - but that is undesirable for other
>> reasons.
>> When the same users who are Domain Admins members create files and
>> folders on a Windows Server 2003 system, they end up being owned by the
>> correct user, and that users' primary group.  The same happens with
>> Samba 3.2.7.
>> It seems that Samba-3.3.4 behaves differently from 3.2.7 and differently
>> from Windows Server 2003.
>> Is this a bug? If so, should I file a bug report?
>> Thanks for tuning in, and thanks for any responses provided.
> Can't say w/o seeing smb.conf, are you sure they have not put these
> users in the 'admin users' list ?
> That would make them be root on the machine, and would explain why files
> are created as root.
> Simo.


Here is the smb.conf file. As you can see, no "admin users" have been

John T.

        workgroup = HOSTREL
        realm = HOSTREL.LCL
        netbios name = RES-CIFS-00
        server string = RES CIFS
        security = ADS
        restrict anonymous = 2
        client NTLMv2 auth = Yes
        log level = 1
        log file = /var/log/samba/log.%L.%m
        max log size = 0
        load printers = No
        disable spoolss = Yes
	kernel oplocks = No
        os level = 0
        wins server =
        ldap ssl = no
        idmap backend = tdb
        idmap uid = 2000000-2999999
        idmap gid = 2000000-2999999
        winbind separator = +
        winbind cache time = 3000
        winbind enum users = Yes
        winbind enum groups = Yes
        idmap config HOSTREL:backend = tdb
        winbind:ignore domains = HOSTREACT.LOCAL
        fileid:mapping = fsname
        force unknown acl user = Yes
        include = /etc/samba/.conf
        vfs objects = fileid

        comment = Relativity Share1
        path = /mnt/cifs1/toplevel
        valid users = "@HOSTREL+Domain Users"
        read only = No
        fileid:mapping = fsname

        comment = Relativity Share2
        path = /mnt/cifs2/toplevel
        valid users = "@HOSTREL+Domain Users"
        read only = No
        fileid:mapping = fsname

More information about the samba-technical mailing list