[Samba] Group permissions not working on 3.0.8

Rodrigo Severo rodrigo at fabricadeideias.com
Fri Dec 10 14:59:57 GMT 2004


I believe group permissions are not working well on Samba 3.0.8.

I have two different problems that seem to be group permission related:

1. I have the following file:

-r--rw----  1 apache_user developers_group 13285 Dec  9 12:53 index.html

I am a member of developers_group (not my primary group) and I can't 
edit this file. If I give apache_user (the file's owner) the write right 
then I can edit the file. Why?

This only happens when I access the file through Samba, on the machine 
itself these rights work as I expect, i.e., no need of write right to 
the owner.

2. I have the following directory:

dr-xrws---  1 apache_user developers_group     0 Mar 18  2004 userimages/

Again I, as a member of developers_group, should be able to create a new 
file. But I can't: permission denied. Again I ask why?

I saw some messages about group permission related problems down in 
Samba 3.0.2. Could these issues be related to this same problem?

BTW I am using LDAP based authentication.

Please help.

I'm including my smb.conf file below for your reference.


Rodrigo Severo


   workgroup = FABRICA
   netbios name = SCOTT
   encrypt passwords = Yes
   server string = Samba %v - Scott
   security = user
   interfaces =
   load printers = no
   log file = /var/log/samba/%m
   bind interfaces only = Yes
   local master = no
   domain master = no
   domain logons = Yes
     wins server =
   dns proxy = no
   create mask = 0764
   force create mode = 0660

   map archive = no

   unix extensions = yes
     wide links = no
     dos charset = CP850
     unix charset = ISO8859-1
   username map = /etc/samba/smbusuarios
     name resolve order = wins bcast hosts
     unix password sync = Yes
     passwd program = /usr/share/samba/scripts/smbldap-passwd -u %u
     passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
   ldap passwd sync = yes
     passdb backend = ldapsam:ldaps://auth.fabricadeideias.com:636
     ldap admin dn = cn=samba,ou=DSA,dc=fabricadeideias,dc=com
     ldap suffix = dc=fabricadeideias,dc=com
     ldap group suffix = ou=Group
     ldap user suffix = ou=People
     ldap machine suffix = ou=People
     ldap ssl = on
   add machine script = /usr/share/samba/scripts/smbldap-useradd -w "%u"
     add user script = /usr/share/samba/scripts/smbldap-useradd -a -m "%u"
     ldap delete dn = Yes
     delete user script = /usr/share/samba/scripts/smbldap-userdel "%u"
     add group script = /usr/share/samba/scripts/smbldap-groupadd -p "%g"
     delete group script = /usr/share/samba/scripts/smbldap-groupdel "%g"
     add user to group script = /usr/share/samba/scripts/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/share/samba/scripts/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/share/samba/scripts/smbldap-usermod -g "%g" "%u"
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:ldaps://auth.fabricadeideias.com:636
   idmap uid = 10000-20000
   idmap gid = 10000-20000

#============================ Share Definitions 

path = /dados01
force user = apache_user
force group = +developers_group
writeable = Yes
force directory mode = 070
write list = @developers_group


Rodrigo Severo
Fábrica de Idéias
SBS -Ed. Empire Center Sala 1301 - Cobertura
Fone: (61) 321 1357
Fax: (61) 223 1712


For Sys Admins paranoia isn't a mental health problem,
it's a marketable job skill.
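
An added example, not part of the original post: a Python model of the classic POSIX permission check applied to the two listings above, comparing a local login with access through the share. It assumes that `force user = apache_user` makes Samba perform file operations as apache_user (as the smb.conf documentation describes for that parameter); the numeric ids and the names `posix_allows`, `check` and `report` are constructed for illustration.

```python
R, W, X = 4, 2, 1

def posix_allows(mode, file_uid, file_gid, uid, gids, want):
    """Classic POSIX check (no ACLs, non-root): pick exactly one class,
    owner, then group, then other, and consult only that class's bits."""
    if uid == file_uid:
        bits = (mode >> 6) & 7      # owner class wins even if the group grants more
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

# Constructed numeric ids; the post gives only names.
APACHE_USER, POSTER = 1001, 10001
DEVELOPERS_GROUP, POSTER_PRIMARY = 10500, 10002

# The identity the kernel sees. VIA_SAMBA is the assumption stated in the lead-in.
LOCAL_LOGIN = (POSTER, {POSTER_PRIMARY, DEVELOPERS_GROUP})
VIA_SAMBA = (APACHE_USER, {DEVELOPERS_GROUP})

# Modes from the listings in the post; owner apache_user, group developers_group.
INDEX_HTML = 0o0460    # -r--rw----
USERIMAGES = 0o2570    # dr-xrws---

def check(mode, identity, want):
    uid, gids = identity
    return posix_allows(mode, APACHE_USER, DEVELOPERS_GROUP, uid, gids, want)

def report():
    return {
        "edit index.html, local login": check(INDEX_HTML, LOCAL_LOGIN, W),
        "edit index.html, via Samba": check(INDEX_HTML, VIA_SAMBA, W),
        "edit index.html after u+w, via Samba": check(INDEX_HTML | 0o200, VIA_SAMBA, W),
        # Creating a file needs write and search permission on the directory.
        "create in userimages/, local login": check(USERIMAGES, LOCAL_LOGIN, W | X),
        "create in userimages/, via Samba": check(USERIMAGES, VIA_SAMBA, W | X),
    }

if __name__ == "__main__":
    for case, allowed in report().items():
        print(f"{case:40s} {'allowed' if allowed else 'denied'}")
```

Under that assumption the model reproduces both symptoms in the post, including the observation that granting write permission to the owner makes the file editable through Samba.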

