[Samba] winbind user vs group permission deny

Paul Ryan pryan at lssdata.com
Wed Sep 29 17:23:44 GMT 2004

Samba List -

Like most people new to Samba, I'm having the most trouble setting up permissions.

First of all, let me get this straight: if you use security = domain, you do not need to set up individual users on the Linux box (in an NT domain), correct?

I want all users to be able to read the files in LSSNET, and only specific users allowed to write to it.  If the folder is 775 and the group owner is LSS_A+Domain Users, everyone has read and write access.  Then to deny the write access I add read list and write list as below.  Now even though I am in all the groups and my individual user is in write list, I don't have write access.  This is because I'm also in Domain Users and the read list overrides all Samba permissions.

The other option is to change the folder to 755, but then no matter what groups I add to write access, they will not override the Unix permissions.  This means I have no way to give all users read access and only some users write access without actually creating the users on the local Linux box... and that defeats the purpose of the security = domain?

Thanks in advance for anybody who can solve this.


root# ls -lah
drwxrwxr-x 36 root  LSS_A+Domain Users 4.0K Sep 29 08:46 lssnet

   workgroup = LSS_A
   server string = Intranet Server
   log file = /var/log/samba/%m.log
   max log size = 500
   security = domain
   password server = lss_pdc bdc1 bdc2
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/private/smbpasswd

# This section added by PJR 5/25/04
# Include winbind NT domain support

   winbind separator = + 
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind use default domain = no 
   winbind cache time = 20
   winbind enum users = yes
   winbind enum groups = yes 

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server =

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no 

   force create mode = 0775
   force directory mode = 0775
   read only = yes
   veto oplock files = /*.cgi/
   guest ok = no
   browseable = no
   writable = no

# Note: This line is added for security purposes.  The following
# users should never have access to the Samba shares

  invalid users = root,bin,daemon,adm,sync,shutdown,halt,mail,news,uucp,operator,gopher

   path = /www/lssnet
   comment = Intranet Web Files
   read list = 'LSS_A+Domain Users'
   write list = LSS_A+pryan, 'LSS_A+Corp Tech', 'LSS_A+Domain Admins'

Paul Ryan, Technology Specialist
LSS Data Systems
6423 City West Parkway, Eden Prairie, MN  55344
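
Added example, not part of the original post and not Samba's own code: a simplified Python model of the two checks a write has to pass on a share like this one, the share-level rules documented in smb.conf(5) for read only, read list and write list, and then the Unix mode bits on the directory. It assumes group entries carry the '@' prefix described in the man page (the post's config lists them without it), uses a hypothetical ordinary user LSS_A+jdoe, and ignores POSIX ACLs.

```python
import stat

def in_list(user, groups, entries):
    """smb.conf list matching: '@name' or '+name' is a group, a bare name is a user."""
    for entry in entries:
        if entry[:1] in ("@", "+"):
            if entry[1:] in groups:
                return True
        elif entry == user:
            return True
    return False

def share_allows_write(user, groups, read_only, read_list, write_list):
    """Share-level gate. Per smb.conf(5), write list wins over read list and read only."""
    if in_list(user, groups, write_list):
        return True
    if in_list(user, groups, read_list):
        return False
    return not read_only

def unix_allows_write(user, groups, owner, group, mode):
    """Filesystem gate: owner, then group, then other write bit (no ACLs modelled)."""
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    if group in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def can_write(user, groups, share, directory):
    """Samba never grants more than the filesystem does: both gates must pass."""
    return (share_allows_write(user, groups, **share)
            and unix_allows_write(user, groups, **directory))

# Constructed sample values modelled on the post's share and directory.
SHARE = {"read_only": True,
         "read_list": ["@LSS_A+Domain Users"],
         "write_list": ["LSS_A+pryan", "@LSS_A+Corp Tech", "@LSS_A+Domain Admins"]}
DIRS = {"775": {"owner": "root", "group": "LSS_A+Domain Users", "mode": 0o775},
        "755": {"owner": "root", "group": "LSS_A+Domain Users", "mode": 0o755}}
USERS = {"LSS_A+pryan": {"LSS_A+Domain Users", "LSS_A+Corp Tech"},
         "LSS_A+jdoe": {"LSS_A+Domain Users"}}  # jdoe is hypothetical

def demo():
    """Return {(user, mode): write allowed?} for every user/directory pair."""
    return {(u, m): can_write(u, g, SHARE, d)
            for u, g in USERS.items() for m, d in DIRS.items()}

if __name__ == "__main__":
    for key, allowed in demo().items():
        print(key, "write" if allowed else "read-only")
```

In this model the 755 rows are always read-only for domain users, because the share-level lists can only narrow what the mode bits already permit.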
