[Samba] Users cannot rename, delete files on AD-member Samba
rayklassen at gmail.com
Fri Apr 10 20:39:09 GMT 2009
What about unix extensions? enabled or disabled? Unix extensions seem
to bypass force group statements...
On Fri, Apr 10, 2009 at 10:26 AM, Jeremy Allison <jra at samba.org> wrote:
> On Fri, Apr 10, 2009 at 11:46:53AM -0400, Goldschrafe, Jeffrey wrote:
>> Hi there!
>> I'm having some strange permissions issues with one of my systems that's
>> on an Active Directory domain.
>> Here's the basic background:
>> - System is joined to AD domain. Users authenticate fine via Kerberos,
>> and are authorized via an AD user group. They can browse the share,
>> create files, etc. without incident. "valid users" lets them in.
>> - User information for the system (nsswitch) comes out of LDAP. The
>> LDAP is non-AD (a legacy OpenLDAP setup), but the usernames all line up
>> and Samba can resolve each user's UID/GID and secondary groups without a
>> - The share is semantically owned by a single Unix group.
>> - That security group is mapped in "net groupmap" to a Unix group. I'm
>> not entirely sure if this is actually necessary.
>> - Share has "force create mode = 0664" and "force directory mode =
>> 0775" to ensure that files are writable by the group by default.
>> When a user connects to the share using a Windows client (XP or Vista),
>> they are unable to rename folders, and unable to rename or delete files.
>> They are able to delete folders, as long as the folders do not contain
>> any files. This means that when using Explorer to create a file or
>> folder, it can be created with the default name (e.g. "New Folder" or
>> "New Text Document.txt") but any attempt to assign a
>> semantically-meaningful name will fail with an "access denied" error.
>> This applies to renaming existing files as well, of course.
>> When the same user connects from a Mac or Linux client, through Finder,
>> Dolphin or smbclient, the same exact operations work. The user can
>> rename and delete just fine as long as it isn't from Windows.
> We need to see level 10 logs of what is going on here before we
> can determine the problem. What version of Samba are you using ?
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba