[Samba] Share Permissions on an ADS member server [NOT PROTECTIVELY MARKED]

Nigel.Pain at scotland.gsi.gov.uk Nigel.Pain at scotland.gsi.gov.uk
Wed Feb 24 09:16:04 MST 2010


Samba 3.4.5 
Solaris 9 
Windows 2000 AD domain 
Heimdal Kerberos 1.3.1 

Samba is configured and the server is joined to the domain. wbinfo works
as it should do, and so did getent when I had enumeration turned on. I
can view and change security properties from a Windows client (as a
member of the owner group).

I've created a share and set permissions to directories within it.
However, Samba does not seem to be honouring permissions for domain

For example, from Windows clients any domain user can write to the
directory /testshare/Communities/HASS which has the following POSIX

# file: Communities/HASS 
# owner: u101529 
# group: dl raes b isis css 
group::rwx              #effective:rwx 
group:sdmu:rwx          #effective:rwx 
group:housing:rwx               #effective:rwx 
group:dl just v cas:r-x         #effective:r-x 
group:dl just b cas hass:rwx            #effective:rwx 
default:group:dl just v cas:r-x 
default:group:dl just b cas hass:rwx 

Groups "dl raes b isis css", "dl just v cas" and "dl just b cas hass"
and user u101529 are from the domain, the other groups are native UNIX
ones. My understanding is that only the owner and members of sdmu,
housing, "dl raes b isis css" and "dl just b cas hass" should be able to
write to this directory and nobody in groups not listed in the ACLs
should even be able to open it. Native UNIX users and groups are still
bound by these permissions. 

This is doing my head in so any insights would be welcome! 


        unix charset = LOCALE 
        workgroup = OURDOMAIN 
        realm = OUR.REALM 
        server string = MC18UNXA 
        bind interfaces only = Yes 
        security = ADS 
        password server = dc.our.realm 
        ntlm auth = No 
        client NTLMv2 auth = Yes 
        log level = 3 
        log file = /usr/local/samba/var/log.%m 
        max log size = 100 
        domain master = No 
        idmap alloc backend = tdb 
        idmap uid = 70000-200000 
        idmap gid = 70000-200000 
        winbind use default domain = Yes 

        path = /testshare 
        read only = No 
        acl group control = Yes 
        inherit permissions = Yes 
        inherit acls = Yes 

Nigel Pain 
The Scottish Government 
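To work out what the POSIX ACL above should allow before looking at Samba at all, here is a small evaluator, added as an example and not code from the original post, that parses getfacl-style output and applies the POSIX.1e access check order (owner, named users, owning and named groups under the mask, then other). The sample ACL is the listing from the post; its user::, mask:: and other:: lines are not in the truncated listing and are assumed here, as are the constructed principals and their group lists.

```python
"""POSIX ACL evaluator for getfacl-style output (added example, not code
from the original post).

Access check order follows POSIX.1e: the owner entry, then named user
entries, then the owning group and named group entries (all subject to the
mask), then other. A user who matches any group entry never falls through
to 'other', even if none of the matching entries grants the request.
"""

# The ACL from the post. Lines marked ASSUMED are not in the original
# listing and are filled in so that the check can run.
SAMPLE_ACL = """\
# file: Communities/HASS
# owner: u101529
# group: dl raes b isis css
user::rwx                               #ASSUMED: not shown in the post
group::rwx              #effective:rwx
group:sdmu:rwx          #effective:rwx
group:housing:rwx               #effective:rwx
group:dl just v cas:r-x         #effective:r-x
group:dl just b cas hass:rwx            #effective:rwx
mask::rwx                               #ASSUMED: not shown in the post
other::---                              #ASSUMED: not shown in the post
default:group:dl just v cas:r-x
default:group:dl just b cas hass:rwx
"""

ALL = frozenset("rwx")


def _perms(s):
    """'r-x' -> frozenset({'r', 'x'})."""
    return frozenset(c for c in s if c in "rwx")


def parse_acl(text):
    """Parse getfacl output. default: entries are ignored because they only
    shape ACLs of newly created children, not access to this directory."""
    acl = {"owner": None, "group": None, "user_obj": frozenset(),
           "group_obj": frozenset(), "users": {}, "groups": {},
           "mask": ALL, "other": frozenset()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                acl["owner"] = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                acl["group"] = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()   # drop '#effective:' annotation
        if line.startswith("default:"):
            continue
        # split on the first two colons only: qualifiers may contain spaces
        tag, qualifier, perms = line.split(":", 2)
        perms = _perms(perms)
        if tag == "user":
            (acl["users"].__setitem__(qualifier, perms) if qualifier
             else acl.__setitem__("user_obj", perms))
        elif tag == "group":
            (acl["groups"].__setitem__(qualifier, perms) if qualifier
             else acl.__setitem__("group_obj", perms))
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def can(acl, user, groups, want):
    """True if `user` (a member of `groups`) is granted every bit in `want`."""
    want = _perms(want)
    if user == acl["owner"]:
        return want <= acl["user_obj"]
    if user in acl["users"]:
        return want <= (acl["users"][user] & acl["mask"])
    candidates = [p for g, p in acl["groups"].items() if g in groups]
    if acl["group"] in groups:
        candidates.append(acl["group_obj"])
    if candidates:
        # some single matching group entry must grant all requested bits
        return any(want <= (p & acl["mask"]) for p in candidates)
    return want <= acl["other"]


# Constructed principals: domain user -> groups in its token (names made up).
PRINCIPALS = {
    "u101529": ["dl raes b isis css"],          # the owner
    "hass-member": ["dl just b cas hass"],
    "cas-viewer": ["dl just v cas"],
    "housing-user": ["housing"],
    "random-domain-user": ["domain users"],
}


def who_can(want, principals=PRINCIPALS, acl_text=SAMPLE_ACL):
    """Sorted list of principals granted `want` on the sample directory."""
    acl = parse_acl(acl_text)
    return sorted(u for u, g in principals.items() if can(acl, u, g, want))


if __name__ == "__main__":
    print("can write:", who_can("w"))
    print("can enter:", who_can("x"))
```

This evaluates the ACL the way the filesystem does for a given uid and group list; it says nothing about whether that is the token smbd actually runs with. The group list winbind builds for a domain user (`wbinfo --user-groups` on the member server) is what gets compared against the "dl ..." entries, so a user who can write despite matching no rwx entry points at the token or the mapping of those groups, not at the ACL itself.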

