Stefan Horning stefan at hornings.de
Tue Jan 3 07:05:41 MST 2012

Hello list members,
my name is Stefan, this is my first post to this mailing list, so please 
bear with me. ;)
I am working as a Network Administrator of a small Office Network. We 
use Debian Server as Samba PDC and Fileserver.
The Domain runs pretty well with all the Windows 7 Clients. I have just 
one thing that bugs me.
In the groupshare we set up, users can only access folders that are 
world readable, for some reason. As a temporary fix I put all users into 
the Domain Admin group, so they can at least use the groupshare.

But first of all you probably want to know the details. The Samba 
Version is 3.5.6

This is my smb.conf:
    netbios name = SCM-SRV-01
    server string = Domain Server (%h)
    workgroup = SCM
    interfaces = eth1 eth2 eth3
    bind interfaces only = yes
    security = user
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    local master = yes
    preferred master = yes
    os level = 200
    domain master = yes
    domain logons = yes
    logon path = \\%L\%U\profile
    logon drive = h:
    logon script = login.bat
    profile acls = yes
    hide files = 
    hide dot files = yes
    wins support = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    socket options = TCP_NODELAY

#======================= Share Definitions =======================

    comment = Home Directories
    browseable = no
    valid users = %S
    writeable = yes
    create mode = 0600
    directory mode = 0700

    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = yes
    writeable = no
    share modes = no

    writable = yes
    path = /home/groups
    force group = users
    comment = All group folders
    create mode = 660
    directory mode = 770

Output of net groupmap list:

Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) -> users
Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) -> guests
Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) -> domainadmin

Like I said, everything works well, except the permissions in the share 

All linux (and therefore domain) users are in the primary group users. 
All the employees are in the group 'mitarbeiter'.

So if I set /home/groups to
drwxr-x-- 11 root users 4096  2. Jan 13:08 groups/
the share is not accessible. Even though all users are in the group 
users and should therefore be able to read that folder.
If I put users into the domainadmin group, group permissions work as 
expected. All employees can access subfolders of groups which are 
readable to mitarbeiter (but not others they have no permissions for) 
and can also read the content of /home/groups. So the mapping of unix 
groups from Windows7 works without problems.

Folder permission in Samba can only be realized if I make folders world 
readable, which is not what I want for all folders.

After extensive internet research I could not figure out what I am doing 
wrong. I also had similar samba setups where unix group permissions 
were always correctly used in samba.

I suspect it being a problem with domain groups and their mapping. I 
also tried to create some samba Domain Groups and map them to the local 
unix groups, which didn't make a difference either.

So I hope anybody on this list knows what the problem is. I am happy to 
give more information as needed!

Stefan Horning
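
An added example, not part of the original post: a small model of the POSIX owner/group/other check that the reasoning about `/home/groups` above relies on, run over constructed metadata. The uid/gid numbers and the `projekt` subfolder are assumptions; root bypass and ACLs are not modeled.

```python
# Constructed metadata mirroring the listing in the post: /home/groups is
# root:users with mode 0750. All uid/gid numbers are made up for illustration.
GID_USERS, GID_MITARBEITER = 100, 1001
TREE = {
    "/home": (0, 0, 0o755),
    "/home/groups": (0, GID_USERS, 0o750),
    "/home/groups/projekt": (0, GID_MITARBEITER, 0o770),  # hypothetical subfolder
}

def class_bits(uid, gids, owner, group, mode):
    """Return the rwx triplet that applies; exactly one class is selected."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7  # neither owner nor group member: only "other" counts

def can_list(uid, gids, path, tree=TREE):
    """True if every parent is searchable (x) and the target is r-x for the caller."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        cur = "/" + "/".join(parts[:i])
        owner, group, mode = tree[cur]
        bits = class_bits(uid, gids, owner, group, mode)
        need = 0o5 if i == len(parts) else 0o1
        if bits & need != need:
            return False
    return True

if __name__ == "__main__":
    uid = 1000  # constructed non-root user
    cases = {
        "groups resolved (users, mitarbeiter)": {GID_USERS, GID_MITARBEITER},
        "only mitarbeiter resolved": {GID_MITARBEITER},
        "no groups resolved": set(),
    }
    for label, gids in cases.items():
        for path in ("/home/groups", "/home/groups/projekt"):
            print(f"{label:40} {path:24} {can_list(uid, gids, path)}")
```

If the group list the server process holds for a session lacks `users`, only the "other" bits apply, which matches the symptom that only world-readable folders are reachable; comparing `id <username>` on the server with each path component's group owner shows which case applies.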

