[Samba] Samba Folder Permissions
Stefan Horning
stefan at hornings.de
Tue Jan 3 07:05:41 MST 2012
Hello list members,
my name is Stefan, this is my first post to this Mailinglist, so please
bear with me. ;)
I am working as a Network Administrator of a small Office Network. We
use Debian Server as Samba PDC and Fileserver.
The Domain runs pretty well with all the Windows 7 Clients. I have just
one thing that bugs me.
In the groupshare we set up, users can only access folders that are
world readable, for some reason. As a temporary fix I put all users into
the Domain Admin group, so they can at least use the groupshare.
But first of all you probably want to know the details. The Samba
Version is 3.5.6
This is my smb.conf:
-----------------------------------------------------------------
[global]
netbios name = SCM-SRV-01
server string = Domain Server (%h)
workgroup = SCM
interfaces = eth1 eth2 eth3
bind interfaces only = yes
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
local master = yes
preferred master = yes
os level = 200
domain master = yes
domain logons = yes
logon path = \\%L\%U\profile
logon drive = h:
logon script = login.bat
profile acls = yes
hide files =
/desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/AppData/profile.V2/
hide dot files = yes
wins support = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
socket options = TCP_NODELAY
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
valid users = %S
writeable = yes
create mode = 0600
directory mode = 0700
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writeable = no
share modes = no
[groups]
writable = yes
path = /home/groups
force group = users
comment = All group folders
create mode = 660
directory mode = 770
-----------------------------------------------------------------------
Output of net groupmap list:
Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) -> users
Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) -> guests
Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) -> domainadmin
-----------------------------------------------------------------------
Like I said everyting works well, except the permissions in the share
[groups].
All linux (and therefore domain) users are in the primary group users.
All the employees are in the group 'mitarbeiter'.
So if I set /home/groups to
drwxr-x-- 11 root users 4096 2. Jan 13:08 groups/
the share is not accessible. Eventhough alle users are in the group
users and should therefore be able to read that folder.
If I put users into the domainadmin group, group permissions work as
expected. All employees can access subfolders of groups which are
readable to mitarbeiter (but not others they have no permissions for)
and can also read the content of /home/groups. So the mapping of unix
groups from Windows7 works without problems.
Folder permission in Samba can only be realized if I make folders world
readable, which is not what I want for all folders.
After extensive internet research I could not figure out what I am doing
wrong. I also had similar samba setups where unix group permissions
always where correctly used in samba.
I suspect it being a problem with domain groups and there mapping. I
also tried to create some samba Domain Groups and map them to the local
unix groups, which didn't make a difference either.
So I hope anybody on this list knows what the problem is. I am happy to
give more information as needed!
Thanks,
Stefan Horning
More information about the samba
mailing list