[Samba] Samba Folder Permissions

Aaron E. ssureshot at gmail.com
Tue Jan 3 09:31:21 MST 2012


Check your extended ACL permissions and verify that they are enabled for 
your kernel.

On 01/03/2012 09:05 AM, Stefan Horning wrote:
> Hello list members,
> my name is Stefan, this is my first post to this mailing list, so please
> bear with me. ;)
> I am working as a Network Administrator of a small Office Network. We
> use Debian Server as Samba PDC and Fileserver.
> The Domain runs pretty well with all the Windows 7 Clients. I have just
> one thing that bugs me.
> In the groupshare we set up, users can only access folders that are
> world readable, for some reason. As a temporary fix I put all users into
> the Domain Admin group, so they can at least use the groupshare.
>
> But first of all you probably want to know the details. The Samba
> Version is 3.5.6
>
> This is my smb.conf:
> -----------------------------------------------------------------
> [global]
> netbios name = SCM-SRV-01
> server string = Domain Server (%h)
> workgroup = SCM
> interfaces = eth1 eth2 eth3
> bind interfaces only = yes
> security = user
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
> *Retype\snew\sUNIX\spassword:* %n\n .
> local master = yes
> preferred master = yes
> os level = 200
> domain master = yes
> domain logons = yes
> logon path = \\%L\%U\profile
> logon drive = h:
> logon script = login.bat
> profile acls = yes
> hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/AppData/profile.V2/
> hide dot files = yes
> wins support = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> socket options = TCP_NODELAY
>
> #======================= Share Definitions =======================
>
> [homes]
> comment = Home Directories
> browseable = no
> valid users = %S
> writeable = yes
> create mode = 0600
> directory mode = 0700
>
> [netlogon]
> comment = Network Logon Service
> path = /home/samba/netlogon
> guest ok = yes
> writeable = no
> share modes = no
>
> [groups]
> writable = yes
> path = /home/groups
> force group = users
> comment = All group folders
> create mode = 660
> directory mode = 770
> -----------------------------------------------------------------------
>
> Output of net groupmap list:
>
> Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) -> users
> Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) -> guests
> Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) ->
> domainadmin
> -----------------------------------------------------------------------
>
> Like I said everything works well, except the permissions in the share
> [groups].
>
> All linux (and therefore domain) users are in the primary group users.
> All the employees are in the group 'mitarbeiter'.
>
> So if I set /home/groups to
> drwxr-x-- 11 root users 4096 2. Jan 13:08 groups/
> the share is not accessible. Even though all users are in the group
> users and should therefore be able to read that folder.
> If I put users into the domainadmin group, group permissions work as
> expected. All employees can access subfolders of groups which are
> readable to mitarbeiter (but not others they have no permissions for)
> and can also read the content of /home/groups. So the mapping of unix
> groups from Windows7 works without problems.
>
> Folder permission in Samba can only be realized if I make folders world
> readable, which is not what I want for all folders.
>
> After extensive internet research I could not figure out what I am doing
> wrong. I also had similar samba setups where unix group permissions
> always were correctly used in samba.
>
> I suspect it being a problem with domain groups and their mapping. I
> also tried to create some samba Domain Groups and map them to the local
> unix groups, which didn't make a difference either.
>
> So I hope anybody on this list knows what the problem is. I am happy to
> give more information as needed!
>
>
> Thanks,
> Stefan Horning
>
>
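
The checks suggested in the reply, as an added example that is not part of either post: it reads kernel-config and /proc/mounts style text for POSIX ACL support, and works out what the plain mode bits on /home/groups should grant a member of `users`. The sample config, mount table, uid and gid values are constructed, and mode 0750 is assumed from the listing in the question.

```python
# Added diagnostic sketch; all sample data below is constructed, not from the poster's server.
SAMPLE_KERNEL_CONFIG = """\
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_POSIX_ACL=y
# CONFIG_EXT4_FS_POSIX_ACL is not set
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /home ext3 rw,acl,user_xattr 0 0
"""

def kernel_acl_options(config_text):
    """Kernel config options ending in _POSIX_ACL that are built in (=y)."""
    enabled = set()
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.endswith("_POSIX_ACL") and value == "y":
            enabled.add(key)
    return enabled

def mount_for(path, mounts_text):
    """Longest-prefix match of path against /proc/mounts-style lines."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, fstype, opts = fields[1], fields[2], fields[3].split(",")
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, fstype, opts)
    return best

def posix_access(mode, owner_uid, owner_gid, uid, gids):
    """Owner/group/other check; only the first matching class applies.
    Ignores root's override and any ACL entries."""
    if uid == owner_uid:
        bits = mode >> 6
    elif owner_gid in gids:
        bits = mode >> 3
    else:
        bits = mode
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

if __name__ == "__main__":
    print(sorted(kernel_acl_options(SAMPLE_KERNEL_CONFIG)))
    print(mount_for("/home/groups", SAMPLE_MOUNTS))
    # Assumed: root:users, mode 0750, gid 100 for users, uid 1001 for a domain user.
    print(posix_access(0o750, 0, 100, 1001, {100}))
```

On a real server the inputs would be `/boot/config-$(uname -r)` and `/proc/mounts`. A missing `acl` in the mount options is not conclusive on its own, since a filesystem can carry it as a default mount option (shown by `tune2fs -l`).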


