[Samba] Samba Folder Permissions

Stefan Horning stefan at hornings.de
Tue Jan 3 10:43:51 MST 2012


Hi Aaron,
thanks for your reply. I already have the /home partition mounted with
ACLs enabled. However, I don't use ACL permissions for the described
folders. If I set permissions with setfacl, I would just give the
same permissions as with unix rights. I only need one group to have
rwx access, nothing more. In other Samba setups I used, that was never a
problem, but those were not domain setups...

Stefan


On 03.01.2012 17:31, Aaron E. wrote:
> Check your extended ACL permissions and verify that they are enabled for
> your kernel..
>
> On 01/03/2012 09:05 AM, Stefan Horning wrote:
>> Hello list members,
>> my name is Stefan, this is my first post to this mailing list, so please
>> bear with me. ;)
>> I am working as a Network Administrator of a small Office Network. We
>> use Debian Server as Samba PDC and Fileserver.
>> The Domain runs pretty well with all the Windows 7 Clients. I have just
>> one thing that bugs me.
>> In the groupshare we set up, users can only access folders that are
>> world readable, for some reason. As a temporary fix I put all users into
>> the Domain Admin group, so they can at least use the groupshare.
>>
>> But first of all you probably want to know the details. The Samba
>> Version is 3.5.6
>>
>> This is my smb.conf:
>> -----------------------------------------------------------------
>> [global]
>> netbios name = SCM-SRV-01
>> server string = Domain Server (%h)
>> workgroup = SCM
>> interfaces = eth1 eth2 eth3
>> bind interfaces only = yes
>> security = user
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>> local master = yes
>> preferred master = yes
>> os level = 200
>> domain master = yes
>> domain logons = yes
>> logon path = \\%L\%U\profile
>> logon drive = h:
>> logon script = login.bat
>> profile acls = yes
>> hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/AppData/profile.V2/
>> hide dot files = yes
>> wins support = no
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>> socket options = TCP_NODELAY
>>
>> #======================= Share Definitions =======================
>>
>> [homes]
>> comment = Home Directories
>> browseable = no
>> valid users = %S
>> writeable = yes
>> create mode = 0600
>> directory mode = 0700
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /home/samba/netlogon
>> guest ok = yes
>> writeable = no
>> share modes = no
>>
>> [groups]
>> writable = yes
>> path = /home/groups
>> force group = users
>> comment = All group folders
>> create mode = 660
>> directory mode = 770
>> -----------------------------------------------------------------------
>>
>> Output of net groupmap list:
>>
>> Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) -> users
>> Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) -> guests
>> Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) -> domainadmin
>> -----------------------------------------------------------------------
>>
>> Like I said, everything works well, except the permissions in the share
>> [groups].
>>
>> All linux (and therefore domain) users are in the primary group users.
>> All the employees are in the group 'mitarbeiter'.
>>
>> So if I set /home/groups to
>> drwxr-x-- 11 root users 4096 2. Jan 13:08 groups/
>> the share is not accessible. Even though all users are in the group
>> users and should therefore be able to read that folder.
>> If I put users into the domainadmin group, group permissions work as
>> expected. All employees can access subfolders of groups which are
>> readable to mitarbeiter (but not others they have no permissions for)
>> and can also read the content of /home/groups. So the mapping of unix
>> groups from Windows7 works without problems.
>>
>> Folder permission in Samba can only be realized if I make folders world
>> readable, which is not what I want for all folders.
>>
>> After extensive internet research I could not figure out what I am doing
>> wrong. I also had similar samba setups where unix group permissions
>> were always correctly used in samba.
>>
>> I suspect it being a problem with domain groups and their mapping. I
>> also tried to create some samba Domain Groups and map them to the local
>> unix groups, which didn't make a difference either.
>>
>> So I hope anybody on this list knows what the problem is. I am happy to
>> give more information as needed!
>>
>>
>> Thanks,
>> Stefan Horning
>>
>>
>


