[Samba] Samba Folder Permissions

Dale Schroeder dale at BriannasSaladDressing.com
Tue Jan 3 13:40:12 MST 2012


Stefan,

I'm not certain as to the cause of your problem, but as a test, try 
adding to [global] ==> "map untrusted to domain = Yes" to see if there 
is any improvement.

Do you need "force group = users"?  If uncertain, try turning it off.  
To satisfy my curiosity, what is the output of "getfacl /home/groups"?

Dale


On 01/03/2012 11:43 AM, Stefan Horning wrote:
> Hi Aaron,
> thanks for your reply. I already have the /home Partition mounted with 
> ACL enabled. However I don't use ACL permissions for the described 
> folders. If I would set permissions with setfacl I would just give the 
> same permissions than with unix rights. I only need one group to have 
> rwx access, nothing more. In other samba setups I used, that was never 
> a problem, but those were no Domain setups...
>
> Stefan
>
>
> On 03.01.2012 17:31, Aaron E. wrote:
>> Check your extended ACL permissions and verify that they are enabled for
>> your kernel..
>>
>> On 01/03/2012 09:05 AM, Stefan Horning wrote:
>>> Hello list members,
>>> my name is Stefan, this is my first post to this mailing list, so please
>>> bear with me. ;)
>>> I am working as a Network Administrator of a small Office Network. We
>>> use Debian Server as Samba PDC and Fileserver.
>>> The Domain runs pretty well with all the Windows 7 Clients. I have just
>>> one thing that bugs me.
>>> In the groupshare we set up, users can only access folders that are
>>> world readable, for some reason. As a temporary fix I put all users into
>>> the Domain Admin group, so they can at least use the groupshare.
>>>
>>> But first of all you probably want to know the details. The Samba
>>> Version is 3.5.6
>>>
>>> This is my smb.conf:
>>> -----------------------------------------------------------------
>>> [global]
>>> netbios name = SCM-SRV-01
>>> server string = Domain Server (%h)
>>> workgroup = SCM
>>> interfaces = eth1 eth2 eth3
>>> bind interfaces only = yes
>>> security = user
>>> encrypt passwords = true
>>> passdb backend = tdbsam
>>> obey pam restrictions = yes
>>> unix password sync = yes
>>> passwd program = /usr/bin/passwd %u
>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>>> local master = yes
>>> preferred master = yes
>>> os level = 200
>>> domain master = yes
>>> domain logons = yes
>>> logon path = \\%L\%U\profile
>>> logon drive = h:
>>> logon script = login.bat
>>> profile acls = yes
>>> hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/AppData/profile.V2/
>>> hide dot files = yes
>>> wins support = no
>>> log file = /var/log/samba/log.%m
>>> max log size = 1000
>>> syslog = 0
>>> panic action = /usr/share/samba/panic-action %d
>>> socket options = TCP_NODELAY
>>>
>>> #======================= Share Definitions =======================
>>>
>>> [homes]
>>> comment = Home Directories
>>> browseable = no
>>> valid users = %S
>>> writeable = yes
>>> create mode = 0600
>>> directory mode = 0700
>>>
>>> [netlogon]
>>> comment = Network Logon Service
>>> path = /home/samba/netlogon
>>> guest ok = yes
>>> writeable = no
>>> share modes = no
>>>
>>> [groups]
>>> writable = yes
>>> path = /home/groups
>>> force group = users
>>> comment = All group folders
>>> create mode = 660
>>> directory mode = 770
>>> -----------------------------------------------------------------------
>>>
>>> Output of net groupmap list:
>>>
>>> Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) -> users
>>> Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) -> guests
>>> Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) -> domainadmin
>>> -----------------------------------------------------------------------
>>>
>>> Like I said everything works well, except the permissions in the share
>>> [groups].
>>>
>>> All linux (and therefore domain) users are in the primary group users.
>>> All the employees are in the group 'mitarbeiter'.
>>>
>>> So if I set /home/groups to
>>> drwxr-x-- 11 root users 4096 2. Jan 13:08 groups/
>>> the share is not accessible. Even though all users are in the group
>>> users and should therefore be able to read that folder.
>>> If I put users into the domainadmin group, group permissions work as
>>> expected. All employees can access subfolders of groups which are
>>> readable to mitarbeiter (but not others they have no permissions for)
>>> and can also read the content of /home/groups. So the mapping of unix
>>> groups from Windows7 works without problems.
>>>
>>> Folder permission in Samba can only be realized if I make folders world
>>> readable, which is not what I want for all folders.
>>>
>>> After extensive internet research I could not figure out what I am doing
>>> wrong. I also had similar samba setups where unix group permissions
>>> always were correctly used in samba.
>>>
>>> I suspect it being a problem with domain groups and their mapping. I
>>> also tried to create some samba Domain Groups and map them to the local
>>> unix groups, which didn't make a difference either.
>>>
>>> So I hope anybody on this list knows what the problem is. I am happy to
>>> give more information as needed!
>>>
>>>
>>> Thanks,
>>> Stefan Horning
>>>
>>>
>>
>
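
Added example, not part of the thread: a server-side check that evaluates the plain Unix mode bits along a path such as /home/groups for one account, so the Unix permission question can be separated from the Samba group-mapping question the replies are probing. It assumes GNU `stat` (Debian) and ignores ACL entries; the function names and the `someuser` account are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Debian, as in the post).
# Looks at classic mode bits only; ACL entries are NOT evaluated, so compare
# the result with `getfacl` output as well.

# perm_digit MODE OWNER_UID OWNER_GID UID "GID LIST" -> prints the rwx digit
# that applies. Exactly one class is used: owner, else group, else other.
perm_digit() {
    mode="000$1"; mode=${mode#"${mode%???}"}   # keep last 3 digits (drops sticky/setgid)
    if [ "$4" -eq "$2" ]; then echo "${mode%??}"; return; fi
    for g in $5; do
        if [ "$g" -eq "$3" ]; then d=${mode#?}; echo "${d%?}"; return; fi
    done
    echo "${mode#??}"
}

# allows DIGIT NEEDED -> true when every bit of NEEDED is set in DIGIT
allows() { [ $(( $1 & $2 )) -eq "$2" ]; }

# check_path USER DIR -> 0 if USER may list DIR: needs x (1) on every parent
# and r-x (5) on DIR itself; prints the first component that blocks access.
check_path() {
    if [ "$2" != / ]; then
        check_path "$1" "$(dirname "$2")" 1 || return
    fi
    [ -d "$2" ] || { echo "not a directory: $2"; return 2; }
    set -- "$1" "$2" "${3:-5}" $(stat -c '%a %u %g' "$2")
    uid=$(id -u "$1") || return 2
    [ "$uid" -eq 0 ] && return 0              # root bypasses mode bits
    digit=$(perm_digit "$4" "$5" "$6" "$uid" "$(id -G "$1")")
    allows "$digit" "$3" && return 0
    echo "DENY $1 at $2: mode $4 owner $5:$6 gives digit $digit, need $3"
    return 1
}

# Run on the server, e.g.:  check_path someuser /home/groups
```

If this reports success for an account that Samba still refuses, the directory modes are not the obstacle, which narrows the search to the identity and group list smbd uses for the session.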