[Samba] Samba on FreeNAS permissions
Alex Ferrara
alex at receptiveit.com.au
Tue Jan 3 14:46:17 MST 2012
Hi list,
I am having a weird issue with Samba as included with FreeNAS 8.0.2.
All my users are in LDAP, and the local server can see and authenticate LDAP users via other mechanisms like SSH. When I log into this FreeNAS machine via SSH, the server understands group permissions and all works as expected.
The filesystem that the share is on is ZFS and FreeNAS is based on FreeBSD.
My issue is, when I mount a CIFS share from a Windows workstation to the FreeNAS Samba server, secondary group permissions are not honoured.
In a bit more detail: I have a user in LDAP called alex.ferrara with the primary group of "Domain Users" and I can mount CIFS shares just fine. The main CIFS share destination directory is set to mode 2775 with the owner "root" and group "Domain Users". My user can create files as you would expect. So far so good.
The problem comes in when I have a directory underneath the main share that is owned by "root" and group "Domain Admins". My user is a member of the domain admins group and I can create files if I log in via SSH, but when I access the same directory via CIFS, I get the message "You need permission to perform this action".
The version of Samba is 3.5.11 and my config file is included below.
[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
display charset = LOCALE
max log size = 10
syslog only = yes
syslog = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
getwd cache = yes
guest account = nobody
map to guest = Bad Password
netbios name = server
workgroup = DOMAIN
server string = FreeNAS Server
use sendfile = yes
large readwrite = no
store dos attributes = yes
security = user
passdb backend = ldapsam:ldap://10.16.0.10
ldap admin dn = cn=admin,dc=domain
ldap suffix = dc=domain
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap ssl = off
ldap replication sleep = 1000
ldap passwd sync = yes
#ldap debug level = 1
#ldap debug threshold = 1
ldapsam:trusted = yes
idmap uid = 10000-39999
idmap gid = 10000-39999
create mask = 0664
directory mask = 0775
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 3
aio read size = 1
aio write size = 1
[share]
path = /mnt/data/share
printable = no
veto files = /.snap/.windows/
writeable = yes
browseable = yes
inherit owner = yes
inherit permissions = yes
vfs objects = zfsacl recycle
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
inherit acls = Yes
map archive = No
map readonly = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
Alex Ferrara
Director
Receptive IT Solutions
P 0403 604 604
F (02) 4822 7700
E alex at receptiveit.com.au
W www.receptiveit.com.au
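
The permission check described in this post, as an added example that is not part of the original message: it evaluates the POSIX mode bits for creating a file in a directory, once with the user's secondary groups and once with the primary group only. The numeric IDs and the subdirectory's mode 2775 are constructed assumptions, and NFSv4 ACLs applied through zfsacl are not modelled.

```python
import os
import pwd
import stat
from types import SimpleNamespace

# Constructed IDs for illustration; real values come from LDAP/NSS.
UID, DOMAIN_USERS, DOMAIN_ADMINS = 10001, 10513, 10512


def fake_stat(uid, gid, mode):
    """Build a stat-like object so the logic can run without a real filesystem."""
    return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=mode)


def deciding_class(uid, gids, st):
    """Return the single permission class the mode bits apply to this caller."""
    if uid == st.st_uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"


def can_create(uid, gids, st):
    """Creating a file needs write and search (w+x) on the parent directory."""
    if uid == 0:
        return True
    shift = {"owner": 6, "group": 3, "other": 0}[deciding_class(uid, gids, st)]
    bits = (stat.S_IMODE(st.st_mode) >> shift) & 0o7
    return bits & 0o3 == 0o3


def compare(uid, primary_gid, secondary_gids, st):
    """Evaluate the same request with and without the secondary groups."""
    full = {primary_gid} | set(secondary_gids)
    return {"with_secondary": can_create(uid, full, st),
            "primary_only": can_create(uid, {primary_gid}, st)}


def live_compare(user, path):
    """Same comparison using the groups NSS returns on the host it runs on."""
    pw = pwd.getpwnam(user)
    secondary = set(os.getgrouplist(user, pw.pw_gid)) - {pw.pw_gid}
    return compare(pw.pw_uid, pw.pw_gid, secondary, os.stat(path))


if __name__ == "__main__":
    subdir = fake_stat(0, DOMAIN_ADMINS, 0o42775)  # root:"Domain Admins", assumed 2775
    print(compare(UID, DOMAIN_USERS, {DOMAIN_ADMINS}, subdir))
```

On the server itself, `live_compare("alex.ferrara", "/mnt/data/share/<subdirectory>")` runs the same comparison against the groups NSS actually returns; the subdirectory name is a placeholder.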