[Samba] Samba on FreeNAS permissions

Alex Ferrara alex at receptiveit.com.au
Tue Jan 3 14:46:17 MST 2012

Hi list,

I am having a weird issue with samba as included with FreeNAS 8.0.2.

All my users are in LDAP, and the local server can see and authenticate LDAP users via other mechanisms like SSH. When I log into this FreeNAS machine via SSH, the server understands group permissions and all works as expected.

The filesystem that the share is on is ZFS and FreeNAS is based on FreeBSD.

My issue is, when I mount a CIFS share from a Windows workstation to the FreeNAS Samba server, secondary group permissions are not honoured.

In a bit more detail. I have a user in LDAP called alex.ferrara with the primary group of "Domain Users" and I can mount CIFS shares just fine. The main CIFS share destination directory is set to mode 2775 with the owner "root" and group "Domain Users". My user can create files as you would expect. So far so good.

The problem comes in when I have a directory underneath the main share that is owned by "root" and group "Domain Admins". My user is a member of the domain admins group and I can create files if I log in via SSH, but when I access the same directory via CIFS, I get the message "You need permission to perform this action".

The version of Samba is 3.5.11 and my config file is included below.

  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  read raw = yes
  write raw = yes
  oplocks = yes
  max xmit = 65535
  deadtime = 15
  display charset = LOCALE
  max log size = 10
  syslog only = yes
  syslog = yes
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  smb passwd file = /var/etc/private/smbpasswd
  private dir = /var/etc/private
  getwd cache = yes
  guest account = nobody
  map to guest = Bad Password
  netbios name = server
  workgroup = DOMAIN
  server string = FreeNAS Server
  use sendfile = yes
  large readwrite = no
  store dos attributes = yes
  security = user
  passdb backend = ldapsam:ldap://
  ldap admin dn = cn=admin,dc=domain
  ldap suffix = dc=domain
  ldap user suffix = ou=users
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap ssl = off
  ldap replication sleep = 1000
  ldap passwd sync = yes
  #ldap debug level = 1
  #ldap debug threshold = 1
  ldapsam:trusted = yes
  idmap uid = 10000-39999
  idmap gid = 10000-39999
  create mask = 0664
  directory mask = 0775
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 3
  aio read size = 1
  aio write size = 1

  path = /mnt/data/share
  printable = no
  veto files = /.snap/.windows/
  writeable = yes
  browseable = yes
  inherit owner = yes
  inherit permissions = yes
  vfs objects = zfsacl recycle
  recycle:repository = .recycle/%U
  recycle:keeptree = yes
  recycle:versions = yes
  recycle:touch = yes
  recycle:directory_mode = 0777
  recycle:subdir_mode = 0700
  inherit acls = Yes
  map archive = No
  map readonly = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = yes

Alex Ferrara
Receptive IT Solutions

P 0403 604 604
F (02) 4822 7700
E alex at receptiveit.com.au
W www.receptiveit.com.au

More information about the samba mailing list