[Samba] Samba Folder Permissions
L.P.H. van Belle
belle at bazuin.nl
Thu Jan 5 01:56:15 MST 2012
Then try this:
[groups]
writable = yes
path = /home/groups
force group = users
comment = All group folders
create mode = 660
directory mode = 770
vfs object = acl_xattr
>-----Original message-----
>From: stefan at hornings.de [mailto:samba-bounces at lists.samba.org]
>On behalf of Stefan Horning
>Sent: 2012-01-03 15:06
>To: samba at lists.samba.org
>Subject: [Samba] Samba Folder Permissions
>
>Hello list members,
>my name is Stefan, this is my first post to this mailing list, so please
>bear with me. ;)
>I am working as a Network Administrator of a small Office Network. We
>use Debian Server as Samba PDC and Fileserver.
>The Domain runs pretty well with all the Windows 7 Clients. I have just
>one thing that bugs me.
>In the groupshare we set up, users can only access folders that are
>world readable, for some reason. As a temporary fix I put all users into
>the Domain Admin group, so they can at least use the groupshare.
>
>But first of all you probably want to know the details. The Samba
>Version is 3.5.6
>
>This is my smb.conf:
>-----------------------------------------------------------------
>[global]
> netbios name = SCM-SRV-01
> server string = Domain Server (%h)
> workgroup = SCM
> interfaces = eth1 eth2 eth3
> bind interfaces only = yes
> security = user
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> local master = yes
> preferred master = yes
> os level = 200
> domain master = yes
> domain logons = yes
> logon path = \\%L\%U\profile
> logon drive = h:
> logon script = login.bat
> profile acls = yes
> hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/AppData/profile.V2/
> hide dot files = yes
> wins support = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> socket options = TCP_NODELAY
>
>#======================= Share Definitions =======================
>
>[homes]
> comment = Home Directories
> browseable = no
> valid users = %S
> writeable = yes
> create mode = 0600
> directory mode = 0700
>
>[netlogon]
> comment = Network Logon Service
> path = /home/samba/netlogon
> guest ok = yes
> writeable = no
> share modes = no
>
>[groups]
> writable = yes
> path = /home/groups
> force group = users
> comment = All group folders
> create mode = 660
> directory mode = 770
>-----------------------------------------------------------------------
>
>Output of net groupmap list:
>
>Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) -> users
>Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) -> guests
>Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) -> domainadmin
>-----------------------------------------------------------------------
>
>Like I said, everything works well, except the permissions in the share
>[groups].
>
>All linux (and therefore domain) users are in the primary group users.
>All the employees are in the group 'mitarbeiter'.
>
>So if I set /home/groups to
>drwxr-x-- 11 root users 4096 2. Jan 13:08 groups/
>the share is not accessible. Even though all users are in the group
>users and should therefore be able to read that folder.
>If I put users into the domainadmin group, group permissions work as
>expected. All employees can access subfolders of groups which are
>readable to mitarbeiter (but not others they have no permissions for)
>and can also read the content of /home/groups. So the mapping of unix
>groups from Windows7 works without problems.
>
>Folder permission in Samba can only be realized if I make folders world
>readable, which is not what I want for all folders.
>
>After extensive internet research I could not figure out what I am doing
>wrong. I also had similar samba setups where unix group permissions
>always were correctly used in samba.
>
>I suspect it being a problem with domain groups and their mapping. I
>also tried to create some samba Domain Groups and map them to the local
>unix groups, which didn't make a difference either.
>
>So I hope anybody on this list knows what the problem is. I am happy to
>give more information as needed!
>
>
>Thanks,
>Stefan Horning