[Samba] force group + acls

Mike Kelly mike at piratehaven.org
Fri Jul 13 19:57:51 MDT 2012


Hi everyone,

So I'm trying to copy files from a windows share to a samba share.  I'm
using robocopy to mirror files and permissions, but I've recently hit
a little problem with the interaction of permissions, and I'm not sure
how to fix it.

What's happening is that after a file is copied, its permissions are
updated.  What I end up with is that Domain Users (the default group) is
assigned to the file with no permissions, and the builtin Users group is
assigned, via ACLs, full permissions.  Of course, the problem is
that the builtin Users group actually contains the Domain Users group,
so I end up with a case of Domain Users being unable to access the file.

Now, in an ideal world, unix filesystems would implement ACLs in a way
that isn't a kludgey bolt-on feature, but since it is, I'd like samba to
help me work around it and set the unix group to something which will
then be ignored when reporting file permissions back to Windows.  I
thought that I found this feature in the force group command, but I was
wrong.

Force group sounds exactly like what I want.  I want samba to assign a
default group, e.g. "root", to all of my files, and then add and modify
additional groups via the ACL system.  This would prevent the wackiness
I'm seeing, and get ACLs working properly.  However, what ends up
happening in this case is that the file is created as me, with the
default group set to "root" (yay!), then the permissions are "fixed",
and the owner is set to "root" and the group is set to "Domain Users".
This seems a bit strange to me because "Domain Users" is not mentioned
in the Windows ACLs at all, so it makes me wonder:
  a) Why is the group being set to "Domain Users" at all?
  b) Why isn't the group still forced to "root" as I asked?

One option I've considered is messing with the various mode bits.  I
could, for example, ensure that the default group always had full
permissions (or at least read-only permissions), but that changes
the problem because now I am granting permissions where there were none
before.

I'm using samba version 3.6.3, on Ubuntu 12.04.

Here is my config:
======================
[global]
        log level = 3
        server string = samba
        netbios name = samba
        interfaces = 10.0.0.36
        security = ads
        realm = DOMAIN.COM
        workgroup = DOMAIN
        # I want to see the domain name as part of the user name:
        winbind use default domain = no
        winbind separator = +
        # From here we configure the idmaps
        idmap config * : backend = tdb
        idmap config * : range = 5000-6000
        idmap config DOMAIN: default = yes
        idmap config DOMAIN: backend = rid
        idmap config DOMAIN: range = 100000-2000000000
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = Yes
        # how many nested groups to traverse:
        winbind expand groups = 10
        client use spnego = yes
        encrypt passwords = true
        restrict anonymous = 2
        # Windows doesn't have this restriction, so neither do we:
        hide dot files = no
        # Use extended ACL attributes to store windows permissions:
        vfs objects = acl_xattr
        ea support = yes
        map acl inherit = yes
        store dos attributes = yes
        map hidden = no
        map system = no
        map archive = no
        map readonly = no
        # Just to be safe:
        invalid users = root
        # Recommended for ADS security mode:
        #name resolve order = wins bcast
        template homedir = /srv/Homes/%D/%U
        template shell = /bin/false
        unix extensions = no
        # Allocate file blocks at creation time (no sparse files), helps
        # with quotas.
        strict allocate = yes
        allocation roundup size = 1024

[Share]
        path = /srv/Share
        writable = yes
        admin users = DOMAIN+mike
        #force group = root
        #force directory security mode = 0070
======================

Please let me know if I can provide more information.

Thanks,

Mike
(:

-- 
--------Mike at PirateHaven.org-----------------------The_glass_is_too_big--------
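As an added illustration (not code from the original post or from Samba), here is the POSIX.1e access-check algorithm that the underlying filesystem ACL applies to the situation described above, run against a constructed getfacl listing where the owning group carries no permission bits and a named group carries rwx. It models only the POSIX layer, not Samba's own evaluation of the NT ACL that acl_xattr stores in the xattr; the user and group names are assumed.

```python
"""POSIX.1e ACL access check for the group interaction described above.
Constructed scenario (names assumed, not from a real system): the owning
group DOMAIN+domain users has no permission bits, while the named group
BUILTIN+users holds rwx through an ACL entry."""

# Constructed getfacl-style listing for the file in question.
SAMPLE_ACL = """\
# owner: DOMAIN+mike
# group: DOMAIN+domain users
user::rw-
group::---
group:BUILTIN+users:rwx
mask::rwx
other::---
"""


def parse_acl(text):
    """Parse getfacl output into owner, owning group and (tag, qualifier, perms) entries."""
    acl = {"owner": "", "group": "", "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.rsplit(":", 2)
            acl["entries"].append((tag, qualifier, set(perms) - {"-"}))
    return acl


def check_access(acl, user, groups, want):
    """POSIX.1e order: owner entry (unmasked); a named user entry; then the group
    class, where any matching owning-group or named-group entry that grants every
    requested bit after masking is enough; finally the other entry."""
    entries, need = acl["entries"], set(want)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = lambda p: p if mask is None else p & mask
    if user == acl["owner"]:
        return need <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return need <= masked(p)
    hits = [masked(p) for t, q, p in entries
            if t == "group" and ((q == "" and acl["group"] in groups) or (q != "" and q in groups))]
    if hits:
        return any(need <= p for p in hits)
    return need <= next(p for t, _, p in entries if t == "other")
```

A user resolved only into the owning group gets the empty `group::` entry and is denied; the same user also resolved into BUILTIN+users (as winbind nested group expansion would do) is granted by the rwx entry, so a denial observed in practice points at the layer above the POSIX ACL.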