[Samba] force group + acls

Mike Kelly mike at piratehaven.org
Fri Jul 13 19:57:51 MDT 2012

Hi everyone,

So I'm trying to copy files from a windows share to a samba share.  I'm
using robocopy to mirror file files a permissions, but I've recently hit
a little problem with the interaction of permissions, and I'm not sure
how to fix it.

What's happening is that after a file is copied, it's permissions are
updated.  What I end up with is Domain Users (the default group) is
assigned to the file with no permissions, and the builtin Users group is
assigned, via ACLs, with full permissions.  Of course, the problem is
that the builtin Users group actually contains the Domain Users group,
so I end up with a case of Domain Users being unable to access the file.

Now, in an ideal world, unix filesystems would implement ACLs in a way
that isn't a kludgey bolt-on feature, but since it is, I'd like samba to
help me work around it and set the unix group to something which will
then be ignored when reporting file permissions back to Windows.  I
thought that I found this feature in the force group command, but I was

Force group sounds exactly like what I want.  I want samba to assign a
default group, e.g. "root", to all of my files, and then add and modify
additional groups via the ACL system.  This would prevent the wackiness
I'm seeing, and get ACLs working properly.  However, what ends up
happening in this case is that the file is created as me, with the
default group set to "root" (yay!), then the permissions are "fixed",
and the owner is set to "root" and the group is set to "Domain Users".
This seems a bit strange to me because "Domain Users" is not mentioned
in the Windows ACLs at all, so it makes me wonder:
  a) Why is the group being set to "Domain Users" at all?
  b) Why isn't the group still forced to "root" as I asked?

One option I've considered is messing with the various mode bits.  I
could, for example, ensure that the default group always had full
permissions (or at least read-only permissions), but that changes
the problem because now I am granting permissions where there were none

I'm using samba version 3.6.3, on Ubuntu 12.04.

Here is my config:
        log level = 3
        server string = samba
        netbios name = samba
        interfaces =
        security = ads
        realm = DOMAIN.COM
        workgroup = DOMAIN
        # I want to see the domain name as part of the user name:
        winbind use default domain = no
        winbind separator = +
        # From here we configure the idmaps
        idmap config * : backend = tdb
        idmap config * : range = 5000-6000
        idmap config DOMAIN: default = yes
        idmap config DOMAIN: backend = rid
        idmap config DOMAIN: range = 100000-2000000000
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = Yes
        # how many nested groups to traverse:
        winbind expand groups = 10
        client use spnego = yes
        encrypt passwords = true
        restrict anonymous = 2
        # Windows doesn't have this restriction, so neigther do we:
        hide dot files = no
        # Use extended ACL attributes to store windows permissions:
        vfs objects = acl_xattr
        ea support = yes
        map acl inherit = yes
        store dos attributes = yes
        map hidden = no
        map system = no
        map archive = no
        map readonly = no
        # Just to be safe:
        invalid users = root
        # Reccommended for ADS security mode:
        #name resolve order = wins bcast
        template homedir = /srv/Homes/%D/%U
        template shell = /bin/false
        unix extensions = no
        # Allocate file blocks at creation time (no sparse files), helps
        # with quotas.
        strict allocate = yes
        allocation roundup size = 1024

        path = /srv/Share
        writable = yes
        admin users = DOMAIN+mike
        #force group = root
        #force directory security mode = 0070

Please let me know if I can provide more information.



--------Mike at PirateHaven.org-----------------------The_glass_is_too_big--------

More information about the samba mailing list