[Samba] member server and groups
mray at xes-inc.com
Thu Apr 4 08:48:32 MDT 2013
When running a samba 3 member server joined to a samba AD with winbind, we were having some issues with ACLs over CIFS mounts. If you are noticing issues with CIFS mounts, then something to keep in mind that I only found out after quite some time, is that permissions over mounts work as the logical AND of basic unix permissions and ACLs. That is if your user would be denied by the basic unix permissions, ACLs are never checked. However, if you get the greenlight from basic permissions, it then contacts the server and does the ACL checks.
The reason that you are noticing no issue when you chgrp it to Domain Users is that at that point your domain users pass on the unix permissions. Without them owning (say the file/dir is root/root) then they fall to the last octal, the 'other' portion of file permissions.
So what I'd try is chmod 777 the file/dir and then adding ACLs on top of that to restrict access.
Hope that helps,
----- Original Message -----
From: "Neil Price" <nprice at gibb.co.za>
To: samba at lists.samba.org
Sent: Thursday, April 4, 2013 8:42:06 AM
Subject: [Samba] member server and groups
I have a samba 3 member server joined to a samba pdc using ldap. Join is OK.
Version is from debian wheezy: 3.6.6
With servers that are bdc's I have no problems with authentication, with
the member server I cannot get group file permissions to work.
User file permissions work fine
Samba share user and group permissions work fine
getent group shows expected groups with correct gid, which is an
improvement on the 3.5.4 that I tried before.
Only thing interesting the logs show is access denied.
BUT if I change the dir/file permission to domain users group THEN it
So I think samba is only looking up the primary group. I know there was
bug like this somewhere around 3.6.0
Is "net idmap secret alloc" no longer needed? It responds with "The only
currently supported backend is LDAP". smbpasswd -w seemed to do all I
Critical parts of my smb.conf
I'm using the nss_ldap method with nss-ldapd
security = domain
workgroup = DOMAIN
ldap admin dn = cn=System Administrator,ou=people,dc=domain,dc=com
ldap suffix = dc=domain,dc=com
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=winstations,ou=systems
ldap ssl = Off
idmap config DOMAIN : backend = ldap
idmap config DOMAIN : range = 80000-99000
idmap config DOMAIN : ldap_url = ldap://my.ldap.serverl/
winbind use default domain = yes
path = /home/shares/comp
inherit permissions = yes
public = no
browsable = yes
writeable = yes
valid users = @computer
drwxrwx--- 19 root computer 4096 Jan 18 15:25 comp
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns wins
# The user and group nslcd should run as.
# The location at which the LDAP server(s) should be reachable.
# The search base that will be used for all queries.
# The LDAP protocol version to use.
# SSL options
# The search scope.
To unsubscribe from this list go to the following URL and read the
More information about the samba