[Samba] File share permissions act different on member server than on DC
steve at steve-ss.com
Mon Oct 14 00:43:26 MDT 2013
On Sun, 2013-10-13 at 22:31 +0200, Marc Muehlfeld wrote:
> a while ago I wrote the
> http://wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo.
> When I wrote the HowTo, I setup and configured the share on a DC - what
> still works like described. Today I tried the first time to do exactly
> the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work there.
> The share in smb.conf:
> path = /srv/samba/Demo
> read only = no
> The folder in the filesystem (XFS):
> drwxr-xr-x 2 root root 6 13. Okt 22:16 /srv/samba/Demo
> I connect to the share as Domain Admin, right-click to it and go to the
> "security" tab. Here I see now "everyone" and two "root" entries.
> - I click the "edit" button and remove the two "root" entries. When I
> click "apply", everything is reset (the two entries went back".
> - If i grant "modify" to "everyone" - where all "allow" entries are
> empty per default and click "apply", then all boxes are checked
> automatically (full access) and "CREATOR OWNER" and "CREATOR GROUP"
> appear. And this two can't be removed as well any more.
> If I do exactly the same on a DC, then already the security tab shows on
> the first time I open it very different settings. The wiki screenshot
> shows them:
> http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png). But
> the folder on Linux side is also just 755 (and without any extended ACLs
> when I begin). Also whatever I change (like remove "root" from the ACLs)
> everything is done like expected and saved.
> The member server is also self compiled. I installed all packages on my
> RHEL6 that I have installed on the DC too.
> Any idea what could be different on a 4.x member than on a DC? Or did I
> find a bug?
It looks like that on the DC, Administrator already has admin
permissions on the share (like root in Linux) but on a file server he
doesn't. You have to specify Administrator as an admin user or give him
full posix rights on the share using setfacl.
Summary.mAdministrator behaves as:
DC: like root on a Linux box
File server: a normal unprivileged domain user
I think the file server is correct. Windows doesn't have a user like
More information about the samba