[Samba] Can't get permission on a share to work problem with groups

Rowland Penny rowlandpenny at googlemail.com
Sun Feb 9 07:29:29 MST 2014

On 09/02/14 10:48, Horace wrote:
> On 2014-02-09 05:19, Rowland Penny wrote:
>> On 24/01/14 21:05, Horace wrote:
>>> Hello,
>>> 1. I have created a directory /srv/samba4/Public Applications.
>>> 2. I created a group 'Domain Admins' with gid 1003
>> When you say that you created a group called 'Domain Admins', just how
>> did you create it? or do you mean that you added the gidNumber '1003'
>> to the already existing group in AD?
>> Rowland
> I am referring to the UNIX group I created with the 'groupadd' command and 
> modified the Builtin AD group 'ACCOUNTSAD\Domain Admins' and changed 
> the existing gidNumber to 1003, so AD users that are members of 
> 'ACCOUNTSAD\Domain Admins' can write to the directory.
>>> 3. I setfacl -m group:1003:rwx on Public Applications
>>> 4. I created a share
>>> [Public Applications]
>>>     read list = @ACCOUNTSAD\"Domain Users"
>>>     write list = @"Domain Admins"
>>>     comment = Public Applications
>>>     path = /srv/samba4/Public Applications
>>>     #admin users = @"Domain Admins"
>>> 5. wbinfo --group-info 'Domain Admins'
>>> ACCOUNTSAD\Domain Admins:*:1003:
>>> Debug level
>>> # Debug logging information
>>> #log level = 10
>>> log level = 3
>>> #log file = /var/log/samba.log.%m
>>> #max log size = 50
>>> debug timestamp = yes
>>> syslog only = yes
>>> As anyone can see, I like Domain Admins read write access and Domain 
>>> Users read access only. For whatever reason, when I access the share 
>>> \\PDC-S2\Public Applications and try to create a folder, I get 
>>> Permission denied.
>>> I have tailed both syslog's and log.smbd and there is NO relevant 
>>> information regarding why this is failing.
>>> Am I doing something wrong here ?
OK, the problem here is that you are dealing with an Active Directory 
server; it would be better if you just used ACLs.

I personally wouldn't have mapped 'Domain Admins' to 'Domain Admins', in 
fact I am surprised that you could create a unix Group with the same 
name as a domain group, or did you create it before the join?

I would remove the local group 'Domain Admins' and create a new one, 
perhaps 'dom_admins', I would not use one with a space in the name, unix 
doesn't like spaces ;-)

Also, if you are using the standard mappings, 'Domain Users' is mapped to 
the local group 'users' or gid '100'.

What I would do here is alter smb.conf to this:

     comment = Public Applications
     path = /path/to/Public_Applications
     read only = no


setfacl -dm group:<gid of dom_admins>:rwx /path/to/Public_Applications

setfacl -dm group:100:r-x /path/to/Public_Applications

This should get you the results that you require, only members of 
'Domain Admins' can create files & folders, but members of 'Domain 
Users' can read them.
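One check worth running after following the advice above, as an added example that is not part of the thread: `setfacl -d` only edits the directory's default ACL, which is what new files and sub-directories inherit, so a directory that has only had the two `setfacl -dm` commands applied still has no group entries in its own access ACL, and members of the group cannot create anything in it. The script below takes `getfacl -n` output (the two samples are constructed, modelled on what getfacl prints for the thread's gids 1003 and 100) and verifies that both the access and the default ACL carry the expected entries, printing the full set of setfacl commands (`-m` for the directory itself, `-dm` for inheritance) when something is missing. The helper names `check_share_acl` and `fix_commands` are my own, not Samba's.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a share directory has
# BOTH the access ACL and the default ACL entries for the two groups.
# gid 1003 = dom_admins and gid 100 = users are the values from the mail.

# Constructed sample: getfacl -n output after running ONLY the two
# `setfacl -dm` commands. Note the access ACL has no named group entries.
ACL_DEFAULT_ONLY='# file: srv/samba4/Public_Applications
# owner: 0
# group: 0
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:1003:rwx
default:group:100:r-x
default:mask::rwx
default:other::r-x'

# Constructed sample: getfacl -n output after setting access AND default ACLs.
ACL_COMPLETE='# file: srv/samba4/Public_Applications
# owner: 0
# group: 0
user::rwx
group::r-x
group:1003:rwx
group:100:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:1003:rwx
default:group:100:r-x
default:mask::rwx
default:other::r-x'

# acl_has ACL_TEXT ENTRY -> exit 0 if ENTRY appears as a whole line.
# A masked entry prints as "group:1003:rwx  #effective:r-x" and so does
# not match, which is the right outcome: that entry is not effective.
acl_has() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# check_share_acl ACL_TEXT ADMIN_GID USERS_GID
# Reports every missing entry on stdout; exit 0 only if all four are present.
check_share_acl() {
    acl=$1
    admins=$2
    users=$3
    rc=0
    for entry in "group:$admins:rwx" "group:$users:r-x" \
                 "default:group:$admins:rwx" "default:group:$users:r-x"; do
        if ! acl_has "$acl" "$entry"; then
            echo "missing ACL entry: $entry"
            rc=1
        fi
    done
    return $rc
}

# fix_commands SHARE_PATH ADMIN_GID USERS_GID
# Prints the four setfacl commands that produce the complete ACL above:
# -m for the directory's own access ACL, -dm for what new entries inherit.
fix_commands() {
    share=$1
    admins=$2
    users=$3
    printf 'setfacl -m group:%s:rwx "%s"\n' "$admins" "$share"
    printf 'setfacl -m group:%s:r-x "%s"\n' "$users" "$share"
    printf 'setfacl -dm group:%s:rwx "%s"\n' "$admins" "$share"
    printf 'setfacl -dm group:%s:r-x "%s"\n' "$users" "$share"
}

# Demo: the default-only ACL fails the check and the fix is printed.
if ! check_share_acl "$ACL_DEFAULT_ONLY" 1003 100; then
    fix_commands /srv/samba4/Public_Applications 1003 100
fi
```

On a live server, feed it the real output: `check_share_acl "$(getfacl -n /path/to/Public_Applications)" 1003 100`. The `-n` flag keeps ids numeric so the check does not depend on how winbind resolves group names.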

