[Samba] Can't get permission on a share to work problem with groups
Rowland Penny
rowlandpenny at googlemail.com
Sun Feb 9 07:29:29 MST 2014
On 09/02/14 10:48, Horace wrote:
> On 2014-02-09 05:19, Rowland Penny wrote:
>> On 24/01/14 21:05, Horace wrote:
>>> Hello,
>>>
>>> 1. I have created a directory /srv/samba4/Public Applications.
>>> 2. I created a group 'Domain Admins' with gid 1003
>> When you say that you created a group called 'Domain Admins', just how
>> did you create it? or do you mean that you added the gidNumber '1003'
>> to the already existing group in AD?
>>
>> Rowland
>>
> I am referring to the UNIX group I created with 'groupadd' command and
> modified the Builtin AD group 'ACCOUNTSAD\Domain Admins' and changed
> the existing gidNumber to 1003. So AD Users that are members of
> 'ACCOUNTSAD\Domain Admins' can write to the directory.
>>> 3. I setfacl -m group:1003:rwx on Public Applications
>>> 4. I created a share
>>> [Public Applications]
>>> read list = @ACCOUNTSAD\"Domain Users"
>>> write list = @"Domain Admins"
>>> comment = Public Applications
>>> path = /srv/samba4/Public Applications
>>> #admin users = @"Domain Admins"
>>> 5. wbinfo --group-info 'Domain Admins'
>>> ACCOUNTSAD\Domain Admins:*:1003:
>>>
>>> Debug level
>>> # Debug logging information
>>> #log level = 10
>>> log level = 3
>>> #log file = /var/log/samba.log.%m
>>> #max log size = 50
>>> debug timestamp = yes
>>> syslog only = yes
>>>
>>>
>>> As anyone can see, I'd like Domain Admins to have read/write access and
>>> Domain Users read access only. For whatever reason, when I access the
>>> share \\PDC-S2\Public Applications and try to create a folder, I get
>>> Permission denied.
>>>
>>> I have tailed both syslog and log.smbd and there is NO relevant
>>> information regarding why this is failing.
>>>
>>> Am I doing something wrong here?
OK, the problem here is that you are dealing with an Active Directory
server; it would be better if you just used ACLs.
I personally wouldn't have mapped 'Domain Admins' to 'Domain Admins'; in
fact I am surprised that you could create a Unix group with the same
name as a domain group, or did you create it before the join?
I would remove the local group 'Domain Admins' and create a new one,
perhaps 'dom_admins'. I would not use one with a space in the name; Unix
doesn't like spaces ;-)
Also, if you are using the standard mappings, 'Domain Users' is mapped to
the local group 'users' or gid '100'.
What I would do here is alter smb.conf to this:
[Public_Applications]
comment = Public Applications
path = /path/to/Public_Applications
read only = no
Then:
setfacl -dm group:<gid of dom_admins>:rwx /path/to/Public_Applications
setfacl -dm group:100:r-x /path/to/Public_Applications
This should get you the results that you require, only members of
'Domain Admins' can create files & folders, but members of 'Domain
Users' can read them.
Rowland
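An added example, not from Rowland's reply or from the Samba project: a small checker that reads `getfacl` output for a share directory and reports whether the groups a share is meant to serve actually get the access they need. It encodes two things a practitioner wants to verify after running `setfacl`: the access ACL on the directory itself is what governs creating a file in it (`setfacl -m`), while `setfacl -d`/`-dm` only sets the default ACL that new entries inherit; and a named group's entry is limited by the `mask` entry, which `getfacl` marks with an `#effective:` comment. The group names `dom_admins` and `users` follow the reply above; the two `getfacl` outputs are constructed samples, not captured from a real server.

```python
"""Check the POSIX ACLs of a Samba share directory from `getfacl` output.

Constructed samples below model /srv/samba4/Public_Applications after
(a) only `setfacl -dm ...` was run and (b) both `setfacl -m ...` and
`setfacl -dm ...` were run. Feed real output with:
    getfacl /srv/samba4/Public_Applications | python3 this_script.py
"""
import sys
from typing import List, NamedTuple, Optional

# Constructed sample: only default (inherited) entries were added.
SAMPLE_DEFAULT_ONLY = """\
# file: srv/samba4/Public_Applications
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:dom_admins:rwx
default:group:users:r-x
default:mask::rwx
default:other::r-x
"""

# Constructed sample: access entries on the directory plus matching defaults.
SAMPLE_FIXED = """\
# file: srv/samba4/Public_Applications
# owner: root
# group: root
user::rwx
group::r-x
group:dom_admins:rwx
group:users:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:dom_admins:rwx
default:group:users:r-x
default:mask::rwx
default:other::---
"""


class AclEntry(NamedTuple):
    default: bool    # True for "default:" (inherited) entries
    tag: str         # user / group / mask / other
    qualifier: str   # group or user name (or numeric id with getfacl -n); '' for owner entries
    perms: str       # positional "rwx" string, e.g. "r-x"


def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse the long-form output of getfacl into a list of entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # "# file:", "# owner:", "# group:" headers
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        line = line.split("#")[0].strip()  # drop a trailing "#effective:r-x" comment
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"unexpected ACL line: {raw!r}")
        tag, qualifier, perms = parts
        entries.append(AclEntry(default, tag, qualifier, perms))
    return entries


def perm_mask(perms: str, mask: str) -> str:
    """Apply an ACL mask: a bit survives only if set in both strings."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def effective_group_perms(entries: List[AclEntry], group: str,
                          default: bool = False) -> Optional[str]:
    """Permissions a named group really gets in the access (or default) ACL."""
    scope = [e for e in entries if e.default == default]
    mask = next((e.perms for e in scope if e.tag == "mask"), "rwx")
    for e in scope:
        if e.tag == "group" and e.qualifier == group:
            return perm_mask(e.perms, mask)
    return None


def check_share_acl(text: str, writers: List[str], readers: List[str]) -> List[str]:
    """Return findings for groups expected to write / read-only on the share."""
    entries = parse_getfacl(text)
    findings = []
    for group in writers:
        access = effective_group_perms(entries, group)
        if access is None or "w" not in access or "x" not in access:
            findings.append(f"{group}: effective access on the directory is "
                            f"{access or 'none'}, needs rwx to create files there")
        inherited = effective_group_perms(entries, group, default=True)
        if inherited is None or "w" not in inherited:
            findings.append(f"{group}: no rwx default entry, new subdirectories "
                            "will not inherit write access")
    for group in readers:
        access = effective_group_perms(entries, group)
        if access is None or "r" not in access or "x" not in access:
            findings.append(f"{group}: effective access on the directory is "
                            f"{access or 'none'}, needs r-x to list and read")
        elif "w" in access:
            findings.append(f"{group}: has write access but was expected read-only")
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEFAULT_ONLY
    for line in check_share_acl(text, ["dom_admins"], ["users"]) or ["ACL looks as intended"]:
        print(line)
```

Run against the default-only sample it reports that `dom_admins` has no effective access on the directory itself, which is exactly the "Permission denied on create" symptom, while the sample with both access and default entries produces no findings. If `getfacl -n` is used, pass the numeric gids (for example `"1003"`) as the group names instead.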