[Samba] Can't get permission on a share to work problem with groups
Horace
mailinglist at lhplan.tk
Sun Feb 9 08:38:25 MST 2014
On 2014-02-09 09:29, Rowland Penny wrote:
> On 09/02/14 10:48, Horace wrote:
>> On 2014-02-09 05:19, Rowland Penny wrote:
>>> On 24/01/14 21:05, Horace wrote:
>>>> Hello,
>>>>
>>>> 1. I have created a directory /srv/samba4/Public Applications.
>>>> 2. I created a group 'Domain Admins' with gid 1003
>>> When you say that you created a group called 'Domain Admins', just
>>> how did you create it? Or do you mean that you added the gidNumber
>>> '1003' to the already existing group in AD?
>>>
>>> Rowland
>>>
>> I am referring to the UNIX group I created with the 'groupadd' command and
>> modified the Builtin AD group 'ACCOUNTSAD\Domain Admins' and changed
>> the existing gidNumber to 1003, so AD users that are members of
>> 'ACCOUNTSAD\Domain Admins' can write to the directory.
>>>> 3. I ran setfacl -m group:1003:rwx on Public Applications
>>>> 4. I created a share
>>>> [Public Applications]
>>>> read list = @ACCOUNTSAD\"Domain Users"
>>>> write list = @"Domain Admins"
>>>> comment = Public Applications
>>>> path = /srv/samba4/Public Applications
>>>> #admin users = @"Domain Admins"
>>>> 5. wbinfo --group-info 'Domain Admins'
>>>> ACCOUNTSAD\Domain Admins:*:1003:
>>>>
>>>> Debug level
>>>> # Debug logging information
>>>> #log level = 10
>>>> log level = 3
>>>> #log file = /var/log/samba.log.%m
>>>> #max log size = 50
>>>> debug timestamp = yes
>>>> syslog only = yes
>>>>
>>>>
>>>> As anyone can see, I would like Domain Admins to have read/write access
>>>> and Domain Users read access only. For whatever reason, when I access the
>>>> share \\PDC-S2\Public Applications and try to create a folder, I get
>>>> Permission denied.
>>>>
>>>> I have tailed both syslog and log.smbd and there is NO relevant
>>>> information regarding why this is failing.
>>>>
>>>> Am I doing something wrong here ?
> OK. The problem here is that you are dealing with an Active Directory
> server; it would be better if you just used ACLs.
>
> I personally wouldn't have mapped 'Domain Admins' to 'Domain Admins',
> in fact I am surprised that you could create a unix Group with the
> same name as a domain group, or did you create it before the join?
>
> I would remove the local group 'Domain Admins' and create a new one,
> perhaps 'dom_admins', I would not use one with a space in the name,
> unix doesn't like spaces ;-)
>
> Also if you are using the standard mappings, 'Domain Users' is mapped
> to the local group 'users' or gid '100'
>
> What I would do here is alter smb.conf to this:
>
> [Public_Applications]
> comment = Public Applications
> path = /path/to/Public_Applications
> read only = no
>
> Then:
>
> setfacl -dm group:<gid of dom_admins>:rwx /path/to/Public_Applications
>
> setfacl -dm group:100:r-x /path/to/Public_Applications
>
> This should get you the results that you require, only members of
> 'Domain Admins' can create files & folders, but members of 'Domain
> Users' can read them.
>
> Rowland
This is a much simpler way of doing this. Anyhow, I ran into a slight
problem: although I can write into Public_Applications, unfortunately
the smbd process creates files/folders with uid 300000 and gid
100. 300000 is mapped to Administrators, which is awkward. Why isn't it
using the login name? Is this the default behaviour when you don't specify
'valid users'?
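The share layout Rowland describes, as an added worked example that is not part of the thread (not his commands, not Horace's config). One practical caveat it builds in: `setfacl -dm` only sets the *default* ACL, which is inherited by entries created later; the directory itself also needs an *access* ACL (`setfacl -m`) or the writer group still cannot create anything in it. Assumed values: gid 1003 for the dom_admins group (Domain Admins), gid 100 for `users` (Domain Users, per the standard mapping), and the path /srv/samba4/Public_Applications; substitute your own idmap results from `wbinfo --group-info`.

```shell
#!/bin/sh
# Added example: AD-backed Samba share controlled by POSIX ACLs rather than
# read list / write list. Assumed gids: 1003 = dom_admins, 100 = users.
set -eu

# Emit the smb.conf stanza. No read/write lists: the filesystem ACLs decide.
# $1 = share name, $2 = path, $3 = comment
share_stanza() {
    printf '[%s]\n' "$1"
    printf '\tcomment = %s\n' "$3"
    printf '\tpath = %s\n' "$2"
    printf '\tread only = no\n'
}

# Apply the access ACL (effective on the directory now) AND the default ACL
# (inherited by files and folders created inside it).
# $1 = directory, $2 = writer gid, $3 = reader gid
apply_share_acls() {
    dir=$1; wgid=$2; rgid=$3
    mkdir -p "$dir"
    chmod 0750 "$dir"
    setfacl -m  "group:$wgid:rwx" "$dir"   # access ACL: admins may create entries
    setfacl -m  "group:$rgid:r-x" "$dir"   # access ACL: users may list/read
    setfacl -dm "group:$wgid:rwx" "$dir"   # default ACL: inherited by new entries
    setfacl -dm "group:$rgid:r-x" "$dir"
}

# Verify with getfacl (numeric ids, -n) that all four entries are present.
# Prints "ok" on success, returns 1 otherwise.
check_share_acls() {
    dir=$1; wgid=$2; rgid=$3
    acl=$(getfacl -p -n "$dir" 2>/dev/null) || return 1
    for want in "group:$wgid:rwx" "group:$rgid:r-x" \
                "default:group:$wgid:rwx" "default:group:$rgid:r-x"; do
        printf '%s\n' "$acl" | grep -qx "$want" || return 1
    done
    echo ok
}

# Run as:  sh share_acls.sh apply   (needs root and an ACL-enabled filesystem)
if [ "${1:-}" = "apply" ]; then
    share_stanza Public_Applications /srv/samba4/Public_Applications "Public Applications"
    apply_share_acls /srv/samba4/Public_Applications 1003 100
    check_share_acls /srv/samba4/Public_Applications 1003 100
fi
```

After applying, `getfacl -n` on the directory should show both the `group:` and the `default:group:` lines for each gid; if only the `default:` lines appear, creating a folder from a Windows client will still fail with Permission denied even though files created later would inherit the right permissions. Note that an existing tree is not changed retroactively by a default ACL; use `setfacl -R` on the current contents if the share already has files.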