[Samba] Can't get permission on a share to work problem with groups

Rowland Penny rowlandpenny at googlemail.com
Sun Feb 9 09:09:13 MST 2014


On 09/02/14 15:38, Horace wrote:
> On 2014-02-09 09:29, Rowland Penny wrote:
>> On 09/02/14 10:48, Horace wrote:
>>> On 2014-02-09 05:19, Rowland Penny wrote:
>>>> On 24/01/14 21:05, Horace wrote:
>>>>> Hello,
>>>>>
>>>>> 1. I have created a directory /srv/samba4/Public Applications.
>>>>> 2. I created a group 'Domain Admins' with gid 1003
>>>> When you say that you created a group called 'Domain Admins', just how
>>>> did you create it? or do you mean that you added the gidNumber '1003'
>>>> to the already existing group in AD?
>>>>
>>>> Rowland
>>>>
>>> I am referring to the UNIX group I created with the 'groupadd' command 
>>> and modified the Builtin AD group 'ACCOUNTSAD\Domain Admins' and 
>>> changed the existing gidNumber to 1003, so AD users that are members of 
>>> 'ACCOUNTSAD\Domain Admins' can write to the directory.
>>>>> 3. I setfacl -m group:1003:rwx on Public Applications
>>>>> 4. I created a share
>>>>> [Public Applications]
>>>>>     read list = @ACCOUNTSAD\"Domain Users"
>>>>>     write list = @"Domain Admins"
>>>>>     comment = Public Applications
>>>>>     path = /srv/samba4/Public Applications
>>>>>     #admin users = @"Domain Admins"
>>>>> 5. wbinfo --group-info 'Domain Admins'
>>>>> ACCOUNTSAD\Domain Admins:*:1003:
>>>>>
>>>>> Debug level
>>>>> # Debug logging information
>>>>> #log level = 10
>>>>> log level = 3
>>>>> #log file = /var/log/samba.log.%m
>>>>> #max log size = 50
>>>>> debug timestamp = yes
>>>>> syslog only = yes
>>>>>
>>>>>
>>>>> As anyone can see, I would like Domain Admins to have read/write access and 
>>>>> Domain Users read access only. For whatever reason, when I access 
>>>>> the share \\PDC-S2\Public Applications and try to create a folder, 
>>>>> I get Permission denied.
>>>>>
>>>>> I have tailed both syslogs and log.smbd and there is NO relevant 
>>>>> information regarding why this is failing.
>>>>>
>>>>> Am I doing something wrong here ?
>> OK, the problem here is that you are dealing with an Active Directory
>> server; it would be better if you just used ACLs.
>>
>> I personally wouldn't have mapped 'Domain Admins' to 'Domain Admins',
>> in fact I am surprised that you could create a unix Group with the
>> same name as a domain group, or did you create it before the join?
>>
>> I would remove the local group 'Domain Admins' and create a new one,
>> perhaps 'dom_admins', I would not use one with a space in the name,
>> unix doesn't like spaces ;-)
>>
>> Also if you are using the standard mappings, 'Domain Users' is mapped
>> to the local group 'users' or gid '100'
>>
>> What I would do here is alter smb.conf to this:
>>
>> [Public_Applications]
>>     comment = Public Applications
>>     path = /path/to/Public_Applications
>>     read only = no
>>
>> Then:
>>
>> setfacl -dm group:<gid of dom_admins>:rwx /path/to/Public_Applications
>>
>> setfacl -dm group:100:r-x /path/to/Public_Applications
>>
>> This should get you the results that you require, only members of
>> 'Domain Admins' can create files & folders, but members of 'Domain
>> Users' can read them.
>>
>> Rowland
>
> This is a much simpler way of doing this. Anyhow, I ran into a slight 
> problem: although I can write into Public_Applications, unfortunately 
> the smbd process creates files/folders with uid 300000 and gid 
> 100? 300000 is mapped to Administrators, which is awkward. Why isn't 
> it using the login name? Is this the default behaviour when you don't 
> specify 'valid users'?

You wanted anybody in the 'Domain Admins' group to be able to write to a 
dir, but members of 'Domain Users' only to be able to read anything in 
the dir, there was no mention of individual users.

Having said that, you are mixing up unix permissions and ACLs; they are 
very different. With unix you have user:group:others, i.e. one user, one 
group and then everybody else, whereas with ACLs you can have 
multiple users, multiple groups and of course others.

The way that I suggested gave you ownership by 'Domain Admins' and the 
ability to read by 'Domain Users', you could also give a user that isn't 
a member of either group access with:

setfacl -m user:testuser:rwx /path/to/Public_Applications/afile

It will still show as being owned by 3000000:users on linux, but does 
this matter if only the people/groups shown in the ACL have access? Try 
looking at a file's permissions from windows.

Rowland
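As an added example (not code from the thread or from the Samba project), here is the ACL setup Rowland suggests written as a shell script that also checks what the filesystem really grants. The smb.conf stanza stays as quoted above (`read only = no`), so Samba lets any authenticated user attempt a write and the filesystem ACL decides. The script assumes a local group 'dom_admins' with GID 1003 and 'Domain Users' mapped to GID 100 ('users'); both values are taken from the discussion and are hypothetical, as is the path. It sets the access ACL on the directory as well as the default ACL, because `setfacl -dm` on its own only affects files and folders created later, and it leaves 'others' with nothing so access is decided by the ACL entries alone.

```shell
#!/bin/sh
# Added example: set up the share directory with POSIX ACLs as suggested in the
# thread, then check what getfacl actually grants. Not code from the thread.
# Assumed (hypothetical) values: local group dom_admins = GID 1003,
# 'Domain Users' mapped to GID 100 ('users'). Override via the environment.
DOM_ADMINS_GID="${DOM_ADMINS_GID:-1003}"
DOM_USERS_GID="${DOM_USERS_GID:-100}"

# setup_share_acl DIR
# Creates DIR and grants: dom_admins rwx, 'users' r-x, nobody else anything.
# Both the access ACL (what applies to DIR now) and the default ACL (what new
# files and folders inherit) are set; 'setfacl -dm' on its own only sets the
# latter, so the directory itself would still be governed by plain mode bits.
setup_share_acl() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 770 "$dir" || return 1          # 'others' get nothing at all
    setfacl -m  "group:${DOM_ADMINS_GID}:rwx" "$dir" || return 1
    setfacl -m  "group:${DOM_USERS_GID}:r-x"  "$dir" || return 1
    setfacl -dm "group:${DOM_ADMINS_GID}:rwx" "$dir" || return 1
    setfacl -dm "group:${DOM_USERS_GID}:r-x"  "$dir" || return 1
}

# effective_group_perms DIR GID
# Prints the permissions a named group really gets on DIR: the ACL entry
# ANDed with the mask entry, which is what getfacl shows as '#effective:'.
# Prints '---' when there is no entry for GID. Uses numeric ids (-n) so the
# match works whether or not the GID resolves to a local group name.
effective_group_perms() {
    getfacl -c -n "$1" 2>/dev/null | awk -F: -v gid="$2" '
        $1 == "group" && $2 == gid { entry = substr($3, 1, 3) }
        $1 == "mask"               { mask  = substr($3, 1, 3) }
        END {
            if (entry == "") { print "---"; exit }
            if (mask == "")  { mask = entry }   # no mask: entry applies as-is
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(entry, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) == c) ? c : "-")
            }
            print out
        }'
}

# Usage: sh share_acl.sh /srv/samba4/Public_Applications
if [ -n "${1:-}" ]; then
    setup_share_acl "$1" || exit 1
    getfacl -c "$1"
    echo "dom_admins effective: $(effective_group_perms "$1" "$DOM_ADMINS_GID")"
fi
```

The second function exists because of the ACL mask: once named entries are present, the group bits of the mode double as the mask, and a later `chmod g-w` (or a tool that resets the mode) caps every named group at r-x even though `getfacl` still lists `group:1003:rwx` (it adds `#effective:r-x` beside it). That is one common reason an rwx ACL entry still ends in "Permission denied" from a Windows client, so check the effective value rather than the entry.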


