[Samba] access rights for unix groups unreliable

Klaus Hartnegg hartnegg at gmx.de
Tue Jun 24 07:35:01 MDT 2014


Hello,

Please help me with this.

Access rights granted via ACLs to unix groups work on only
about 2 out of 10 logins; on the other logins I get access denied.
Directories with rights granted to everybody are always accessible.

Rights were granted from within Windows 7 to a unix-group named "g_all".
Samba is version 4.1.6 from Ubuntu 14.04.
Output of testparm:
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
[global]
	# Server-wide settings as printed by testparm for this classic (NT4-style) primary domain controller.
	workgroup = AAA
	server string = BBB
	server role = classic primary domain controller
	# A login with an unknown user name is mapped to the guest account instead of being rejected;
	# a wrong password for an existing user is still refused.
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	# The line break inside the next value appears to come from mail wrapping, not from testparm.
	passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	# Accepts the legacy LANMAN challenge/response, which rests on a weak password hash.
	# NOTE(review): the Windows 7 clients mentioned in the post should not need it - confirm, then disable.
	lanman auth = Yes
	syslog = 0
	# %m expands to the client machine name, so each client gets its own log file.
	log file = /var/log/samba/log.%m
	max log size = 1000
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	show add printer wizard = No
	mangle prefix = 5
	# Run by smbd when a machine account has to be created; %u is replaced by the account name.
	# The line break inside the value appears to come from mail wrapping.
	add machine script = /usr/sbin/useradd -g machines -c "%u machine 
account" -d /var/lib/samba -s /bin/false %u
	logon script = logon.cmd
	logon path =
	logon drive = H:
	logon home = \\%L\S\usr\%U
	domain logons = Yes
	dns proxy = No
	# Lets user-defined shares (usershares) be created with guest access allowed.
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	# NOTE(review): "maxsixe" looks like a typo for recycle:maxsize; module options of this
	# form are not validated by testparm, so a misspelled one is presumably ignored silently.
	recycle:maxsixe = 0
	recycle:versions = Yes
	recycle:touch = Yes
	recycle:keeptree = Yes
	recycle:repository = .recyclebin
	idmap config * : backend = tdb
	# New files and directories take their permissions and ACLs from the parent directory.
	inherit permissions = Yes
	inherit acls = Yes
	map acl inherit = Yes
	printing = bsd
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
	case sensitive = No
	short preserve case = No
	delete veto files = Yes
	map archive = No
	map readonly = no
	store dos attributes = Yes
	strict locking = Yes
	fstype = Samba
	# acl_xattr keeps the Windows (NT) ACL in an extended attribute next to the POSIX permissions.
	# A share that sets its own "vfs objects" replaces this list rather than extending it.
	vfs objects = acl_xattr

[netlogon]
	# Share that holds the domain logon scripts.
	comment = Network Logon Service
	path = /srv/samba/netlogon
	# Connections without a password are accepted and run as the guest account.
	# "read only" is not listed, so the share is presumably read-only by default - confirm with testparm -v.
	guest ok = Yes

[G]
	# File share restricted to the unix group g_all plus two named accounts.
	path = /srv/samba/files/G
	# "+g_all" names the unix group g_all; only its members, admin and guest may connect.
	# Group membership is evaluated at connect time, before any file ACL is consulted.
	# NOTE(review): "guest ok" is not set here, so listing "guest" presumably does not
	# open the share to anonymous sessions - confirm which account "guest" is.
	valid users = +g_all, admin, guest
	# Every file operation by "admin" on this share is carried out as root, bypassing the ACLs.
	admin users = admin
	read only = No
	# Entries named .rights are hidden from clients and cannot be opened by them.
	veto files = /.rights/
	# Replaces the global module list for this share, which is why acl_xattr is repeated here.
	vfs objects = recycle, acl_xattr

[S]
	# File share with the same access settings as [G]; "logon home" in [global] points into it.
	path = /srv/samba/files/S
	# "+g_all" names the unix group g_all; only its members, admin and guest may connect.
	# NOTE(review): "guest ok" is not set here, so listing "guest" presumably does not
	# open the share to anonymous sessions - confirm which account "guest" is.
	valid users = +g_all, admin, guest
	# Every file operation by "admin" on this share is carried out as root, bypassing the ACLs.
	admin users = admin
	read only = No
	# Entries named .rights are hidden from clients and cannot be opened by them.
	veto files = /.rights/
	# Replaces the global module list for this share, which is why acl_xattr is repeated here.
	vfs objects = recycle, acl_xattr


