[Samba] access rights for unix groups unreliable

Sven Schwedas sven.schwedas at tao.at
Tue Jun 24 08:34:08 MDT 2014


On 2014-06-24 15:35, Klaus Hartnegg wrote:
> Hello,
> 
> Please help me with this.
> 
> Access rights granted with acl to unix groups work only
> on about 2 out of 10 logins, otherwise I get access denied.
> Directories with rights granted to everybody are always accessible.
> 
> Rights were granted from within Windows 7 to a unix-group named "g_all".
> Samba is 4.1.6 of Ubuntu 14.04
> Output of testparm:
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> [global]
>     workgroup = AAA
>     server string = BBB
>     server role = classic primary domain controller
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     pam password change = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>     lanman auth = Yes
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     load printers = No
>     printcap name = /dev/null
>     disable spoolss = Yes
>     show add printer wizard = No
>     mangle prefix = 5
>     add machine script = /usr/sbin/useradd -g machines -c "%u machine
> account" -d /var/lib/samba -s /bin/false %u
>     logon script = logon.cmd
>     logon path =
>     logon drive = H:
>     logon home = \\%L\S\usr\%U
>     domain logons = Yes
>     dns proxy = No
>     usershare allow guests = Yes
>     panic action = /usr/share/samba/panic-action %d
>     recycle:maxsixe = 0
>     recycle:versions = Yes
>     recycle:touch = Yes
>     recycle:keeptree = Yes
>     recycle:repository = .recyclebin

>     idmap config * : backend = tdb

Are the gids/uids stable?

>     inherit permissions = Yes
>     inherit acls = Yes
>     map acl inherit = Yes
>     printing = bsd
>     print command = lpr -r -P'%p' %s
>     lpq command = lpq -P'%p'
>     lprm command = lprm -P'%p' %j
>     case sensitive = No
>     short preserve case = No
>     delete veto files = Yes
>     map archive = No
>     map readonly = no
>     store dos attributes = Yes
>     strict locking = Yes
>     fstype = Samba
>     vfs objects = acl_xattr
> 
> [netlogon]
>     comment = Network Logon Service
>     path = /srv/samba/netlogon
>     guest ok = Yes
> 
> [G]
>     path = /srv/samba/files/G
>     valid users = +g_all, admin, guest
>     admin users = admin
>     read only = No
>     veto files = /.rights/
>     vfs objects = recycle, acl_xattr
> 
> [S]
>     path = /srv/samba/files/S
>     valid users = +g_all, admin, guest
>     admin users = admin
>     read only = No
>     veto files = /.rights/
>     vfs objects = recycle, acl_xattr
> 

-- 
Best Regards,
Sven Schwedas
System Administrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
