[Samba] Permission issue writing to demo share

Dr. Lars Hanke lars at lhanke.de
Fri Jun 27 10:13:31 MDT 2014

>> I can read and write the share using AD\Administrator. AD\StandardUser
>> can mount the share and read what the Administrator put there. But he
>> cannot create or modify files.
> Please post:
> smb.conf
         workgroup = AD
         realm = AD.MICROSULT.DE
         netbios name = SAMBA
         server role = active directory domain controller
         private dir = /srv/files/private
         lock directory = /srv/files
         state directory = /srv/files/state
         cache directory = /srv/files/cache
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes

         # allow for TLS / ldaps
         tls enabled = yes
         tls keyfile = /etc/samba/tls/SAMBA.ad.microsult.de.key.pem
         tls certfile = /etc/samba/tls/SAMBA.ad.microsult.de.pem
         tls cafile = /etc/certs/cacert.pem

         # this is from steve's mail
         kerberos method = system keytab

         path = /srv/files/state/sysvol/ad.microsult.de/scripts
         read only = No

         path = /srv/files/state/sysvol
         read only = No

         path = /srv/files/shares/Demo
         read only = no

> /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

> getent passwd AD\StandardUser
Empty, as is AD\Administrator.

> getfacl /path/to/your/demo share
I haven't installed ACL support so far, since the Samba docs say that
extended attributes are used instead of POSIX ACLs.

root at samba:/# ls -la /srv/files/shares/Demo/
total 8
drwxr-xr-x  2 root    root  35 Jun 27 14:24 .
drwxr-xr-x  3 root    root  17 Jun 13 13:19 ..
-rwxrwxr-x+ 1 3000000 users 32 Jun 27 14:24 Erstellt von Admin.txt
root at samba:/# attr -l /srv/files/shares/Demo
root at samba:/# attr -l /srv/files/shares/Demo/*
Attribute "DOSATTRIB" has a 56 byte value for /srv/files/shares/Demo/Erstellt von Admin.txt
Attribute "NTACL" has a 312 byte value for /srv/files/shares/Demo/Erstellt von Admin.txt
root at samba:/# attr -g NTACL /srv/files/shares/Demo/Erstellt\ von\ Admin.txt
attr_get: No data available
Could not get "NTACL" for /srv/files/shares/Demo/Erstellt von Admin.txt

Actually I had expected AD\Administrator to map to uid 0 instead of
3000000. At least this uid is in the LDAP.

  - lars.
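Added example, not part of the thread above: a POSIX shell script that collects in one run the three things the reply asked for, namely whether nsswitch.conf routes passwd/group lookups through winbind (the posted file lists only "compat", which is why getent returns nothing for domain users on a Samba AD DC), what uid getent resolves for the domain accounts, and how the share directory looks on disk including its security.* xattrs and any POSIX ACL. The account names AD\Administrator and AD\StandardUser and the share path /srv/files/shares/Demo are taken from the posted config; the NSSWITCH override variable and the script name used as a run guard are my own conventions.

```shell
#!/bin/sh
# check_share_identity.sh: added diagnostic for a Samba AD DC file share.
# Not taken from the original thread; the names below are assumptions based
# on the posted smb.conf (workgroup AD, share path /srv/files/shares/Demo).

NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

# Return 0 when both the passwd and group databases in the given nsswitch.conf
# list winbind as a source, 1 otherwise. Without winbind in both lines the OS
# cannot resolve AD\User names or the 3000000-range xidNumber uids that Samba
# allocates, and getent passwd for a domain user prints nothing.
nss_has_winbind() {
    conf="$1"
    for db in passwd group; do
        # drop comments, keep only this database's line, look for the word winbind
        if ! sed -e 's/#.*//' "$conf" \
             | grep -E "^[[:space:]]*${db}:" \
             | grep -qE '(^|[[:space:]])winbind([[:space:]]|$)'; then
            return 1
        fi
    done
    return 0
}

# Print the uid NSS resolves for a user name (DOMAIN\user or a plain name),
# or "unresolved" when the lookup yields nothing.
resolve_uid() {
    if command -v getent >/dev/null 2>&1; then
        entry=$(getent passwd "$1" 2>/dev/null) || entry=""
    else
        # hosts without getent: fall back to the local passwd file only
        entry=$(awk -F: -v u="$1" '$1 == u' /etc/passwd 2>/dev/null)
    fi
    if [ -z "$entry" ]; then
        echo unresolved
    else
        echo "$entry" | cut -d: -f3
    fi
}

# Show how the share directory looks to the kernel: mode and owner, every
# xattr namespace (Samba keeps the NT ACL in security.NTACL, which plain
# attr(1) output does not make obvious), and the POSIX ACL if getfacl exists.
show_share_dir() {
    dir="$1"
    ls -ld "$dir"
    if command -v getfattr >/dev/null 2>&1; then
        # "-m -" matches all namespaces; the default pattern is user.* only
        getfattr -d -m - -e hex "$dir" 2>/dev/null
    fi
    if command -v getfacl >/dev/null 2>&1; then
        getfacl "$dir" 2>/dev/null
    fi
}

main() {
    if nss_has_winbind "$NSSWITCH"; then
        echo "nsswitch: passwd and group lookups include winbind"
    else
        echo "nsswitch: winbind missing from passwd/group in $NSSWITCH"
    fi
    for u in 'AD\Administrator' 'AD\StandardUser'; do
        echo "$u -> uid $(resolve_uid "$u")"
    done
    show_share_dir "${1:-/srv/files/shares/Demo}"
}

# Run main only when executed directly under this file name (assumed name).
case "${0##*/}" in
    check_share_identity.sh) main "$@" ;;
esac
```

Run it as root on the DC, optionally with a different share path as the first argument. The getfattr dump prints the full attribute names with their namespace prefix, and `samba-tool ntacl get <path>` decodes the stored security.NTACL into a readable SDDL string, which is the quickest way to see which SID the Administrator's file actually carries as owner.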

