[Samba] Samba 4.2.0: Group write permission not honored
Thomas Schulz
schulz at adi.com
Tue Apr 14 09:37:39 MDT 2015
>>> Hello Thomas
>>>
>>> Am 06.04.2015 um 17:22 schrieb Thomas Schulz:
>>>> For anyone considering using Samba 4.2.0, be aware that there is a
>>>> problem with group write permission not being honored.
>>>>
>>>> This is seen on both Linux and Solaris. We have a setup where we have
>>>> project directory trees where the files are owned by various users but
>>>> also by a group that the various users are a member of. The group
>>>> permissions are set to allow group write access. With Samba 4.1.* and
>>>> earlier everyone in the group can create files in these directories.
>>>> With Samba 4.2.0, we get an 'Access is denied' error.
>>>
>>> Is there already a bug report about that? If not, please open one, to
>>> get this fixed. Thanks.
>>>
>>> https://www.samba.org/~asn/reporting_samba_bugs.txt
>>>
>>>
>>> Regards,
>>> Marc
>>
>> I opened Bug 11192. I realized just a moment ago that I had forgotten
>> to include that information.
>
> Do you have additional information like.
>
> - smb.conf
> - where do the unix users/groups come from (ldap, AD (winbind/ssd), local/nis Database)
>
> I have a bug
>
> https://bugzilla.samba.org/show_bug.cgi?id=11082
>
> open and I am wondering, if it could be related
The unix users/groups come from nis. I am not running winbindd except
occasionally as a test to see if it makes a difference. I set the group
permissions using the unix command 'chmod g+w'. On many of the directories
there is an acl set to force the default group permission to include
write.

The smb.conf is as follows:
# Global parameters
[global]
workgroup = ADI
realm = adi.com
server string =
security = ADS
guest account = nobody2
client NTLMv2 auth = No
log file = /opt/local/samba4/var/logs/%h/log.%m
max log size = 1500
name resolve order = bcast host
unix extensions = No
client signing = if_required
client ldap sasl wrapping = plain
printcap name = /etc/printers.samba
dns proxy = No
lock directory = /var/samba/locks/%h
pid directory = /var/samba/locks/%h
winbind sealed pipes = No
require strong key = No
idmap config * : backend = tdb
printing = sysv
include = /opt/local/samba4/etc/smb.conf.mackerel
wide links = Yes
delete readonly = Yes
dos filemode = Yes
msdfs root = Yes
[zacltest2]
comment = Acl test
path = /home/users/schulz/tmp
read only = No
inherit permissions = Yes
For a directory with an ACL, the ACL looks like this:
# file: acltest2
# owner: atest
# group: atest
user::rwx
group::rwx #effective:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:r-x
Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
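
As an added example (not part of the original message and not Samba code), this Python script applies the POSIX.1e access-check order from acl(5) to getfacl text such as the listing above. It lets you confirm whether the filesystem ACL itself grants group write before attributing an 'Access is denied' to the SMB server. The user name `alice` and the group `staff` used in checks are hypothetical.

```python
# Added example: POSIX.1e access check (acl(5) order) over getfacl text.
# ACL text copied from the listing above; user "alice" is hypothetical.
PAGE_ACL = """\
# file: acltest2
# owner: atest
# group: atest
user::rwx
group::rwx #effective:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:r-x
"""

def parse_getfacl(text):
    """Return (owner, group, access entries); default: entries are skipped."""
    owner = group = None
    entries = []  # (tag, qualifier, perms)
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            f = line.split("#", 1)[0].strip().split(":")
            if len(f) == 2:  # Solaris form "mask:rwx" has no qualifier field
                f = [f[0], "", f[1]]
            entries.append(tuple(f[:3]))
    return owner, group, entries

def allows(text, user, groups, want="w"):
    """True if the ACL grants `want` to `user` with group set `groups`."""
    owner, group, entries = parse_getfacl(text)
    find = lambda tag, q: [p for t, qq, p in entries if t == tag and qq == q]
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = lambda p: want in p and (mask is None or want in mask)
    if user == owner:                      # owner: mask does not apply
        return want in find("user", "")[0]
    if find("user", user):                 # named user entry, limited by mask
        return masked(find("user", user)[0])
    hits = [p for t, q, p in entries
            if t == "group" and (q or group) in groups]
    if hits:                               # any matching group entry, masked
        return any(masked(p) for p in hits)
    return want in find("other", "")[0]
```

For the ACL shown, `allows(PAGE_ACL, "alice", {"atest"})` is true, so a denial over SMB for a member of the owning group does not come from the ACL entries themselves.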