[Samba] Samba 4.2.0: Group write permission not honored

Thomas Schulz schulz at adi.com
Tue Apr 14 09:37:39 MDT 2015


>>> Hello Thomas
>>>
>>> Am 06.04.2015 um 17:22 schrieb Thomas Schulz:
>>>> For anyone considering using Samba 4.2.0, be aware that there is a
>>>> problem with group write permission not being honored.
>>>>
>>>> This is seen on both Linux and Solaris. We have a setup where we have
>>>> project directory trees where the files are owned by various users but
>>>> also by a group that the various users are a member of. The group
>>>> permissions are set to allow group write access. With Samba 4.1.* and
>>>> earlier everyone in the group can create files in these directories.
>>>> With Samba 4.2.0, we get an 'Access is denied' error.
>>>
>>> Is there already a bug report about that? If not, please open one, to
>>> get this fixed. Thanks.
>>>
>>> https://www.samba.org/~asn/reporting_samba_bugs.txt
>>>
>>>
>>> Regards,
>>> Marc
>>
>> I opened Bug 11192. I realized just a moment ago that I had forgotten
>> to include that information.
> 
> Do you have additional information like.
> 
> - smb.conf
> - where do the unix users/groups come from (ldap, AD (winbind/ssd) , local/nis Database)
> 
> I have a bug
> 
> https://bugzilla.samba.org/show_bug.cgi?id=11082
> 
> open and I am wondering, if it could be related

The unix users/groups come from nis. I am not running winbindd except
occasionally as a test to see if it makes a difference. I set the group
permissions using the unix command 'chmod g+w'. On many of the directories
there is an acl set to force the default group permission to include
write.

The smb.conf is as follows:

# Global parameters
[global]
        workgroup = ADI
        realm = adi.com
        server string = 
        security = ADS
        guest account = nobody2
        client NTLMv2 auth = No
        log file = /opt/local/samba4/var/logs/%h/log.%m
        max log size = 1500
        name resolve order = bcast host
        unix extensions = No
        client signing = if_required
        client ldap sasl wrapping = plain
        printcap name = /etc/printers.samba
        dns proxy = No
        lock directory = /var/samba/locks/%h
        pid directory = /var/samba/locks/%h
        winbind sealed pipes = No
        require strong key = No
        idmap config * : backend = tdb
        printing = sysv
        include = /opt/local/samba4/etc/smb.conf.mackerel
        wide links = Yes
        delete readonly = Yes
        dos filemode = Yes
        msdfs root = Yes

[zacltest2]
        comment = Acl test
        path = /home/users/schulz/tmp
        read only = No
        inherit permissions = Yes


For a directory with an ACL, the ACL looks like this:

# file: acltest2
# owner: atest
# group: atest
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:r-x


Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
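
Added example, not part of the original message and not Samba code: it evaluates the standard POSIX ACL access check over the getfacl output quoted above, giving the filesystem-level answer for a group member as a baseline to compare with what smbd returns. The user and group names passed to `allowed()` are constructed for illustration.

```python
# Added example: POSIX ACL access check over getfacl-style text.
# SAMPLE_ACL is the listing from the message; callers' names are constructed.
SAMPLE_ACL = """\
# file: acltest2
# owner: atest
# group: atest
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:r-x
"""

def parse_getfacl(text):
    """Return (owner, owning_group, access_entries); default: entries are skipped."""
    meta, access = {}, []
    for raw in text.splitlines():
        if raw.startswith("# ") and ": " in raw:
            key, value = raw[2:].split(": ", 1)
            meta[key] = value.strip()
            continue
        line = raw.split("#", 1)[0].strip()      # drop "#effective:..." notes
        if not line or line.startswith("default:"):
            continue                              # defaults only shape new children
        parts = line.split(":")                   # "mask:rwx" or "mask::rwx"
        qualifier = parts[1] if len(parts) == 3 else ""
        access.append((parts[0], qualifier, set(parts[-1]) - {"-"}))
    return meta.get("owner"), meta.get("group"), access

def allowed(acl_text, user, groups, want):
    """True if the ACL grants every permission in `want` (e.g. "wx")."""
    owner, owning_group, access = parse_getfacl(acl_text)
    want = set(want)
    mask = next((p for t, _, p in access if t == "mask"), None)
    masked = lambda p: p if mask is None else p & mask
    entry = lambda tag, qual: [p for t, q, p in access if t == tag and q == qual]
    if user == owner:                             # owner entry is never masked
        return want <= entry("user", "")[0]
    if entry("user", user):                       # named user entry, masked
        return want <= masked(entry("user", user)[0])
    matched = [p for t, q, p in access if t == "group"
               and (q in groups or (q == "" and owning_group in groups))]
    if matched:                                   # any matching group entry may grant
        return any(want <= masked(p) for p in matched)
    return want <= entry("other", "")[0]
```

Creating a file needs write and search ("wx") on the directory, so `allowed(SAMPLE_ACL, "member", {"atest"}, "wx")` is the check that corresponds to the failing operation.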

