[Samba] Samba 4.2.0: Group write permission not honored
schulz at adi.com
Tue Apr 21 12:34:59 MDT 2015
>>>> Hello Thomas
>>>> Am 06.04.2015 um 17:22 schrieb Thomas Schulz:
>>>>> For anyone considering using Samba 4.2.0, be aware that there is a
>>>>> problem with group write permission not being honored.
>>>>> This is seen on both Linux and Solaris. We have a setup where we have
>>>>> project directory trees where the files are owned by various users but
>>>>> also by a group that the various users are a member of. The group
>>>>> permissions are set to allow group write access. With Samba 4.1.* and
>>>>> earlier everyone in the group can create files in these directories.
>>>>> With Samba 4.2.0, we get an 'Access is denied' error.
>>>> Is there already a bug report about that? If not, please open one, to=20
>>>> get this fixed. Thanks.
>>> I opened Bug 11192. I realized just a moment ago that I had forgotten
>>> to include that information.
>> Do you have additional information like.
>> - smb.conf
>> - where do the unix users/groups come from (ldap, AD (winbind/ssd) ,
>> local/nis Database)
>> I have a bug
>> open and I am wondering, if it could be related
> The unix users/groups come from nis. I am not running winbindd except
> occasionally as a test to see if it makes a difference. I set the group
> permissions using the unix command 'chmod g+w'. On many of the directories
> there is an acl set to force the default group permission to include
> The smb.conf is as follows:
> # Global parameters
> workgroup = ADI
> realm = adi.com
> security = ADS
> client NTLMv2 auth = No
> name resolve order = bcast host
> client signing = if_required
> client ldap sasl wrapping = plain
> winbind sealed pipes = No
> require strong key = No
> idmap config * : backend = tdb
> dos filemode = Yes
> msdfs root = Yes
> comment = Acl test
> path = /home/users/schulz/tmp
> read only = No
> inherit permissions = Yes
> For a directory with an ACL, the ACL looks like this:
> # file: acltest2
> # owner: atest
> # group: atest
> group::rwx #effective:rwx
My report is somewhat incorrect. The problem with not honoring group
write permissions only occurs if winbindd is running. I never ran
winbindd with Samba 4.1.*. I started running it because of the problems
reported in Bug 11098. As reported there, it is possible to run Samba 4.2.*
without running winbindd if I use security=ads. If I do not run winbindd
then the group write permissions are honored.
I just tried Samba 4.1.17 and it has the same problem with using group
write permissions if winbindd is running. So this is not a regression,
at least not one against 4.1.*.
Applied Dynamics Intl.
schulz at adi.com
More information about the samba