[Samba] Cannot change directory permissions
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Aug 4 15:38:06 UTC 2015
On 04/08/15 15:29, Felix Matouschek wrote:
> Hi Rowland,
>
> I had to split smbd and winbindd config to work around some bugs in credentials offline caching.
> I have a separate winbindd.conf, it looks like this:
>
> [global]
> ### Network ###
> netbios name = Fileserver
> server string = Fileserver (%h V:%v)
>
> ### ad member ###
> workgroup = INTRANET
> realm = INTRANET.MYCOMPANY.DE
> security = ADS
> kerberos method = secrets and keytab
>
> ### WINS ###
> wins server = 192.168.0.197
> name resolve order = wins host bcast
>
> ### winbind config ###
> winbind offline logon = yes
> winbind cache time = 600
> winbind enum users = yes
> winbind enum groups = yes
> winbind expand groups = 1
> winbind nested groups = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind nss info = rfc2307
> idmap config * : backend = tdb
> idmap config * : range = 1000000 - 1999999
> idmap config INTRANET : backend = ad
> idmap config INTRANET : schema_mode = rfc2307
> idmap config INTRANET : range = 5000 - 40000
>
> ### offline mode is not working without those ###
> winbind normalize names = no
> map untrusted to domain = no
>
> ### performance ###
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>
> Greetings,
> Felix
>
> -----Ursprüngliche Nachricht-----
> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny
> Gesendet: Dienstag, 4. August 2015 15:17
> An: samba at lists.samba.org
> Betreff: Re: [Samba] Cannot change directory permissions
>
> On 04/08/15 14:11, Felix Matouschek wrote:
>> Hi Rowland,
>>
>> my users are known to the OS
> The smb.conf you posted earlier would seem to suggest that they aren't, what does 'getent passwd <username>' produce ?
>
> Rowland
>
>> , they also have the correct permissions to alter the settings.
>> Doing so on the CLI does work when logged in via SSH.
>>
>> When opening the Security Tab the users and groups are displayed, only on directories there are no checkmarks under Read, Write etc.
>> I also cannot set any checkmarks for Read, Write etc.
>>
>> When viewing the Security Tab of a file everything works and I can see and set the checkmarks.
>>
>> Do you know what could be wrong?
>>
>> Greetings,
>> Felix
>>
>> -----Ursprüngliche Nachricht-----
>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von
>> Rowland Penny
>> Gesendet: Dienstag, 4. August 2015 12:55
>> An: samba at lists.samba.org
>> Betreff: Re: [Samba] Cannot change directory permissions
>>
>> On 04/08/15 11:46, Felix Matouschek wrote:
>>> Hi Rowland,
>>>
>>> when saying 'I' I theoretically meant any user that has write access to the share.
>>>
>>> It should be possible to right click the directory in windows, the go to security tab and remove the write permissions on the directory.
>>>
>>> This behaviour already works with files, I'm trying to figure out how to make it also work for directories.
>>>
>>> Greetings,
>>> Felix
>>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von
>>> Rowland Penny
>>> Gesendet: Dienstag, 4. August 2015 11:57
>>> An: samba at lists.samba.org
>>> Betreff: Re: [Samba] Cannot change directory permissions
>>>
>>> On 04/08/15 10:07, Felix Matouschek wrote:
>>>> Hello,
>>>>
>>>> I occasionally need to remove the write permissions from directories inside a share to prevent users from accidentally deleting files inside that directory.
>>>>
>>>> My problem is that I neither can view nor can change the permissions of directories on my shares.
>>>> Curiously enough viewing and changing permissions of files in the same shares works without a problem.
>>>>
>>>> Is there anything I misconfigured?
>>>>
>>>> My smb.conf looks like this:
>>>>
>>>> [global]
>>>> ### Network ###
>>>> netbios name = Fileserver
>>>> server string = Fileserver (%h V:%v)
>>>>
>>>> ### ad member ###
>>>> workgroup = INTRANET
>>>> realm = INTRANET.MYCOMPANY.DE
>>>> security = ADS
>>>> kerberos method = secrets and keytab
>>>>
>>>> ### WINS ###
>>>> wins server = 192.168.0.197
>>>> name resolve order = wins host bcast
>>>>
>>>> ### logins without prepending INTRANET\ ###
>>>> map untrusted to domain = yes
>>>>
>>>> ### other settings ###
>>>> unix extensions = no
>>>> invalid users = root
>>>>
>>>> ### make exe files executable on windows without x bit ###
>>>> acl allow execute always = yes
>>>>
>>>> ### performance ###
>>>> deadtime = 10
>>>> use sendfile = yes
>>>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>>>>
>>>> ### prevent unwanted files ###
>>>> veto files = /$RECYCLE.BIN/desktop.ini/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/._.apdisk/.TemporaryItems/._.TemporaryItems/.Trashes/._.Trashes
>>>> delete veto files = yes
>>>>
>>>> ### SHARES ###
>>>>
>>>> [Exchange]
>>>> path = /home/nobackup/exchange
>>>> guest ok = yes
>>>> read only = no
>>>> create mask = 660
>>>> directory mask = 770
>>>> force group = exchange-users
>>>>
>>>> Greetings,
>>>> Felix
>>> Hi, when you say ' I occasionally need to remove the write permissions', whom is the 'I', is this the Administrator ?
>>>
>>> Rowland
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>> I am fairly sure your problem is a misconfiguration of smb.conf, for a start have a look here:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> To change directory settings, your users and groups need to be known to the underlying Unix OS and have the required permissions to alter the settings.
>>
>> Rowland
>>
>>
I am now officially lost, are you telling me that you have a smb.conf
and a winbindd.conf ?
If you have a winbindd.conf, how are you telling winbindd to load it ?
Also I don't use the winbind offline logon feature, but I thought you
have to have 'cached_login = yes' in the file:
/etc/security/pam_winbind.conf.
Does 'getent passwd' display all your AD domains ?
Rowland
Rowland
More information about the samba
mailing list