[Samba] Cannot change directory permissions

Rowland Penny rowlandpenny241155 at gmail.com
Tue Aug 4 15:38:06 UTC 2015


On 04/08/15 15:29, Felix Matouschek wrote:
> Hi Rowland,
>
> I had to split smbd and winbindd config to work around some bugs in credentials offline caching.
> I have a separate winbindd.conf, it looks like this:
>
> [global]
>      ### Network ###
>      netbios name = Fileserver
>      server string = Fileserver (%h V:%v)
>
>      ### ad member ###
>      workgroup = INTRANET
>      realm = INTRANET.MYCOMPANY.DE
>      security = ADS
>      kerberos method = secrets and keytab
>
>      ### WINS ###
>      wins server = 192.168.0.197
>      name resolve order = wins host bcast
>
>      ### winbind config ###
>      winbind offline logon = yes
>      winbind cache time = 600
>      winbind enum users = yes
>      winbind enum groups = yes
>      winbind expand groups = 1
>      winbind nested groups = yes
>      winbind use default domain = yes
>      winbind refresh tickets = yes
>      winbind nss info = rfc2307
>      idmap config * : backend = tdb
>      idmap config * : range = 1000000 - 1999999
>      idmap config INTRANET : backend = ad
>      idmap config INTRANET : schema_mode = rfc2307
>      idmap config INTRANET : range = 5000 - 40000
>
>      ### offline mode is not working without those ###
>      winbind normalize names = no
>      map untrusted to domain = no
>
>      ### performance ###
>      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>
> Greetings,
> Felix
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Tuesday, 4 August 2015 15:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] Cannot change directory permissions
>
> On 04/08/15 14:11, Felix Matouschek wrote:
>> Hi Rowland,
>>
>> my users are known to the OS
> The smb.conf you posted earlier would seem to suggest that they aren't, what does 'getent passwd <username>' produce ?
>
> Rowland
>
>> , they also have the correct permissions to alter the settings.
>> Doing so on the CLI does work when logged in via SSH.
>>
>> When opening the Security Tab the users and groups are displayed, only on directories there are no checkmarks under Read, Write etc.
>> I also cannot set any checkmarks for Read, Write etc.
>>
>> When viewing the Security Tab of a file everything works and I can see and set the checkmarks.
>>
>> Do you know what could be wrong?
>>
>> Greetings,
>> Felix
>>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
>> Rowland Penny
>> Sent: Tuesday, 4 August 2015 12:55
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Cannot change directory permissions
>>
>> On 04/08/15 11:46, Felix Matouschek wrote:
>>> Hi Rowland,
>>>
>>> when saying 'I' I theoretically meant any user that has write access to the share.
>>>
>>> It should be possible to right click the directory in Windows, then go to security tab and remove the write permissions on the directory.
>>>
>>> This behaviour already works with files, I'm trying to figure out how to make it also work for directories.
>>>
>>> Greetings,
>>> Felix
>>>
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
>>> Rowland Penny
>>> Sent: Tuesday, 4 August 2015 11:57
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Cannot change directory permissions
>>>
>>> On 04/08/15 10:07, Felix Matouschek wrote:
>>>> Hello,
>>>>      
>>>> I occasionally need to remove the write permissions from directories inside a share to prevent users from accidentally deleting files inside that directory.
>>>>      
>>>> My problem is that I neither can view nor can change the permissions of directories on my shares.
>>>> Curiously enough viewing and changing permissions of files in the same shares works without a problem.
>>>>      
>>>> Is there anything I misconfigured?
>>>>      
>>>> My smb.conf looks like this:
>>>>      
>>>> [global]
>>>>         ### Network  ###
>>>>         netbios name = Fileserver
>>>>         server string = Fileserver (%h V:%v)
>>>>      
>>>>         ### ad member ###
>>>>         workgroup = INTRANET
>>>>         realm = INTRANET.MYCOMPANY.DE
>>>>         security = ADS
>>>>         kerberos method = secrets and keytab
>>>>      
>>>>         ### WINS ###
>>>>         wins server = 192.168.0.197
>>>>         name resolve order = wins host bcast
>>>>      
>>>>         ### logins without prepending INTRANET\ ###
>>>>         map untrusted to domain = yes
>>>>      
>>>>         ### other settings ###
>>>>         unix extensions = no
>>>>         invalid users = root
>>>>      
>>>>         ### make exe files executable on windows without x bit ###
>>>>         acl allow execute always = yes
>>>>      
>>>>         ### performance ###
>>>>         deadtime = 10
>>>>         use sendfile = yes
>>>>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>>>>      
>>>>         ### prevent unwanted files ###
>>>>         veto files = /$RECYCLE.BIN/desktop.ini/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/._.apdisk/.TemporaryItems/._.TemporaryItems/.Trashes/._.Trashes
>>>>         delete veto files = yes
>>>>      
>>>> ### SHARES ###
>>>>      
>>>> [Exchange]
>>>>         path = /home/nobackup/exchange
>>>>         guest ok = yes
>>>>         read only = no
>>>>         create mask = 660
>>>>         directory mask = 770
>>>>         force group = exchange-users
>>>>      
>>>> Greetings,
>>>> Felix
>>> Hi, when you say 'I occasionally need to remove the write permissions', who is the 'I', is this the Administrator?
>>>
>>> Rowland
>>>
>> I am fairly sure your problem is a misconfiguration of smb.conf, for a start have a look here:
>>
>>     https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> To change directory settings, your users and groups need to be known to the underlying Unix OS and have the required permissions to alter the settings.
>>
>> Rowland
>>
>>

I am now officially lost, are you telling me that you have a smb.conf 
and a winbindd.conf ?

If you have a winbindd.conf, how are you telling winbindd to load it ?

Also I don't use the winbind offline logon feature, but I thought you 
have to have 'cached_login = yes' in the file: 
/etc/security/pam_winbind.conf.

Does 'getent passwd' display all your AD domains ?

Rowland
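
The question of whether smbd and winbindd read the same settings can be checked by diffing the identity-related `[global]` parameters of the two files. The following is an added example, not part of the original thread or of Samba itself; the sample text is abridged from the two configs posted above, and the function names and the set of parameters compared are assumptions.

```python
import re

# Parameters (normalized) that affect how AD accounts map to Unix IDs; this set is an assumption.
IDENTITY = re.compile(r"^(idmapconfig|winbind|mapuntrustedtodomain$|security$|workgroup$|realm$)")

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)     # only the first '=' is significant
            # smb.conf ignores case and whitespace inside parameter names
            params["".join(name.split()).lower()] = value.strip()
    return params

def identity_drift(smbd_text, winbindd_text):
    """List (param, smbd value, winbindd value) where the two files disagree."""
    a, b = parse_global(smbd_text), parse_global(winbindd_text)
    keys = sorted(k for k in set(a) | set(b) if IDENTITY.match(k))
    return [(k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)]

# Sample input abridged from the smb.conf and winbindd.conf quoted in the thread.
SMBD_CONF = """\
[global]
    workgroup = INTRANET
    security = ADS
    map untrusted to domain = yes
[Exchange]
    path = /home/nobackup/exchange
"""
WINBINDD_CONF = """\
[global]
    workgroup = INTRANET
    security = ADS
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config INTRANET : backend = ad
    idmap config INTRANET : range = 5000 - 40000
    map untrusted to domain = no
"""

if __name__ == "__main__":
    for name, smbd, winbindd in identity_drift(SMBD_CONF, WINBINDD_CONF):
        print(f"{name}: smbd={smbd!r} winbindd={winbindd!r}")
```

A value of `None` means the parameter is absent from that file, so that daemon runs with its built-in default for it.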


