[Samba] Setup share permissions

Georgi Georgiev gig.georgiev at gmail.com
Wed Nov 18 10:36:43 UTC 2015

Hello all,

I built the following test environment: two Sernet Samba 4.2.5-8 DCs with
--use-rfc2307 on Debian Jessie with BIND9_DLZ as DNS backend, and
two member servers with the same Sernet packages:
member1 acting as print server and member2 as file server.
DC1  conf:
# Global parameters
         workgroup = COMAC
         realm = COMAC.CMBG.BG
         netbios name = DC1
         interfaces = lo eth0
         bind interfaces only = Yes
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes

         load printers = no
         printcap name = /dev/null

         path = /var/lib/samba/sysvol/comac.cmbg.bg/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No

Member2 :

        netbios name = MEMBER2
        security = ADS
        workgroup = COMAC
        realm = COMAC.CMBG.BG

        log file = /var/log/samba/%m.log
        log level = 1

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = yes

        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        # Important: The ranges of the default (*) idmap config
        # and the domain(s) must not overlap!

        # Default idmap config used for BUILTIN and local accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # idmap config for domain
        idmap config COMAC:backend = ad
        idmap config COMAC:schema_mode = rfc2307
        idmap config COMAC:range = 10000-99999

        # Use settings from AD for login shell and home directory
        winbind nss info = rfc2307

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

        printcap name = /dev/null
        load printers = no

    comment = TEST3
    path = /data/test3
    read only = no

On member:
root at member2:/data# wbinfo -n test3
S-1-5-21-3950231052-3657987514-2080562086-1108 SID_USER (1)
root at member2:/data# getent passwd test3
root at member2:/data# id test3
uid=10003(test3) gid=10001(domain users) groups=10001(domain 

root at member2:/data# getent group | grep cmbg

I have the following problem, or maybe I am missing something, when setting up permissions:
Trying the POSIX method:
mkdir /data/test3
chown test3:cmbg /data/test3
chmod 2770 /data/test3

but newly created subdirectories always show "domain users" as the group:
  drwxrws---+ 2 test3 domain users 4096 Nov 18 12:12 demo

I really would appreciate any advice you can offer!
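The member2 configuration above warns that the default (*) and domain idmap ranges must not overlap, and `id test3` reports uid 10003 / gid 10001, which must fall inside the COMAC range for the ad backend to resolve them. The following added example (not part of the original post or of Samba) parses the `idmap config ...:range` lines from an smb.conf fragment constructed from the quoted settings, reports overlapping ranges, and tells which idmap domain a given uid/gid lands in.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the idmap lines quoted for member2 in the post above.
SAMPLE_SMB_CONF = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config COMAC:backend = ad
        idmap config COMAC:schema_mode = rfc2307
        idmap config COMAC:range = 10000-99999
"""

# Matches "idmap config <domain>:range = <low>-<high>", tolerating extra spaces.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I
)


def parse_idmap_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line in the text."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap (winbind needs them disjoint)."""
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                bad.append((a, b))
    return bad


def domain_for_id(ranges: Dict[str, Tuple[int, int]], xid: int) -> Optional[str]:
    """Idmap domain whose range contains the uid/gid, or None if no range does."""
    for name, (lo, hi) in ranges.items():
        if lo <= xid <= hi:
            return name
    return None


if __name__ == "__main__":
    r = parse_idmap_ranges(SAMPLE_SMB_CONF)
    print("ranges:", r, "overlaps:", overlapping_ranges(r))
    for xid in (10003, 10001):  # uid/gid reported by `id test3` in the post
        print(xid, "->", domain_for_id(r, xid))
```

Run it against a real smb.conf by passing the file contents to `parse_idmap_ranges`; a gid that maps to no domain, or to the default (*) range, is a reason to look at the rfc2307 attributes of that group rather than at the share's POSIX permissions.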
