[Samba] Setup share permissions
Georgi Georgiev
gig.georgiev at gmail.com
Wed Nov 18 10:36:43 UTC 2015
Hello all,

I built the following test environment: two Sernet Samba 4.2.5-8 DCs with
--use-rfc2307 on Debian Jessie with BIND9_DLZ as the DNS backend, and
two member servers with the same Sernet packages:
member1 acting as the print server and member2 as the file server.

DC1 conf:

# Global parameters
[global]
    workgroup = COMAC
    realm = COMAC.CMBG.BG
    netbios name = DC1
    interfaces = lo eth0
    bind interfaces only = Yes
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
    load printers = no
    printcap name = /dev/null

[netlogon]
    path = /var/lib/samba/sysvol/comac.cmbg.bg/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Member2:

[global]
    netbios name = MEMBER2
    security = ADS
    workgroup = COMAC
    realm = COMAC.CMBG.BG
    log file = /var/log/samba/%m.log
    log level = 1
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

    # Important: The ranges of the default (*) idmap config
    # and the domain(s) must not overlap!
    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain
    idmap config COMAC:backend = ad
    idmap config COMAC:schema_mode = rfc2307
    idmap config COMAC:range = 10000-99999

    # Use settings from AD for login shell and home directory
    winbind nss info = rfc2307

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    printcap name = /dev/null
    load printers = no

[TEST3]
    comment = TEST3
    path = /data/test3
    read only = no

On member:

root@member2:/data# wbinfo -n test3
S-1-5-21-3950231052-3657987514-2080562086-1108 SID_USER (1)
root@member2:/data# getent passwd test3
test3:*:10003:10001:test3:/home/test3:/bin/sh
root@member2:/data# id test3
uid=10003(test3) gid=10001(domain users) groups=10001(domain users),*10002(cmbg)*,2001(BUILTIN\users)
root@member2:/data# getent group | grep cmbg
cmbg:x:10002:

I have the following problem, or maybe I am missing something, when setting up permissions.

Trying the POSIX method:

mkdir /data/test3
chown test3:cmbg /data/test3
chmod 2770 /data/test3

but newly created subdirectories always show "domain users" as the group:

drwxrws---+ 2 test3 domain users 4096 Nov 18 12:12 demo

I really would appreciate any advice you can offer!

--GIG
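
Added example, not part of the original post: a small Python check for the rule stated in the MEMBER2 config comments (the default "*" and domain idmap ranges must not overlap), which also maps the IDs from the "id test3" output to the idmap domain that owns them. The function names and the embedded config excerpt are constructed for this illustration.

```python
import re

# Constructed sample: the idmap lines from the MEMBER2 smb.conf in the post.
SMB_CONF = """\
[global]
    # idmap config for domain
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config COMAC:backend = ad
    idmap config COMAC:schema_mode = rfc2307
    idmap config COMAC:range = 10000-99999
"""

# Matches "idmap config DOMAIN:range = LOW-HIGH"; comment lines never match
# because the line must start with the parameter name.
RANGE_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every idmap range line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError("inverted range for %s" % m.group(1))
            ranges[m.group(1)] = (low, high)
    return ranges

def find_overlaps(ranges):
    """Return pairs of domains whose inclusive ID ranges intersect."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    overlaps = []
    for i, (d1, (_, hi1)) in enumerate(items):
        for d2, (lo2, _) in items[i + 1:]:
            if lo2 <= hi1:  # items are sorted by low bound, so this suffices
                overlaps.append((d1, d2))
    return overlaps

def owning_domain(ranges, unix_id):
    """Name the single idmap domain containing unix_id, else None."""
    hits = [d for d, (lo, hi) in ranges.items() if lo <= unix_id <= hi]
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print("overlaps:", find_overlaps(ranges) or "none")
    for unix_id in (10003, 10001, 10002, 2001):  # IDs from "id test3" in the post
        print(unix_id, "->", owning_domain(ranges, unix_id))
```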