[Samba] Setup share permissions

Rowland Penny rowlandpenny241155 at gmail.com
Wed Nov 18 11:09:40 UTC 2015


On 18/11/15 10:36, Georgi Georgiev wrote:
> Hello all,
>
> I built the following test environment: two Sernet Samba 4.2.5-8 DCs with 
> --use-rfc2307 on Debian Jessie with BIND9_DLZ as DNS backend, and
> two member servers with the same Sernet packages:
> member1 acting as print server and member2 as file server.
> DC1  conf:
> # Global parameters
> [global]
>         workgroup = COMAC
>         realm = COMAC.CMBG.BG
>         netbios name = DC1
>         interfaces = lo eth0
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>
>         load printers = no
>         printcap name = /dev/null
>
>
> [netlogon]
>         path = /var/lib/samba/sysvol/comac.cmbg.bg/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> Member2 :
> [global]
>
>        netbios name = MEMBER2
>        security = ADS
>        workgroup = COMAC
>        realm = COMAC.CMBG.BG
>
>        log file = /var/log/samba/%m.log
>        log level = 1
>
>        dedicated keytab file = /etc/krb5.keytab
>        kerberos method = secrets and keytab
>        winbind refresh tickets = yes
>
>        winbind trusted domains only = no
>        winbind use default domain = yes
>        winbind enum users  = yes
>        winbind enum groups = yes
>        # Important: The ranges of the default (*) idmap config
>        # and the domain(s) must not overlap!
>
>        # Default idmap config used for BUILTIN and local accounts/groups
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-9999
>
>        # idmap config for domain
>        idmap config COMAC:backend = ad
>        idmap config COMAC:schema_mode = rfc2307
>        idmap config COMAC:range = 10000-99999
>
>        # Use settings from AD for login shell and home directory
>        winbind nss info = rfc2307
>
>        vfs objects = acl_xattr
>        map acl inherit = Yes
>        store dos attributes = Yes
>
>        printcap name = /dev/null
>        load printers = no
>
>
> [TEST3]
>    comment = TEST3
>    path = /data/test3
>    read only = no
>
> On member:
> root@member2:/data# wbinfo -n test3
> S-1-5-21-3950231052-3657987514-2080562086-1108 SID_USER (1)
> root@member2:/data# getent passwd test3
> test3:*:10003:10001:test3:/home/test3:/bin/sh
> root@member2:/data# id test3
> uid=10003(test3) gid=10001(domain users) groups=10001(domain users),10002(cmbg),2001(BUILTIN\users)

As you can see 'test3' has the uid of '10003' and the primary gid of '10001'

>
> root@member2:/data# getent group | grep cmbg
> cmbg:x:10002:
>
> I have the following problem, or maybe I am missing something, when setting up 
> permissions:
> Trying POSIX method
> mkdir /data/test3
> chown test3:cmbg /data/test3
> chmod 2770 /data/test3
>
> but newly created subdirectories always show "domain users" as the group:
>  drwxrws---+ 2 test3 domain users 4096 Nov 18 12:12 demo

If a user creates a directory (or file) it will get the user's uid & gid 
(see above); just adding a gidNumber to a domain user does not make it 
the user's primary Unix group. Perhaps it should, but it doesn't.

Rowland

>
> I really would appreciate any advice you can offer!
> --GIG

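The POSIX rule Rowland describes, and the effect of the setgid bit from the "chmod 2770" step, can be checked on a plain local filesystem. The script below is an added illustration, not code from Georgi or Rowland, and it involves no Samba at all: it assumes Linux with GNU coreutils ("stat -c", numeric "chgrp") and runs as whatever user invokes it, using a throw-away directory under mktemp. Without setgid on the parent, a new subdirectory gets the creator's primary gid regardless of the parent's group; with setgid on the parent, the subdirectory takes the parent's group and inherits the setgid bit. Whether a directory created through the share ends up the same way depends on Samba's own handling, which this example does not cover.

```shell
#!/bin/sh
# Added demonstration (not the thread's code): which uid/gid a new directory
# receives under POSIX rules, with and without the setgid bit on the parent.
# Local filesystem only; assumes Linux + GNU coreutils. No Samba involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gid_of()  { stat -c %g "$1"; }   # numeric group id of a path
mode_of() { stat -c %A "$1"; }   # symbolic mode, e.g. drwxrws---

# First supplementary gid that differs from the caller's primary gid, or the
# primary gid itself if the caller has no other group (the checks still hold).
other_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Case 1: parent is 0770 (no setgid) and owned by a non-primary group.
# Prints the gid of the new subdirectory: it is the creator's primary gid,
# whatever the parent's group is (this is the "domain users" effect above).
make_plain() {
    parent=$(mktemp -d "$WORK/plain.XXXXXX")
    chgrp "$(other_group)" "$parent"
    chmod 0770 "$parent"
    mkdir "$parent/sub"
    gid_of "$parent/sub"
}

# Case 2: parent is 2770 (setgid), same group as case 1.
# Prints "<parent gid> <sub gid> <sub mode>": the subdirectory takes the
# parent's group and inherits the setgid bit (the 's' in the group triplet).
make_setgid() {
    parent=$(mktemp -d "$WORK/shared.XXXXXX")
    chgrp "$(other_group)" "$parent"
    chmod 2770 "$parent"
    mkdir "$parent/sub"
    echo "$(gid_of "$parent") $(gid_of "$parent/sub") $(mode_of "$parent/sub")"
}

echo "creator primary gid:                    $(id -g)"
echo "no setgid  -> sub gid:                  $(make_plain)"
echo "setgid     -> parent gid, sub gid, mode: $(make_setgid)"
```

Run it as an ordinary user who belongs to at least two groups to see the two cases diverge; as a user with a single group both cases report the same gid, which is exactly the situation the thread describes for a user whose only effective primary group is "domain users".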


