[Samba] Permission Issues with GPO

Viktor Trojanovic viktor at troja.ch
Thu Nov 19 10:37:05 UTC 2015

On 18.11.2015 12:24, Rowland Penny wrote:
> On 18/11/15 10:24, mourik jan c heupink wrote:
>> On 18-11-2015 10:59, Rowland Penny wrote:
>>> OK, I am trying to understand this as well, I take it that the 
>>> uidNumber
>>> you add is a unique number that is inside the range you have set in
>>> smb.conf, but what about the gidNumber? do you set it to '515' and is
>>> this also inside the range?
>> Yep. gidNumber 515, both inside the range yes. (range starts at 500)
>>> Who owns the share on the disk and what are the permissions, also what
>>> is the share in smb.conf.
>>> [ninite]
>>>         guest ok = no
>>>         comment = Ninite Software Updater
>>>         path = /srv/ninite
>>>         read only = No
>>>         writable = yes
>>>         valid users = @"Domain Admins", @"Domain Computers"
>>>         create mask = 0775
>>>         directory mask = 0775
>> Permissions on disk:
>>> drwxrwxr-x   5 root Domain Admins 4096 Jul  8 14:10 ninite
>> MJ
> OK, I think I understand this, Mourik is setting this on the share:
> valid users = @"Domain Admins", @"Domain Computers"
> This means that only members of the 'Domain Admins'  or 'Domain 
> Computers' groups can connect to the share, whilst Louis has this 
> showing in his ACLs from getfacl:
> Creator owner    special.     Only folders and files on underlying 
> folders.
> Creator group    special.     Only folders and files on underlying 
> folders.
> Verified users    read+exec    This folder  underlying folders and files
> Domain Admins     Full        This folder  underlying folders and files
> Domain users     read+exec    This folder  underlying folders and files
> Domain computers    read+exec    This folder  underlying folders and 
> files
> Which gives (amongst others) 'Domain Admins' full control and 'Domain 
> Computer' read+exec permissions.
> With Mourik's way of doing things, 'Domain Computers' must be known to 
> Unix, hence the required gidNumber
> Louis's way will probably rely on winbind mapping 'Domain Computers'
> Rowland

Hi all,

So I had some time today to study the whole thread once more and see if 
I can finally get it to work. The good news is, yes, it works now. But I 
don't yet understand what the problem initially was, and I also would 
like to know if the way I got it to work is really optimal.

At first, I tried Louis' suggestion. In contrast to MJ, I did not change 
my share permissions, they just contained "everybody:full control" from 
the start. All I did, though, when I realized I had an issue with the 
access on a computer level, I added the "domain computers" group to the 
windows ACL of the Samba share. Since getent group wouldn't reveal 
domain computers on the linux station, of course, since I have AD type 
ID mapping, I added a uid to the group "domain computers".

I still wouldn't work, so I tried Louis' advice and added the line 
acl_xattr:ignore system acls = yes to the share but that didn't solve 
the issue, either, same error messages.

But once, I set a uid and gid for the PC as MJ suggested, it finally worked.

- Is it really necessary to specifically give access to "domain 
computers" on a share in order to be accessed in computer mode? Would 
this work in the same way in a Windows AD?
- At what level does it have to be set? Is it necessary at share level 
or would folder level have been sufficient? Would this have any 
influence on the outcome?
- Why did it work for Louis without setting uid/gid and I had to? After 
all, my configuration is closer to Louis' than to MJ's. I didn't quite 
understand Rowland's remark about winbindd doing the job for Louis.

Anyway, for now I'm just glad it works. Thank you all for participating 
in the search for a solution.


More information about the samba mailing list