[Samba] Permissions for Group Shares

David Thompson david at digitaltransitions.ca
Wed Oct 7 02:19:35 UTC 2015


Hi all,




I have a weird error that I can't seem to get my head wrapped around.


I have the following setup:


Member Server: Debian 7.9 with the latest version of SAMBA (4.3.0)
SAMBA DC x 2 with the latest version of SAMBA (4.3.0)


On my member server I have set up a share /Groups and on it I have all my folders that users will be accessing. This migration is coming over from a Macintosh environment.


I have displaced winbind for sssd on the member server as it seems to run smoother for me, or at least I think it does.


What isn't working is that when I do the following:


setfacl -R -m g:Information\ Technology:rwx /Groups/Test-Folder


It all comes out proper according to the getfacl command:



# file: Groups/Test-Folder/
# owner: Administrator
# group: Domain\040Admins
user::rwx
group::r-x
group:Information\040Technology:rwx
mask::rwx
other::r-x


However, if I mount the share point from a Mac or Windows 8 box, I can authenticate as myself, in this case david, but I have zero permissions to write into the directory or create anything new inside the folder even though I am a member of the "Information Technology" group.


The only way I can get myself to have any type of write privileges on the remote share is if I add myself to the share such as:


setfacl -R -m u:david:rwx /Groups/Test-Folder


I'm pretty sure that's not by design but am wondering if anyone else has come across this issue and if so how you got it to respect the group settings for nested users within groups for full access to the shared folders.


I don't see anything in there about it being a limitation of sssd.


I've also tried to add the permissions from a Windows 8.1 box with the admin tools installed on it and I get all sorts of errors when I try and add ACLs and users to the folders.


Just wondering what I have to do in order to get my client machines to accept and understand that users in groups that are added to folders have various levels of access to those folders.


Hopefully this makes sense.
Thanks in advance,


-----
David
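
An added example, not part of the original post: the POSIX ACL access check applied to the getfacl output quoted above, showing how the result for david depends on which groups the member server resolves for him. The group lists passed in are constructed assumptions (including "Domain Users"), not values from the poster's server.

```python
# Added example: POSIX.1e ACL access check over the getfacl output from the post.
# The user/group lists passed to allowed() are constructed, not from the server.
GETFACL = r"""
# file: Groups/Test-Folder/
# owner: Administrator
# group: Domain\040Admins
user::rwx
group::r-x
group:Information\040Technology:rwx
mask::rwx
other::r-x
"""

def parse(text):
    """Return (owner, owning_group, entries) from getfacl text."""
    owner = group = None
    entries = []
    for line in text.strip().splitlines():
        line = line.replace(r"\040", " ")        # getfacl escapes spaces as \040
        if line.startswith("# owner: "):
            owner = line[len("# owner: "):]
        elif line.startswith("# group: "):
            group = line[len("# group: "):]
        elif line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split(":")[:3]
            entries.append((tag, name, set(perms[:3]) - {"-"}))
    return owner, group, entries

def allowed(text, user, groups, want):
    """True if `user`, with the resolved `groups`, is granted all of `want`."""
    want = set(want)
    owner, ogroup, entries = parse(text)
    find = lambda tag, name="": next(
        (p for t, n, p in entries if t == tag and n == name), None)
    mask = find("mask")
    if mask is None:
        mask = set("rwx")                        # minimal ACL: nothing is masked
    if user == owner:
        return want <= find("user")              # owner entry ignores the mask
    named = find("user", user)
    if named is not None:
        return want <= (named & mask)            # named user entry wins over groups
    matched = [p for t, n, p in entries
               if t == "group" and (n or ogroup) in groups]
    if matched:                                  # one matching entry must grant it all
        return any(want <= (p & mask) for p in matched)
    return want <= find("other")                 # no match: falls through to other
```

On the member server, `id david` lists the groups the OS resolved for the account, which is the `groups` argument this check depends on.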

