[Samba] Cannot browse mode 0700 directories from Windows with security=ads

Ian Collier Ian.Collier at cs.ox.ac.uk
Fri Apr 15 14:20:32 UTC 2016

We've had a samba server running for ages on CentOS 6 with samba 3.6.23.
(We're hoping to move to CentOS 7 and samba 4.2.10 soon but in the meantime
we'd like to keep this one working.)

The situation is that we have a Unix domain (LDAP/Kerberos) and a Windows
domain (AD) with identical usernames, and we are running Samba primarily
to give Windows users access to some directories on Unix.  We have
joined the Samba server to the Windows domain, and have "security=ads"
in the config.  However, we also have some users who connect from Mac
and Unix clients.  The usernames on the Samba server itself come from
the Unix domain, so it's only using the Windows AD to validate people's
passwords when they connect to Samba.

We have been running happily without running winbindd on the Samba server
and it's all been working perfectly.

However, since the Badlock patches, the Samba server can no longer
authenticate clients from Mac or Unix workstations.  I understand
that this is a known issue, and the official answer is "run winbindd".
Well OK, but unfortunately Winbind seems to have messed up all our
access permissions.

With Winbind running, all users can successfully connect, and all Unix
users can access the correct shares, but Windows is telling some people
"You do not have permission to access X" on some shares.

The first thing we noticed is that users don't have access to directories
that are shared using group permissions.  So if the directory is mode 0770,
not owned by me, but owned by a group that I am a member of, I don't have
access from Windows.

If we put "force group = X" in the config for that share, where X is the
group owner of the directory (that I am already a member of), I am allowed
access again.  But I don't like to do this because it might grant access
to some people who are not members of the group.

I found from searching on this issue that the problem is likely related
to the fact that the Windows AD groups are being used rather than the
Unix groups, and that we should put "username map script = /bin/echo"
in the config.

With that in place, I can now browse any share with group permissions -
great!  Unfortunately, this stops me from being able to access any
folder that has mode 0700 from Windows even if I own it.

... What have I missed, and what do I need to look at?  BTW I have no
idea what a SID or a RID is, but this does seem to be important somehow.

Ian Collier