[Samba] Samba4 and file permissions

Rowland Penny rpenny at samba.org
Mon Dec 19 10:13:11 UTC 2016


See inline comments:

On Mon, 19 Dec 2016 09:24:07 +0000
Stefano Martini via samba <samba at lists.samba.org> wrote:

> Hello
> I configured a samba 4.3.1 service on a Centos 6.5 32 bit system and
> installed it in the /home/samba/samba-4.3.1 directory (I know this is
> not a good place but it was the only partition with enough free
> space). The samba is running as an Active Directory Domain Controller
> with rfc2307 enabled and embedded DNS server. This is my smb.conf
> 
> # Global parameters
> [global]
>         workgroup = TESTDOM
>         realm = TESTDOM.LOCAL
>         netbios name = DC-SERVER
>         server role = active directory domain controller
>         dns forwarder = X.X.X.X
>         idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>         path = /home/samba/samba-4.3.1/var/locks/sysvol/lacdevel.lac/scripts
>         read only = No
> 
> [sysvol]
>         path = /home/samba/samba-4.3.1/var/locks/sysvol
>         read only = No
> 
> [homes]
>         comment = %u's Home Directory
>         read only = no
>         browseable = no
>         guest ok = no
>         directory mask = 755
>         create mask = 0644
>         force create mode = 0644

[homes] doesn't work on a DC, see here:

https://wiki.samba.org/index.php/User_home_drives#Adding_the_share

> 
> On the Linux host I have the user "userX", with uid 503, belonging to
> the group "groupX", with gid 507. I created the corresponding user
> and group into the Samba server by using the samba-tool command:
> 
> # Created the user
> samba-tool user add userX --unix-home=/home/userX --uid-number=503
> --login-shell=/bin/bash --gid-number=507 --given-name=NameX
> --surname=SurnameX
> 
> # Created the group
> samba-tool group add groupX --gid-number=507 --nis-domain=testdom
> 
> # Added the user into the group
> samba-tool group addmembers groupX userX
> 
> Then, by using an LDAP administration tool, I changed the
> primaryGroupID attribute of the userX user to the RID of the groupX
> group (1104).
> 
> This configuration works fine. On a remote system I can mount the
> userX's home:

No, it doesn't; you might think it does, but you have just broken
Windows!
Can I suggest you put the user's primaryGroupID back to 513, which is
what Windows expects it to be.

> 
> mount -t cifs //x.x.x.x/userX /mnt -o user=TESTDOM\\userX
> Password:
> 
> Now I have this problem: every file created by the remote host has
> the same permissions. For example, running
> 
> touch /mnt/fileX
> 
> on the remote host creates fileX in the userX's home with these
> permissions:
> 
> ls -l /home/userX/fileX
> -rwxrwxr-x+ 1 userX groupX 0 Dec 19 10:13 /home/userX/fileX
> 
> How can I set the permission of files according to the umask of the
> userX linux user? Is there a way to define this property into the
> Samba AD database?
> 
> Thanks in advance
> Stefano
> 

You need to start using the Windows way of doing things, all users are
members of 'Domain Users', no private groups with the same name as a
user.

Can I also suggest you stop using ID numbers in the 5xx range.

I feel I must also point out that you shouldn't have users or groups
in /etc/passwd & /etc/group that are also in AD.

I think you need to read the Samba wiki:

https://wiki.samba.org/index.php/Main_Page

Rowland
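Added illustration, not part of the thread and not Samba project code: the share above sets `directory mask`, `create mask` and `force create mode`, and the question asks why the Linux user's umask is not honoured. smb.conf(5) documents the arithmetic smbd uses instead of the umask: the mode requested by the client is AND-ed with the mask, then the force bits are OR-ed in. The model below applies that rule with the values from the `[homes]` share and with Samba's defaults (`create mask` 0744, `directory mask` 0755, force modes 0). It covers only the plain POSIX-mode path; the `+` in the `ls -l` output shows a POSIX ACL is present, and on a DC the `acl_xattr` mapping of the Windows ACL can override the resulting bits, so this arithmetic alone does not reproduce the `-rwxrwxr-x+` seen above. `HOMES_SHARE` is a transcription of the posted config, and the requested modes (0666 for a file, 0777 for a directory) are the usual values a client such as `touch` or `mkdir` asks for.

```python
# Model of smb.conf(5) "create mask" / "force create mode" (and the directory
# equivalents). Added example; not code from Samba or from the mailing list.
import stat


def parse_octal(value: str) -> int:
    """smb.conf octal parameters are read as octal whether or not they carry a
    leading 0, so '755' and '0755' mean the same thing."""
    return int(value, 8)


def effective_mode(requested: int, mask: int, force: int) -> int:
    """Mode smbd applies on create: bits absent from the mask are cleared,
    then the force bits are OR-ed in. The Unix user's umask is not consulted;
    smbd runs with umask 0 and relies on these parameters instead."""
    return (requested & mask) | force


def effective_file_mode(requested: int, share: dict) -> int:
    # Defaults are the ones documented in smb.conf(5).
    return effective_mode(requested,
                          parse_octal(share.get("create mask", "0744")),
                          parse_octal(share.get("force create mode", "0")))


def effective_dir_mode(requested: int, share: dict) -> int:
    return effective_mode(requested,
                          parse_octal(share.get("directory mask", "0755")),
                          parse_octal(share.get("force directory mode", "0")))


def file_mode_string(mode: int) -> str:
    """Render like the permission column of ls -l (regular file)."""
    return stat.filemode(stat.S_IFREG | mode)


def dir_mode_string(mode: int) -> str:
    return stat.filemode(stat.S_IFDIR | mode)


# Transcribed from the [homes] share posted in the thread.
HOMES_SHARE = {
    "directory mask": "755",
    "create mask": "0644",
    "force create mode": "0644",
}


def explain(share: dict) -> dict:
    """Worked results for the common requests a client makes: a new file
    (0666), a deliberately private file (0600) and a new directory (0777)."""
    return {
        "file_0666": file_mode_string(effective_file_mode(0o666, share)),
        "file_0600": file_mode_string(effective_file_mode(0o600, share)),
        "dir_0777": dir_mode_string(effective_dir_mode(0o777, share)),
    }


if __name__ == "__main__":
    for name, value in explain(HOMES_SHARE).items():
        print(f"{name:10s} -> {value}")
    # force create mode = 0644 also widens a 0600 request to 0644, which is
    # the opposite of what a restrictive umask would do.
```

The 0600 case is the one worth noticing: `force create mode` ORs bits in, so a client asking for a private file still gets group- and world-readable bits, which is a loosening rather than a restriction. A umask-like behaviour is obtained from `create mask` alone, with `force create mode` left at 0.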
