[Samba] Clients can't write to group-writable files - plea for help

Rowland Penny rpenny at samba.org
Wed Nov 16 20:23:17 UTC 2016

On Wed, 16 Nov 2016 15:12:06 -0500
Josh Malone via samba <samba at lists.samba.org> wrote:

> On 11/16/16 2:32 PM, Jeremy Allison via samba wrote:
> >>
> >> But the file is not root:root - it's owned by uid 12477 and group
> >> 9006. Why is Samba getting the wrong owner/group for this file?
> >
> > That is the core of your problem. What does the full debug level 10
> > log say around this message ?
> >
> Nothing that I can see.
>
> In any case, I've resolved my issue. By setting a user map script that
> just returns $1, the problem goes away. It's as if samba wasn't
> processing the trivial case of unix = windows without this help. I
> couldn't even use an empty usermap or find any other usermap setup
> that worked. Not sure why.
>
> And I only had to resort to this on my RHEL6 servers. Ubuntu server
> handles it just fine without maps or scripts.
>
> On 11/16/16 11:21 AM, Rowland Penny via samba wrote:
> >
> > If you are connecting to a Unix domain member, you don't use a
> > username map, you give your windows users a uidNumber attribute and
> > they become Unix users as well, provided the Unix domain member is
> > set up correctly.
> >
> > Don't remember seeing the smb.conf files you are using, this may
> > help with your problem.
> >
> > Rowland
> My AD account objects all have uidNumber and gidNumber set (we use
> that for the Mac systems bound to AD). And the AD usernames match the
> NIS usernames. (the uid/gids match too).

This is probably why it works on Ubuntu, but not on CentOS; sssd is
probably running on the CentOS machine, but isn't set up correctly.

> Is there documentation that focuses on the simple "Member server"
> case for just serving files to users who exist on both unix and AD?
> Seems like most of the docs assume you're using Samba as a DC or
> something more magical than a simple file server.

There isn't really a 'simple member server', the word 'member' means it
is a Domain member and you can read here about them:


You can leverage that to create a fileserver that authenticates to AD.

