[Samba] Clients can't write to group-writable files - plea for help

Rowland Penny rpenny at samba.org
Fri Nov 18 14:53:24 UTC 2016 

On Fri, 18 Nov 2016 09:13:44 -0500
Josh Malone via samba <samba at lists.samba.org> wrote:

> On 11/17/16 2:53 PM, Alex Crow via samba wrote:
> >
> >> From my understanding you seem to have Mac and Windows clients and
> >> are using the Samba machine as a fileserver. If the windows
> >> machines are joined to a domain, then you will probably be better
> >> off joining the Samba machine to the domain, this way you will not
> >> need the user map.
> >>
> >> It might help if you could explain your setup, if it is different
> >> from the above and a copy of your smb.conf would help as well.
> >>
> >> Rowland
> 
> Sorry - I should have posted this from the beginning.
> 
>     http://www.cv.nrao.edu/~jmalone/smb.conf
> 
> The samba server is joined to our AD domain. testjoin reports that
> the join is okay and authentication is working properly. The samba
> server is *also* joined to our NIS domain from which it gets the unix
> users.
> 
> Usernames match between unix and AD. All accounts have uidNumber and 
> gidNumber set correctly in AD (although it wasn't always like this;
> only recently did I implement this with a nightly script that copies
> the id numbers into AD).
> 
> The smb.conf I posted is the one which exhibits the problem with 
> group-writable files. By commenting the username map and uncommenting 
> the username map script, the problem goes away. The mapusers.sh
> script just echos $1. The usermap.cfg map file is empty. I've also
> tried removing that config line entirely - problem remains.
> 
> The share I used for testing is:
> 
> [www.nrao.edu]
>          comment = www.nrao.edu Web Content
>          path = /home/www.nrao.edu
>          public = no
>          writable = yes
>          browsable = yes
>          create mask = 664
>          directory mask = 2775
> 
> 
> 
> Level 10 debug log is here, in its entirety this time:
> 
> 
>     http://www.cv.nrao.edu/~jmalone/log.agrajag
> 
> 
> It's a Mac client running 10.11.something.
> 
> -Josh
> 

OK, can I suggest you stop using either a usermap or a userscript. Try
setting up your domain member correctly see here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

and here:

https://wiki.samba.org/index.php/Idmap_config_ad

As you have Mac clients, it might be a good idea to use vfs_fruit, try
reading 'man vfs_fruit'

Setup correctly, you wont have windows, Mac and Unix users, you will
just have AD users.

Rowland

More information about the samba mailing list