[Samba] Reply: Re: permissions of new files and directories

jan-philipp.snizek at business.uzh.ch
Thu Sep 22 12:36:34 UTC 2016


> From: Rowland Penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 22.09.2016 13:18
> Subject: Re: [Samba] permissions of new files and directories
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> On Thu, 22 Sep 2016 11:53:36 +0200
> Philipp Snizek via samba <samba at lists.samba.org> wrote:
>
> >
> >
> > Hello
> >
> > I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both Windows
> > DCs are Win 2012 R2 in 2008 R2 mode.
> >
> > This is the smb.conf:
> >
> > [global]
> >     workgroup = MYDOM
> >     server string = Fileserver
> >     netbios name = myhostname
> >     winbind separator = +
> >     security = ADS
> >     admin users = %D+administrator, %D+backupmaster
> >     realm = MYDOM.WHEREVER
> >     kerberos method = secrets and keytab
> >     winbind enum users = yes
> >     winbind enum groups = yes
> >     winbind nss info = template
> >     winbind use default domain = no
> >     winbind refresh tickets = true
> >     winbind nested groups = yes
> >     idmap config *:backend = rid
> >     idmap config *:range = 100000-100000000
> >     idmap config *:base_rid = 0
> >     template shell = /usr/bin/nologin
> >     template homedir = /home/%D/users/%U
> >     obey pam restrictions = yes
> >     allow trusted domains = no
> >     client use spnego = yes
> >     client signing = auto
> >     preferred master = no
> >     load printers = no
> >     unix charset = UTF8
> >     log file = /var/log/samba/log.%m
> >     log level = 3
> >     max log size = 50000
> >     server max protocol = SMB3
> >     map untrusted to domain = yes
> >     log writeable files on exit = yes
> >
> > This is one of the many team share configs. They are all like this.
> >
> > [Team_XXX]
> >     comment = Team XXX
> >     path = "/home/teams1/team_xxx"
> >     browseable = yes
> >     write list = "@%D+team xxx"
> >     admin users = @%D+domänen-admins
> >     valid users = @%D+domänen-admins, "@%D+team xxx"
> >     public = no
> >     force group = "%D+team xxx"
> >     directory mask = 0770
> >     create mask = 0660
> >
> > When I, as a member of %D+team xxx, create a new directory in this share,
> > the permissions of the new directory become 750 instead of 770. Newly
> > created files do get 660.
> > I have tried force directory mode = 0770 to no effect. I've also tried
> > inherit permissions = yes. Newly created files then get 660 and
> > directories get 750 instead of 770.
> >
> > Thanks for helping out.
> >
> > Best regards,
> > Philipp
> >
>
> Can I suggest you change your smb.conf to this:
>
> [global]
>     netbios name = myhostname
>     security = ADS
>     workgroup = MYDOM
>     realm = MYDOM.WHEREVER
>     server string = Fileserver
>
>     log file = /var/log/samba/log.%m
>     log level = 3
>     max log size = 50000
>
>     winbind separator = +
>     kerberos method = secrets and keytab
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind refresh tickets = true
>
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>
>     idmap config MYDOM:backend = rid
>     idmap config MYDOM:range = 100000-100000000
>
>     template shell = /usr/bin/nologin
>     template homedir = /home/%D/users/%U
>     obey pam restrictions = yes
>     allow trusted domains = no
>     preferred master = no
>     load printers = no
>     map untrusted to domain = yes
>     log writeable files on exit = yes
>
> [Team_XXX]
>     comment = Team XXX
>     path = /home/teams1/team_xxx
>     browseable = yes
>     read only = no
>
>
> Then read and follow this:
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

I've tried to run with POSIX ACLs to set permissions/ownerships on the
share directory only, "/home/teams1/team_xxx" in this example. This
directory would get 0770 and with inherit permissions or directory mask =
and create mask = my hopes were to achieve the correct permissions. Would
that work with your suggestions? Following the link you've sent me, I have
the impression that I am leaving my concept. I don't want anyone to use
Windows' Security tab, not even us admins.

Thank you
Philipp
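As an added illustration that is not part of this thread and not Samba's own code, the model below follows the smb.conf(5) descriptions of "create mask", "force create mode", "directory mask", "force directory mode", "inherit permissions" and the map archive/system/hidden options to compute the UNIX mode smbd asks the kernel for; the share values are the ones from the thread, the parent-mode and attribute inputs are constructed. It shows why adding "force directory mode = 0770" to a share that already has "directory mask = 0770" changes nothing: the requested directory mode is 0770 either way, so a 750 on disk is narrowed after smbd's request (by the parent directory's POSIX default ACL or the process umask), not by these parameters.

```python
# Added model of smb.conf(5) mode semantics; not code from the thread or Samba.
import stat

DEFAULTS = {                      # smb.conf(5) defaults for Samba 4.x
    "create mask": 0o744, "force create mode": 0o000,
    "directory mask": 0o755, "force directory mode": 0o000,
    "inherit permissions": False,
    "map archive": True, "map system": False, "map hidden": False,
}

def requested_mode(is_dir, share, parent_mode=None, archive=False,
                   system=False, hidden=False):
    """Mode smbd requests for a new object. parent_mode is the mode of the
    directory it is created in and is only consulted with inherit permissions;
    archive/system/hidden are the DOS attributes the client asked for."""
    cfg = {**DEFAULTS, **share}
    if is_dir:
        if cfg["inherit permissions"] and parent_mode is not None:
            # Directories inherit the parent's mode, setgid included,
            # but never the setuid bit.
            return parent_mode & 0o7777 & ~stat.S_ISUID
        return (0o777 & cfg["directory mask"]) | cfg["force directory mode"]
    # Files start from rw for everyone; DOS attributes map onto execute bits.
    mode = 0o666
    if archive and cfg["map archive"]:
        mode |= stat.S_IXUSR
    if system and cfg["map system"]:
        mode |= stat.S_IXGRP
    if hidden and cfg["map hidden"]:
        mode |= stat.S_IXOTH
    if cfg["inherit permissions"] and parent_mode is not None:
        # Files take only the read/write bits from the parent; execute bits
        # stay governed by the map options above.
        return (mode & 0o111) | (parent_mode & 0o666)
    return (mode & cfg["create mask"]) | cfg["force create mode"]

TEAM_SHARE = {"directory mask": 0o770, "create mask": 0o660}  # from the thread

if __name__ == "__main__":
    print(oct(requested_mode(True, TEAM_SHARE)))                 # 0o770
    print(oct(requested_mode(False, TEAM_SHARE, archive=True)))  # 0o660
    # force directory mode = 0770 is OR'ed onto bits that are already set
    print(oct(requested_mode(True, {**TEAM_SHARE, "force directory mode": 0o770})))
```

The kernel's own narrowing step is outside this model: with a default POSIX ACL on the parent the requested bits are intersected with that ACL (the group class being its mask entry), so `getfacl` on the share directory is the place to look when the stored mode is smaller than the one computed here.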