[Samba] Reply: Re: Reply: Re: permissions of new files and directories

jan-philipp.snizek at business.uzh.ch
Fri Sep 23 07:30:25 UTC 2016


> From: Rowland Penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 22.09.2016 15:14
> Subject: Re: [Samba] Reply: Re: permissions of new files and directories
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> On Thu, 22 Sep 2016 14:36:34 +0200
> Philipp Snizek via samba <samba at lists.samba.org> wrote:
>
> >
> > > From: Rowland Penny via samba <samba at lists.samba.org>
> > > To: samba at lists.samba.org
> > > Date: 22.09.2016 13:18
> > > Subject: Re: [Samba] permissions of new files and directories
> > > Sent by: "samba" <samba-bounces at lists.samba.org>
> > >
> > > On Thu, 22 Sep 2016 11:53:36 +0200
> > > Philipp Snizek via samba <samba at lists.samba.org> wrote:
> > >
> > > >
> > > >
> > > > Hello
> > > >
> > > > I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both
> > > > Windows DCs are Win 2012 R2 in 2008 R2 mode.
> > > >
> > > > This is the smb.conf:
> > > >
> > > > [global]
> > > >     workgroup = MYDOM
> > > >     server string = Fileserver
> > > >     netbios name = myhostname
> > > >     winbind separator = +
> > > >     security = ADS
> > > >     admin users = %D+administrator, %D+backupmaster
> > > >     realm = MYDOM.WHEREVER
> > > >     kerberos method = secrets and keytab
> > > >     winbind enum users = yes
> > > >     winbind enum groups = yes
> > > >     winbind nss info = template
> > > >     winbind use default domain = no
> > > >     winbind refresh tickets = true
> > > >     winbind nested groups = yes
> > > >     idmap config *:backend = rid
> > > >     idmap config *:range = 100000-100000000
> > > >     idmap config *:base_rid = 0
> > > >     template shell = /usr/bin/nologin
> > > >     template homedir = /home/%D/users/%U
> > > >     obey pam restrictions = yes
> > > >     allow trusted domains = no
> > > >     client use spnego = yes
> > > >     client signing = auto
> > > >     preferred master = no
> > > >     load printers = no
> > > >     unix charset = UTF8
> > > >     log file = /var/log/samba/log.%m
> > > >     log level = 3
> > > >     max log size = 50000
> > > >     server max protocol = SMB3
> > > >     map untrusted to domain = yes
> > > >     log writeable files on exit = yes
> > > >
> > > > This is one of the many team share configs. They are all like
> > > > this.
> > > >
> > > > [Team_XXX]
> > > >     comment = Team XXX
> > > >     path = "/home/teams1/team_xxx"
> > > >     browseable = yes
> > > >     write list = "@%D+team xxx"
> > > >     admin users = @%D+domänen-admins
> > > >     valid users = @%D+domänen-admins, "@%D+team xxx"
> > > >     public = no
> > > >     force group = "%D+team xxx"
> > > >     directory mask = 0770
> > > >     create mask = 0660
> > > >
> > > > When I, as a member of %D+team xxx, create a new directory in this
> > > > share, the permissions of the new directory become 750 instead of
> > > > 770. Newly created files do get 660.
> > > > I have tried force directory mode = 0770 to no effect. I've also
> > > > tried inherit permissions = yes. Newly created files then get 660
> > > > and directories get 750 instead of 770.
> > > >
> > > > Thanks for helping out.
> > > >
> > > > Best regards,
> > > > Philipp
> > > >
> > >
> > > Can I suggest you change your smb.conf to this:
> > >
> > > [global]
> > >     netbios name = myhostname
> > >     security = ADS
> > >     workgroup = MYDOM
> > >     realm = MYDOM.WHEREVER
> > >     server string = Fileserver
> > >
> > >     log file = /var/log/samba/log.%m
> > >     log level = 3
> > >     max log size = 50000
> > >
> > >     winbind separator = +
> > >     kerberos method = secrets and keytab
> > >     winbind enum users = yes
> > >     winbind enum groups = yes
> > >     winbind refresh tickets = true
> > >
> > >     idmap config *:backend = tdb
> > >     idmap config *:range = 2000-9999
> > >
> > >     idmap config MYDOM:backend = rid
> > >     idmap config MYDOM:range = 100000-100000000
> > >
> > >     template shell = /usr/bin/nologin
> > >     template homedir = /home/%D/users/%U
> > >     obey pam restrictions = yes
> > >     allow trusted domains = no
> > >     preferred master = no
> > >     load printers = no
> > >     map untrusted to domain = yes
> > >     log writeable files on exit = yes
> > >
> > > [Team_XXX]
> > >     comment = Team XXX
> > >     path = /home/teams1/team_xxx
> > >     browseable = yes
> > >     read only = no
> > >
> > >
> > > Then read and follow this:
> > >
> > > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> >
> > I've tried to run with POSIX ACLs to set permissions/ownerships on the
> > share directory only, "/home/teams1/team_xxx" in this example. This
> > directory would get 0770 and with inherit permissions or directory
> > mask = and create mask = my hopes were to achieve the correct
> > permissions. Would that work with your suggestions? Following the
> > link you've sent me I have the impression that I am leaving my
> > concept. I don't want anyone to use Windows' Security tab, not even
> > us admins.
> >
> > Thank you
> > Philipp
> >
> >
>
> If you must use posix ACLs, see here:
>
> https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs
>

Yes, this is what I want.
The global section I configured according to your suggestions, thank you
for spotting all those needless default settings.

My "testing" share now looks like this:

[team_informatik]
    comment = Team Informatik
    path = /home/teams/team_informatik
    browseable = no
    valid users = +%D+"team informatik"
    public = no

chmod 2770 /home/teams/team_informatik
smbcontrol all reload-config

When I create a new folder in this share on my Win 10 (1511) client, the new
folder's permissions are rwxr-s---.

After adding force directory mode = 0770 to this section and reloading the
config, a newly created folder still gets rwxr-s--- permissions. Members of
the same group cannot delete this folder.
If I understand the bitwise OR-ing correctly, this parameter should
definitely override the permissions to 0770.

What am I missing?

Philipp
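The question above turns on how Samba combines the mask and force parameters. The model below is an added example, not Samba's own code: it follows the rule smb.conf(5) documents (the mode derived from the client's request is bitwise ANDed with `directory mask` / `create mask`, and the result is bitwise ORed with `force directory mode` / `force create mode`) and adds the kernel's setgid propagation from a 2770 parent directory. The requested modes (0777 for a plain directory, 0666 for a plain file) are assumptions used for illustration; the defaults 0755 and 0744 are the man-page defaults for the two mask parameters.

```python
"""Model of the documented mask/force rule for new files and directories.

Added example, not Samba's code. Assumptions: a Windows client creating a
directory without DOS attributes requests 0777, a plain file requests 0666,
and the parent lives on a Linux filesystem that propagates the setgid bit.
"""
import stat

PERM_BITS = 0o777  # rwx bits for user, group and other


def samba_unix_mode(requested: int, mask: int, force_mode: int) -> int:
    """mask can only remove bits, force can only add bits."""
    return ((requested & mask) | force_mode) & PERM_BITS


def predicted_directory_mode(directory_mask: int = 0o755,
                             force_directory_mode: int = 0o000,
                             parent_mode: int = 0o755,
                             requested: int = 0o777) -> int:
    """Mode a new directory should get under the documented rule."""
    mode = samba_unix_mode(requested, directory_mask, force_directory_mode)
    # The kernel, not Samba, copies setgid from a setgid parent (e.g. chmod 2770).
    if parent_mode & stat.S_ISGID:
        mode |= stat.S_ISGID
    return mode


def predicted_file_mode(create_mask: int = 0o744,
                        force_create_mode: int = 0o000,
                        requested: int = 0o666) -> int:
    """Mode a new file should get under the documented rule."""
    return samba_unix_mode(requested, create_mask, force_create_mode)


def mode_string(mode: int, is_dir: bool = True) -> str:
    """Render a mode the way `ls -l` does, e.g. 0o2750 -> 'drwxr-s---'."""
    return stat.filemode((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode)


def explain(observed: int, predicted: int) -> dict:
    """Which rwx bits the observed mode lacks or adds relative to the prediction."""
    return {
        "missing": oct(predicted & ~observed & PERM_BITS),
        "extra": oct(observed & ~predicted & PERM_BITS),
    }


if __name__ == "__main__":
    scenarios = [
        ("man-page defaults, parent 0755", dict()),
        ("directory mask = 0770 (first config in the thread)",
         dict(directory_mask=0o770)),
        ("force directory mode = 0770, parent 2770 (second config)",
         dict(force_directory_mode=0o770, parent_mode=0o2770)),
    ]
    for label, params in scenarios:
        mode = predicted_directory_mode(**params)
        print(f"{label}: predicted {oct(mode)} {mode_string(mode)}")

    # Observed on the server in the thread: rwxr-s--- on a 2770 parent.
    observed = 0o2750
    predicted = predicted_directory_mode(force_directory_mode=0o770,
                                         parent_mode=0o2770)
    print(f"observed {mode_string(observed)} vs predicted "
          f"{mode_string(predicted)}: {explain(observed, predicted)}")
```

Two things the model makes visible. First, `force directory mode` only ORs bits in, so with the default 0755 mask it yields 0775 (plus setgid), not exactly 0770; to land on 0770 the share also needs `directory mask = 0770`. Second, a directory that ends up with fewer group bits than the rule predicts did not get them removed by these parameters at all: smb.conf(5) notes that the mask and force parameters do not govern permissions set afterwards through a security descriptor from a Windows ACL editor, so comparing `stat` output on the server right after creation against `testparm -s` for the share's effective parameters is the quickest way to tell a parsing problem from a post-creation change.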