[Samba] Antwort: Antwort: Re: Antwort: Re: permissions of new files and directories
jan-philipp.snizek at business.uzh.ch
Wed Sep 28 12:19:30 UTC 2016
> > > > >
> > > > > Hello
> > > > >
> > > > > I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both
> > > > > Windows DCs are Win 2012 R2 in 2008 R2 mode.
> > > > >
> > > > > This is the smb.conf:
> > > > >
> > > > > [global]
> > > > > workgroup = MYDOM
> > > > > server string = Fileserver
> > > > > netbios name = myhostname
> > > > > winbind separator = +
> > > > > security = ADS
> > > > > admin users = %D+administrator, %D+backupmaster
> > > > > realm = MYDOM.WHEREVER
> > > > > kerberos method = secrets and keytab
> > > > > winbind enum users = yes
> > > > > winbind enum groups = yes
> > > > > winbind nss info = template
> > > > > winbind use default domain = no
> > > > > winbind refresh tickets = true
> > > > > winbind nested groups = yes
> > > > > idmap config *:backend = rid
> > > > > idmap config *:range = 100000-100000000
> > > > > idmap config *:base_rid = 0
> > > > > template shell = /usr/bin/nologin
> > > > > template homedir = /home/%D/users/%U
> > > > > obey pam restrictions = yes
> > > > > allow trusted domains = no
> > > > > client use spnego = yes
> > > > > client signing = auto
> > > > > preferred master = no
> > > > > load printers = no
> > > > > unix charset = UTF8
> > > > > log file = /var/log/samba/log.%m
> > > > > log level = 3
> > > > > max log size = 50000
> > > > > server max protocol = SMB3
> > > > > map untrusted to domain = yes
> > > > > log writeable files on exit = yes
> > > > >
> > > > > This is one of the many team share configs. They are all like
> > > > > this.
> > > > >
> > > > > [Team_XXX]
> > > > > comment = Team XXX
> > > > > path = "/home/teams1/team_xxx"
> > > > > browseable = yes
> > > > > write list = "@%D+team xxx"
> > > > > admin users = @%D+domänen-admins
> > > > > valid users = @%D+domänen-admins, "@%D+team xxx"
> > > > > public = no
> > > > > force group = "%D+team xxx"
> > > > > directory mask = 0770
> > > > > create mask = 0660
> > > > >
> > > > > When I, as a member of %D+team xxx, create a new directory in this
> > > > > share, the permissions of the new directory become 750 instead of
> > > > > 770. Newly created files do get 660.
> > > > > I have tried force directory mode = 0770 to no effect. I've also
> > > > > tried inherit permissions = yes. Newly created files then get 660
> > > > > and directories get 750 instead of 770.
> > > > >
> > > > > Thanks for helping out.
> > > > >
> > > > > Best regards,
> > > > > Philipp
> > > > >
> > > >
> > > > Can I suggest you change your smb.conf to this:
> > > >
> > > > [global]
> > > > netbios name = myhostname
> > > > security = ADS
> > > > workgroup = MYDOM
> > > > realm = MYDOM.WHEREVER
> > > > server string = Fileserver
> > > >
> > > > log file = /var/log/samba/log.%m
> > > > log level = 3
> > > > max log size = 50000
> > > >
> > > > winbind separator = +
> > > > kerberos method = secrets and keytab
> > > > winbind enum users = yes
> > > > winbind enum groups = yes
> > > > winbind refresh tickets = true
> > > >
> > > > idmap config *:backend = tdb
> > > > idmap config *:range = 2000-9999
> > > >
> > > > idmap config MYDOM:backend = rid
> > > > idmap config MYDOM:range = 100000-100000000
> > > >
> > > > template shell = /usr/bin/nologin
> > > > template homedir = /home/%D/users/%U
> > > > obey pam restrictions = yes
> > > > allow trusted domains = no
> > > > preferred master = no
> > > > load printers = no
> > > > map untrusted to domain = yes
> > > > log writeable files on exit = yes
> > > >
> > > > [Team_XXX]
> > > > comment = Team XXX
> > > > path = /home/teams1/team_xxx
> > > > browseable = yes
> > > > read only = no
> > > >
> > > >
> > > > Then read and follow this:
> > > >
> > > > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> > >
> > > I've tried to run with POSIX ACLs to set permissions/ownerships on the
> > > share directory only, "/home/teams1/team_xxx" in this example. This
> > > directory would get 0770 and with inherit permissions or directory
> > > mask = and create mask = my hopes were to achieve the correct
> > > permissions. Would that work with your suggestions? Following the
> > > link you've sent me I have the impression that I am leaving my
> > > concept. I don't want anyone to use Windows' Security tab, not even
> > > us admins.
> > >
> > > Thank you
> > > Philipp
> > >
> > >
> >
> > If you must use posix ACLs, see here:
> >
> > https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs
> >
>
> Yes, this is what I want.
> The global section I configured according to your suggestions, thank you
> for spotting all those needless default settings.
>
> My "testing" share now looks like this:
>
> [team_informatik]
> comment = Team Informatik
> path = /home/teams/team_informatik
> browseable = no
> valid users = +%D+"team informatik"
> public = no
>
> chmod 2770 /home/teams/team_informatik
> smbcontrol all reload-config
>
> When I create a new folder in this share from my Win 10 (1511) client, the
> new folder's permissions are rwxr-s---.
>
> After adding force directory mode = 0770 to this section and reloading the
> config, a newly created folder still gets rwxr-s--- permissions. Members of
> the same group cannot delete this folder.
> If I understand the bitwise OR-ing correctly this parameter should
> definitely override the permissions to 0770.
>
> What am I missing?
>
After some playing around with POSIX ACLs and trying to follow the Samba
POSIX ACL wiki to the letter, I found I cannot get this to work properly and
thus gave Windows ACLs a shot. This worked just fine from the start.
In order to eventually run just one ACL concept I will have to change all
user homes and other shares from POSIX ACLs to Windows ACLs. I have not
worked with getfacl/setfacl before.
I wonder, is there something specific or special I have to consider?
Can I, e.g. for the duration of the migration, run a mixed style, meaning some
shares remain POSIX ACLs and some become Windows ACLs, just to see how things
behave?
Thanks,
Philipp