[Samba] Antwort: Antwort: Re: Antwort: Re: permissions of new files and directories

jan-philipp.snizek at business.uzh.ch jan-philipp.snizek at business.uzh.ch
Wed Sep 28 12:19:30 UTC 2016


> > > > >
> > > > > Hello
> > > > >
> > > > > I'm running  Samba 4.3.9 on Ubuntu 14 as domain member. Both
> > > > > Windows DCs are Win 2012 R2 in 2008 R2 mode.
> > > > >
> > > > > This is the smb.conf:
> > > > >
> > > > > [global]
> > > > >     workgroup = MYDOM
> > > > >     server string = Fileserver
> > > > >     netbios name = myhostname
> > > > >     winbind separator = +
> > > > >     security = ADS
> > > > >     admin users = %D+administrator, %D+backupmaster
> > > > >     realm = MYDOM.WHEREVER
> > > > >     kerberos method = secrets and keytab
> > > > >     winbind enum users = yes
> > > > >     winbind enum groups = yes
> > > > >     winbind nss info = template
> > > > >     winbind use default domain = no
> > > > >     winbind refresh tickets = true
> > > > >     winbind nested groups = yes
> > > > >     idmap config *:backend = rid
> > > > >     idmap config *:range = 100000-100000000
> > > > >     idmap config *:base_rid = 0
> > > > >     template shell = /usr/bin/nologin
> > > > >     template homedir = /home/%D/users/%U
> > > > >     obey pam restrictions = yes
> > > > >     allow trusted domains = no
> > > > >     client use spnego = yes
> > > > >     client signing = auto
> > > > >     preferred master = no
> > > > >     load printers = no
> > > > >     unix charset = UTF8
> > > > >     log file = /var/log/samba/log.%m
> > > > >     log level = 3
> > > > >     max log size = 50000
> > > > >     server max protocol = SMB3
> > > > >     map untrusted to domain = yes
> > > > >     log writeable files on exit = yes
> > > > >
> > > > > This is one of the many team share configs. They are all like
> > > > > this.
> > > > >
> > > > > [Team_XXX]
> > > > >     comment = Team XXX
> > > > >     path = "/home/teams1/team_xxx"
> > > > >     browseable = yes
> > > > >     write list = "@%D+team xxx"
> > > > >     admin users = @%D+domänen-admins
> > > > >     valid users = @%D+domänen-admins, "@%D+team xxx"
> > > > >     public = no
> > > > >     force group = "%D+team xxx"
> > > > >     directory mask = 0770
> > > > >     create mask = 0660
> > > > >
> > > > > When I as member of %D+team xxx create a new directory in this
> > > > > share, the permissions of the new directory become 750 instead of
> > > > > 770. New created files do get 660.
> > > > > I have tried force directory mode = 0770 to no effect. I've also
> > > > > tried inherit permissions = yes. New created files then get 660
> > > > > and directories get 750 instead of 770.
> > > > >
> > > > > Thanks for helping out.
> > > > >
> > > > > Best regards,
> > > > > Philipp
> > > > >
> > > >
> > > > Can I suggest you change your smb.conf to this:
> > > >
> > > > [global]
> > > >     netbios name = myhostname
> > > >     security = ADS
> > > >     workgroup = MYDOM
> > > >     realm = MYDOM.WHEREVER
> > > >     server string = Fileserver
> > > >
> > > >     log file = /var/log/samba/log.%m
> > > >     log level = 3
> > > >     max log size = 50000
> > > >
> > > >     winbind separator = +
> > > >     kerberos method = secrets and keytab
> > > >     winbind enum users = yes
> > > >     winbind enum groups = yes
> > > >     winbind refresh tickets = true
> > > >
> > > >     idmap config *:backend = tdb
> > > >     idmap config *:range = 2000-9999
> > > >
> > > >     idmap config MYDOM:backend = rid
> > > >     idmap config MYDOM:range = 100000-100000000
> > > >
> > > >     template shell = /usr/bin/nologin
> > > >     template homedir = /home/%D/users/%U
> > > >     obey pam restrictions = yes
> > > >     allow trusted domains = no
> > > >     preferred master = no
> > > >     load printers = no
> > > >     map untrusted to domain = yes
> > > >     log writeable files on exit = yes
> > > >
> > > > [Team_XXX]
> > > >     comment = Team XXX
> > > >     path = /home/teams1/team_xxx
> > > >     browseable = yes
> > > >     read only = no
> > > >
> > > >
> > > > Then read and follow this:
> > > >
> > > > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> > >
> > > I've tried to run with POSIX ACLs to set permissions/ownerships on
the
> > > share directory only, "/home/teams1/team_xxx" in this example. This
> > > directory would get 0770 and with inherit permissions or directory
> > > mask = and create mask = my hopes were to achieve the correct
> > > permissions. Would that work with your suggestions? Following the
> > > link you've sent me I have the impression that I am leaving my
> > > concept. I don't want anyone to use Windows' Security tab, not even
> > > us admins.
> > >
> > > Thank you
> > > Philipp
> > >
> > >
> >
> > If you must use posix ACLs, see here:
> >
> > https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs
> >
>
> Yes, this is what I want.
> The global section I configured according to your suggestions, thank you
> for spotting all those needless default settings.
>
> My "testing" share now looks like this:
>
> [team_informatik]
>     comment = Team Informatik
>     path = /home/teams/team_informatik
>     browseable = no
>     valid users = +%D+"team informatik"
>     public = no
>
> chmod 2770 /home/teams/team_informatik
> smbcontrol all reload-config
>
> When I on my Win 10, 1511, client create a new folder in this share the
new
> folder's permissions are rwxr-s---.
>
> After adding force directory mode = 0770 to this section and reloading
the
> config a newly created folder still gets rwxr-s--- permissions. Members
of
> the same group cannot delete this folder.
> If I understand the bitwise OR-ing correctly this parameter should
> definitely override the permissions to 0770.
>
> What am I missing?
>

After some playing around with Posix ACLs and trying to follow the Samba
POSIX ACL wiki to the letter I found I cannot get this to work properly and
thus gave Windows ACLs a shot. This worked just fine from the start.
In order to eventually run just one ACL concpet I will have to change all
user homes and other shares from posix ACLs to Windows ACLs. I have not
worked before with getfacl/setfacl.
I wonder, is there something specific or special I have to consider?
Can I i.e. for the time of migration run a mixed style meaning some shares
remain posix acls and some become new windows acls just to see how things
behave?

Thanks,
Philipp







More information about the samba mailing list