[Samba] Retaining Permissions on a share

Rowland Penny rpenny at samba.org
Tue Jun 13 09:19:20 UTC 2017


On Tue, 13 Jun 2017 09:15:40 +0200
Neil via samba <samba at lists.samba.org> wrote:

> Hi guys,
> 
> I have sernet-samba-ad-4.1.21-11.el6.x86_64 and I keep getting an
> issue whereby I reset the folder permissions to default by doing...
> 
> setfacl -R -k --remove-all HR
> setfacl -d -R --remove-all HR
> chown -R root:root HR
> chmod -R 777 HR
> 
> Then via my AD MMC Computer management, connect to server, then
> sharing,  I have user A and B part of a group called HR-Users, and I
> have the group HR-Users with full access on the folder called HR...
> 
> This initially works well, but slowly but surely I start seeing users
> start owning the files in the folder they save, and folders that user
> A creates, user B can't access etc, because when I look at the folder
> permissions it's owned by the user A etc.
> 
> This is my config...
> 
> 
> [global]
>         workgroup = blabla
>         realm = blabla.local
>         netbios name = HEADOFFICE
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 160.128.20.4
>         ntp signd socket directory = /var/lib/samba/ntp_signd
>         interfaces = 160.128.20.8, 127.0.0.1
>         bind interfaces only = Yes
>         acl allow execute always = True
>         log level = 3
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         debug timestamp = yes
>         winbind use default domain = yes
>         template homedir = /home/%ACCOUNTNAME%
>         template shell = /bin/false
>         veto files = /copy.exe/host.exe/*.locky/*.lnk/*.ink/*.exe/*.scr/New Folder.exe/
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         store dos attributes = Yes
> 
> [HR]
>         path = /var/lib/samba/data/data/HR
>         read only = No
>         inherit acls = no
>         inherit owner = no
>         inherit permissions = no
>         acl group control = yes
> 
> Sorry if this has been covered before but I can't seem to find a way
> how to prevent user A or B etc owning and preventing each other
> accessing the files in the same HR share.
> 
> Any assistance is appreciated.
> 
> Thank you.

OK, this is a DC and therefore you will have to do things differently from
a Unix domain member.

You might as well remove these lines from [global]

    winbind use default domain = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

The first doesn't work on a DC and the others are built into the
'samba' daemon and so could be causing problems.

You should also make the [HR] share look like this:

[HR]
        path = /var/lib/samba/data/data/HR
        read only = No

Now go and read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You must use Windows ACLs on a DC.

Rowland
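The reply above boils down to a short checklist for an smb.conf on a DC: drop the four [global] lines that are ineffective or already built in, and strip the [HR] share back to `path` and `read only` so that permissions are managed with Windows ACLs. The script below is an added example, not part of this thread and not Samba's own code: a small smb.conf parser plus an audit routine that applies that checklist. It generalises slightly beyond the thread by applying the share rule to every non-[global] section, so it will also flag extra parameters on other shares. The `SAMPLE_SMB_CONF` text is constructed from the configuration Neil posted; the parameter sets `DC_GLOBAL_REMOVE` and `DC_SHARE_KEEP` are my own names for the two lists in the reply.

```python
"""Audit an smb.conf for the DC-specific advice given in the thread.

Added example (not from the thread or from Samba). It flags the [global]
parameters the reply says to remove on a DC and any share parameter other
than 'path' and 'read only', so the share is left to Windows ACLs.
"""
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the configuration posted in the thread,
# with the settings the reply advises removing still present.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = blabla
        realm = blabla.local
        server role = active directory domain controller
        winbind use default domain = yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

[HR]
        path = /var/lib/samba/data/data/HR
        read only = No
        inherit acls = no
        inherit owner = no
        inherit permissions = no
        acl group control = yes
"""

# [global] parameters that either do nothing on a DC ('winbind use default
# domain') or duplicate behaviour built into the 'samba' daemon (the rest).
DC_GLOBAL_REMOVE = {
    "winbind use default domain",
    "vfs objects",
    "map acl inherit",
    "store dos attributes",
}

# The only share parameters the reply keeps; everything else is handled by
# Windows ACLs set from the Computer Management MMC.
DC_SHARE_KEEP = {"path", "read only"}

Finding = Tuple[str, str, str]  # (section, parameter, advice)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.

    Section and parameter names are lower-cased so comparisons are
    case-insensitive, as Samba itself treats them. Blank lines and
    '#'/';' comments are skipped; lines outside any section are ignored.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_dc(sections: Dict[str, Dict[str, str]]) -> bool:
    """True when 'server role' marks this host as an AD DC."""
    role = sections.get("global", {}).get("server role", "").lower()
    return role in ("active directory domain controller", "dc")


def audit(text: str) -> List[Finding]:
    """Return the parameters a DC's smb.conf should drop per the reply."""
    sections = parse_smb_conf(text)
    findings: List[Finding] = []
    if not is_dc(sections):
        return findings  # the advice is specific to a DC
    for key in sorted(sections.get("global", {})):
        if key in DC_GLOBAL_REMOVE:
            findings.append(("global", key, "remove: ineffective or built in on a DC"))
    for name, params in sections.items():
        if name == "global":
            continue
        for key in sorted(params):
            if key not in DC_SHARE_KEEP:
                findings.append((name, key, "remove: manage this share with Windows ACLs"))
    return findings


if __name__ == "__main__":
    for section, key, advice in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {key}: {advice}")
```

Run it against a real file with `audit(open("/etc/samba/smb.conf").read())`; on a configuration that already matches the reply's recommendation it returns an empty list.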
