[Samba] File/dir user permissions on Samba fileserver in DC

it at mdsdnr.ru
Fri Mar 10 13:23:18 UTC 2017

Hi, all

I'm using Samba-4.3.5 as an AD member fileserver. It runs in an OpenVZ 
container (Proxmox VE). The domain is also built on Samba-4.3.5 (another 
VM). The fileserver VM's filesystem is mounted with the acl and user_xattr 
options, and Samba is compiled with ACL support.

There are domain users, for example "usr1" and "usr2". They are in the 
domain group "dg1".

There is a file path "/somepath/dir". Access to this directory is granted 
according to domain group membership. "usr1" can access "dir", and other 
users from "dg1" can also access "dir" and create files or directories in 
it. But none of the "dg1" users (except "usr2" and root, of course) can 
delete any files in this folder. Windows clients say "You must have 
permission from usr2 to delete this file/directory". This is wrong.

It is as if the sticky bit were set, but it is not set on the file objects.

When file objects are created, Samba sets the following permissions:
:~# ls -l /somepath/dir

drwxrwx---  2 usr2  24 4096 mar 10 11:32 /somepath/dir
As we can see there, no SGID bit is set on the folders (nor on the parent 
folder). The owner of all file objects is "usr2".
:~# getfacl /somepath/dir
# file: dir
# owner: usr2
# group: dg1

lsattr /somepath/dir also shows that no attributes are set.

Even if a file object has 0777 permissions, this doesn't help at all...


workgroup = WG
security = ADS
realm = WG.LOCAL

netbios name = FSRV
server role = auto
encrypt passwords = yes
auth methods = winbind

log level = 0 vfs:1

idmap config * : backend = rid
idmap config * : range = 300000-400000
idmap config * : base_rid = 0
idmap config * :schema_mode = rfc2307
idmap_ldb:use rfc2307 = yes

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

max log size = 1000

syslog = 1

passdb backend = tdbsam
obey pam restrictions = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
unix password sync = yes

load printers = no
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null

os level = 1
case sensitive = no
hide unreadable = yes
#hide unwriteable files = yes
log writeable files on exit = yes

deadtime = 600
ea support = yes

#======================= Share Definitions =======================
     comment = File share
     browseable = yes
     path = /somepath
     guest ok = no
     read only = no
     delete readonly = yes
     strict sync = yes
     sync always = yes

     inherit permissions = Yes
     inherit acls = Yes
     inherit owner = Yes
     map acl inherit = yes
     nt acl support = yes

     map system = yes
     veto files = /.snap/quota*/*.vmx/autorun.inf/

     valid users = +WG\all WG\admin
     admin users = +WG\it  WG\admin

     hide unreadable = yes
     vfs objects= acl_xattr

     access based share enum = yes
     map acl inherit = yes
     acl check permissions = yes
     map system = yes

What am I doing wrong?

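As an added diagnostic helper (not from the original post or the Samba project), the POSIX sh function below reports the three directory-level facts the post checks by hand, the sticky bit, the setgid bit and the group's write+execute bits on the parent directory, plus how many distinct owners the entries have, which is the pattern "inherit owner = yes" produces. It assumes only ls, awk and cut; the directory path is a hypothetical parameter.

```shell
#!/bin/sh
# posix_delete_check DIR
# Under POSIX rules, deleting an entry needs write+execute on the PARENT
# directory, and a sticky bit on the parent restricts deletion to the
# entry's owner. Returns 0 when members of DIR's group could delete entries
# by POSIX rules, 1 otherwise. If it returns 0 and deletion still fails
# over SMB, the NT ACL stored by acl_xattr is the next thing to inspect.
posix_delete_check() {
    dir=$1
    set -- $(ls -ld "$dir")                # fields: mode links owner group ...
    mode=$1; owner=$3; group=$4
    gw=$(printf '%s\n' "$mode" | cut -c6)  # group write bit
    gx=$(printf '%s\n' "$mode" | cut -c7)  # group exec bit: x, or s when setgid
    st=$(printf '%s\n' "$mode" | cut -c10) # sticky bit: t or T
    rc=0
    echo "dir=$dir owner=$owner group=$group mode=$mode"
    case "$gx" in
        s|S) echo "setgid: set (new entries inherit group $group)" ;;
        *)   echo "setgid: not set" ;;
    esac
    case "$st" in
        t|T) echo "sticky: set -> only an entry's owner (or root) may delete it"
             rc=1 ;;
        *)   echo "sticky: not set" ;;
    esac
    if [ "$gw" = w ] && { [ "$gx" = x ] || [ "$gx" = s ]; }; then
        echo "group $group: write+execute on directory (POSIX allows delete)"
    else
        echo "group $group: missing write or execute (POSIX forbids delete)"
        rc=1
    fi
    # One owner for every entry is what 'inherit owner = yes' produces.
    owners=$(ls -l "$dir" | awk 'NR>1 {print $3}' | sort -u | wc -l | tr -d ' ')
    echo "distinct owners among entries: $owners"
    return $rc
}
```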