[Samba] File/dir user permissions on Samba fileserver in DC
it at mdsdnr.ru
Fri Mar 10 13:23:18 UTC 2017
Hi, all
Using Samba 4.3.5 as an AD-member fileserver. It's running in an OpenVZ
container (Proxmox VE). The domain is also built on Samba 4.3.5 (another
VM). The fileserver's VM is mounted with the acl and user_xattr options, and Samba is
compiled with ACL support.
There are domain users, for example "usr1" and "usr2". They are in the domain
group "dg1".
There's a file path "/somepath/dir". Access to this directory is granted
according to domain group membership. "usr1" can access "dir"; other
users from "dg1" can also access "dir" and create files or directories in
it. But none of the "dg1" users (except "usr2" and root, of course) can delete
any files in this folder. Windows clients say "You must have
permissions from usr2 to delete this file/directory". This is wrong.
It is as if the sticky bit were set, but it is not set on the file objects.
When file objects are created, Samba sets the following permissions:
===
:~# ls -l /somepath/dir
drwxrwx--- 2 usr2 24 4096 mar 10 11:32 /somepath/dir
===
As we can see there, no SGID bit is set on the folders (nor on the parent
folder). The owner of all file objects is "usr2".
===
:~# getfacl /somepath/dir
# file: dir
# owner: usr2
# group: dg1
user::rwx
group::rwx
other::---
===
lsattr /somepath/dir also shows that no attribute bits are set.
Even if the file object has 0777 permissions, this doesn't help at all...
smb.conf:
===
[global]
workgroup = WG
security = ADS
realm = WG.LOCAL
netbios name = FSRV
server role = auto
encrypt passwords = yes
auth methods = winbind
log level = 0 vfs:1
idmap config * : backend = rid
idmap config * : range = 300000-400000
idmap config * : base_rid = 0
idmap config * :schema_mode = rfc2307
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
max log size = 1000
syslog = 1
passdb backend = tdbsam
obey pam restrictions = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
unix password sync = yes
load printers = no
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null
os level = 1
case sensitive = no
hide unreadable = yes
#hide unwriteable files = yes
log writeable files on exit = yes
deadtime = 600
ea support = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY..
#======================= Share Definitions =======================
[q]
comment = File share
browseable = yes
path = /somepath
guest ok = no
read only = no
delete readonly = yes
strict sync = yes
sync always = yes
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
map acl inherit = yes
nt acl support = yes
map system = yes
veto files = /.snap/quota*/*.vmx/autorun.inf/
valid users = +WG\all WG\admin
admin users = +WG\it WG\admin
hide unreadable = yes
vfs objects= acl_xattr
access based share enum = yes
map acl inherit = yes
acl check permissions = yes
map system = yes
===
What am I doing wrong?
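As an added example (not from the original post or from the Samba project), the shell functions below pull the ownership- and inheritance-related parameters out of an smb.conf share section, and print the POSIX mode and ACL of a path beside the NT ACL that the acl_xattr module stores in the security.NTACL extended attribute, which is the ACL Samba evaluates for Windows clients rather than the mode bits alone. The sample smb.conf it writes is constructed to resemble the share above; getfacl, getfattr and samba-tool are assumed to be installed on the fileserver and are skipped if they are not.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads an smb.conf section
# for the parameters that decide who owns new files and who may delete them,
# and shows the POSIX view of a path next to the NT ACL kept by acl_xattr.

# smbconf_get FILE SECTION PARAM: print PARAM's value in [SECTION].
# Last occurrence wins (as in Samba), parameter names compare
# case-insensitively, whitespace around '=' is ignored, '#'/';' are comments.
smbconf_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ {
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec); next
    }
    sec == want_sec && index($0, "=") {
      key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (tolower(key) == tolower(want_key)) last = val
    }
    END { print last }' "$1"
}

# audit_share FILE SECTION: list the parameters that govern ownership and
# ACL inheritance for new objects, so the share can be checked against intent.
audit_share() {
  for p in "vfs objects" "inherit owner" "inherit permissions" "inherit acls" \
           "map acl inherit" "acl check permissions" "delete readonly"; do
    v=$(smbconf_get "$1" "$2" "$p")
    printf '%-22s = %s\n' "$p" "${v:-<unset>}"
  done
}

# acl_views PATH: POSIX owner/mode and POSIX ACL, then the NT ACL that
# acl_xattr stores in security.NTACL (samba-tool decodes it; getfattr shows
# the raw attribute). Tools that are not installed are skipped.
acl_views() {
  ls -ld "$1"
  command -v getfacl >/dev/null 2>&1 && getfacl -p "$1"
  command -v samba-tool >/dev/null 2>&1 && samba-tool ntacl get "$1" --as-sddl
  command -v getfattr >/dev/null 2>&1 && getfattr -e hex -n security.NTACL "$1"
  return 0
}

# write_sample_conf FILE: constructed sample resembling the share in the
# post; not the poster's real smb.conf.
write_sample_conf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = WG
   vfs objects = acl_xattr
   map acl inherit = yes

[q]
   path = /somepath
   # new files take the parent directory's owner, not the creating user
   inherit owner = Yes
   inherit acls = Yes
   vfs objects= acl_xattr
EOF
}

# Demo run on the constructed sample. On a real server add: acl_views /somepath/dir
conf=$(mktemp)
write_sample_conf "$conf"
audit_share "$conf" q
rm -f "$conf"
```

Reading the audit output next to the `ls -l` listing in the post is the useful comparison: Samba documents `inherit owner = yes` as giving every new file and directory the owner of its parent directory instead of the creating user, which is consistent with every object under "/somepath/dir" being owned by usr2, and with acl_xattr the permissions a Windows client is checked against come from the stored NT ACL that `samba-tool ntacl get` prints, not from the POSIX mode bits that `ls` and `getfacl` show.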