[Samba] Samba 4.6.2 does not inherit setgid bit (anymore)

Lorenzo Delana lorenzo.delana at gmail.com
Fri Feb 2 17:04:05 UTC 2018


Thanks for the suggestion. In other words, you use only ACLs for users, 
denying all for groups. Unfortunately we had many groups such as domain 
users, secretary, finance, etc. belonging to users, for which we need to 
apply at least 770 in order to gain simplified permission management 
using groups.

The actual dirty workaround I applied was to track new files/dirs by 
tailing with follow (tail -f) an smbd_audit.log filtered through 
rsyslog for messages generated by Samba full_audit configured to listen 
for the "create_file" event; the problem here is that sometimes Samba 
full_audit reports the event of a file or folder being created but the 
element isn't on the disk yet, so as a security checkpoint I ended up 
applying a chgrp -R root nightly on a daily basis.

All of these problems could easily be resolved if there existed an 
option such as a hypothetical "force item group" that allowed me to force 
the group for created items (note that the current "force group" 
option does not work for me because it applies as an impersonation of a 
group for the authenticated user, generating more security problems).


Lorenzo Delana
On 02/02/2018 17:15, Dale Renton wrote:
>
>     Have you found a solution that makes "force directory mode = 2770"
>     apply to newly created folders?
>
>
> We have noticed the same thing in CentOS 7. The setgid no longer works 
> like it did before, so now we create our shares like this, following 
> the instructions from the wiki.
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>
>
> # chmod 700 /u01/test
> # chown root:root /u01/test
> # setfacl -m group::--- /u01/test
> # setfacl -m default:group::--- /u01/test
> # setfacl -m other::--- /u01/test
> # setfacl -m default:other::--- /u01/test
> # setfacl -m group:unixadmins:rwx /u01/test
> # setfacl -m default:group:unixadmins:rwx /u01/test
>
>
> smb.conf
>
>  [test]
>   comment = test
>   path = /u01/test
>   read only = No
>   inherit acls = yes
>
>
> Dale
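As an added example (not code from the thread or from the Samba project), a small Python checker that parses getfacl(1) output and verifies a share root matches the layout Dale's setfacl commands produce: the POSIX group and other classes denied in both the access and the default ACL, and only the named admin group granted rwx, so items created through a share with `inherit acls = yes` keep it. The sample listing is constructed; the path /u01/test and the group unixadmins are taken from the thread.

```python
# Constructed sample of `getfacl /u01/test` after the setfacl commands in
# the thread; not captured from a real system.
SAMPLE_OK = """\
# file: u01/test
# owner: root
# group: root
user::rwx
group::---
group:unixadmins:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:unixadmins:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Map (scope, tag, qualifier) -> perms from getfacl(1) output;
    scope is 'access' or 'default', e.g. ('default', 'group', 'unixadmins')."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        scope = 'access'
        if line.startswith('default:'):
            scope, line = 'default', line[len('default:'):]
        tag, qualifier, perms = line.split(':', 2)
        # getfacl appends "#effective:..." after masked entries; drop it.
        acl[(scope, tag, qualifier)] = perms.split()[0]
    return acl

def share_acl_problems(text, admin_group):
    """Return deviations from the locked-down layout; empty list means OK."""
    acl = parse_getfacl(text)
    problems = []
    for scope in ('access', 'default'):
        # Group and other classes must carry no rights in both the access and
        # the default ACL, or the creating user's primary group gets access.
        for tag in ('group', 'other'):
            perms = acl.get((scope, tag, ''))
            if perms != '---':
                problems.append(f'{scope} {tag}:: is {perms!r}, expected ---')
        if acl.get((scope, 'group', admin_group)) != 'rwx':
            problems.append(f'{scope} group:{admin_group} is not rwx')
        if acl.get((scope, 'mask', ''), 'rwx') != 'rwx':  # mask would clip it
            problems.append(f'{scope} mask clips named entries')
    return problems
```

Run it against real output with `share_acl_problems(subprocess.check_output(['getfacl', '/u01/test'], text=True), 'unixadmins')`; a non-empty list means the share root has drifted from the wiki layout.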