[Samba] Samba 4.6.2 does not inherit setgid bit (anymore)

Vincent maillist at iveze.nl
Mon Feb 5 16:47:10 UTC 2018


Hi Lorenzo and Dale,

My setup is, like Lorenzo's, completely based on setgid being propagated. 
The filesystem should determine the group used starting at a certain 
directory. Different "root" directories have different groups, and 
security is based on groups, not users.

I tried all sorts of settings combinations, also "force directory mode 
= 2770", but none propagates setgid.

The odd thing is that it has worked fine for years on versions below 
4.2.10. Only after updating to 4.6.2 did it completely stop working. I 
wonder if it is a new feature to neglect setgid completely, or that it 
is a bug and that I may expect it working again in future versions.

Kind regards, Vincent


On 02/02/2018 18:04, Lorenzo Delana via samba wrote:
> thanks for the suggestion, in other words you use only ACLs for users 
> denying all for groups, unfortunately we had many groups such as domain 
> users, secretary, finance, etc belonging to users for which we need to 
> apply at least 770 in order to gain a simplified permission management 
> using groups
>
> the actual dirty workaround I applied was to track new files/dirs by 
> tailing with follow ( tail -f ) a smbd_audit.log filtered through 
> rsyslog for messages generated by samba full_audit configured to 
> listen for the "create_file" event; the problem here is that sometimes samba 
> full_audit reports the event of a file or folder created but the element 
> isn't on the disk yet, so as a security checkpoint I ended up applying a 
> chgrp -R root nightly on a daily basis.
>
> all of these problems could easily be resolved if there existed an 
> option such as a hypothetical "force item group" that allows me to 
> force the group for created items ( note that the current "force 
> group" option does not work for me because it applies as an impersonation of 
> a group for the authenticated user, generating more security problems ).
>
>
> Lorenzo Delana
>
> On 02/02/2018 17:15, Dale Renton wrote:
>>
>>     have you found a solution that makes "force directory mode = 2770"
>>     able to apply to new created folders ?
>>
>>
>> We have noticed the same thing in CentOS 7. The setgid no longer 
>> works like it did before, so now we create our shares like this 
>> following the instructions from the wiki.
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>>
>>
>> # chmod 700 /u01/test
>> # chown root:root /u01/test
>> # setfacl -m group::--- /u01/test
>> # setfacl -m default:group::--- /u01/test
>> # setfacl -m other::--- /u01/test
>> # setfacl -m default:other::--- /u01/test
>> # setfacl -m group:unixadmins:rwx /u01/test
>> # setfacl -m default:group:unixadmins:rwx /u01/test
>>
>>
>> smb.conf
>>
>>  [test]
>>   comment = test
>>   path = /u01/test
>>   read only = No
>>   inherit acls = yes
>>
>>
>> Dale
>
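
An added example, not part of the thread or of Samba: a shell audit for a share tree that depends on setgid group inheritance, as described above. It reports directories that lost the bit and entries whose group differs from the share root, and offers a repair step along the lines of the nightly chgrp mentioned in the quoted message. It assumes GNU `stat` and `find`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a share tree that relies on
# setgid group inheritance and optionally repairs it.
# Assumption: GNU stat and find (Linux); function names are hypothetical.

# audit_setgid ROOT
# Prints one line per finding:
#   NOSGID <dir>   directory without the setgid bit
#   GROUP  <path>  entry whose group differs from ROOT's group
audit_setgid() {
    root=$1
    gid=$(stat -c '%g' "$root") || return 2
    # ROOT itself is included, so a missing bit at the top is reported too.
    find "$root" -type d ! -perm -2000 -exec printf 'NOSGID %s\n' {} +
    # Symlinks are not followed; the link's own group is compared.
    find "$root" ! -gid "$gid" -exec printf 'GROUP  %s\n' {} +
}

# repair_setgid ROOT
# Resets every entry to ROOT's group, then sets setgid on every directory.
# Group first, mode second, so the bit is applied to the final ownership.
repair_setgid() {
    root=$1
    gid=$(stat -c '%g' "$root") || return 2
    find "$root" ! -gid "$gid" -exec chgrp -h "$gid" {} +
    find "$root" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Stand-alone use: ./audit.sh /path/to/share   (audit only, no changes)
if [ "$#" -ge 1 ]; then
    audit_setgid "$1"
fi
```

Running the audit from cron and alerting on any output shows when new directories stop inheriting the group, before a blanket repair hides it.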
