[Samba] Samba not respecting directory acls inside a share

Jeremy Allison jra at samba.org
Tue Nov 20 19:27:51 UTC 2018

On Tue, Nov 20, 2018 at 07:19:40PM +0100, Fabian Fritz via samba wrote:
> Hi,
> we are running Samba 4.9.2 on Solaris 10 connected to AD as a member
> with some share:
> [refb]
> path = /samba/refb
> browseable = no
> valid users = +"AM\refb_users"
> writeable = yes
> force user = AM\qui
> force group = AM\refb_users
> All the samba users and groups come from AD through nss_winbind.
> Inside /samba/refb/ I created a sub directory test_a and set the owner
> (in Solaris via chown) to AM\refba_users. I also set chmod 770. My
> assumption would be that anyone that is a member of group refb_users
> should be able to access the share and those who are also members of
> the group refba_users should be able to read and write to the
> directory test_a.
> But actually when I access the share as a member of refb_users (which
> works) on a Windows Client I am also able to access the directory
> test_a, even though I am not a member of the owner group refba_users.
> I would expect that Samba examines the POSIX owner group and denies
> access to anyone who is not a member of that group.

Anyone who accesses the share is being forced to be

uid = AM\qui
primary gid = AM\refb_users

so all users accessing this share are being seen
as the same user/group. That's what setting "force user"
and "force group" does.
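
An added example, not part of the original message and not Samba code: a small audit script that lists the shares in an smb.conf where "force user" or "force group" makes every session run under one identity. The function names, the [plain] share and the sample text are constructed for illustration, and the parser assumes simple "name = value" lines (no include directives or line continuations).

```python
import re

# Constructed sample: the [refb] share quoted in the message, plus a
# hypothetical [plain] share without forced credentials for contrast.
SAMPLE_SMB_CONF = r"""[refb]
   path = /samba/refb
   browseable = no
   valid users = +"AM\refb_users"
   writeable = yes
   force user = AM\qui
   force group = AM\refb_users

[plain]
   path = /samba/plain
   valid users = +"AM\refb_users"
"""

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_shares(text):
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return shares

def forced_identity_shares(text):
    """Map each share to the forced user/group all of its sessions run as."""
    shares = parse_shares(text)
    defaults = shares.pop("global", {})  # [global] supplies share defaults
    report = {}
    for name, params in shares.items():
        merged = {**defaults, **params}
        user = merged.get("forceuser")
        group = merged.get("forcegroup", merged.get("group"))  # "group" is a synonym
        if user or group:
            report[name] = {"force user": user, "force group": group}
    return report

if __name__ == "__main__":
    print(forced_identity_shares(SAMPLE_SMB_CONF))
```

Any share the script reports is one where POSIX owner, group and mode bits below the share path are checked against the forced identity rather than the connecting client.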
