[Samba] Samba not respecting directory acls inside a share

Rowland Penny rpenny at samba.org
Tue Nov 20 19:32:36 UTC 2018


On Tue, 20 Nov 2018 11:27:51 -0800
Jeremy Allison via samba <samba at lists.samba.org> wrote:

> On Tue, Nov 20, 2018 at 07:19:40PM +0100, Fabian Fritz via samba
> wrote:
> > Hi,
> > 
> > we are running Samba 4.9.2 on Solaris 10 connected to AD as a member
> > with some share:
> > 
> > [refb]
> > path = /samba/refb
> > browseable = no
> > valid users = +"AM\refb_users"
> > writeable = yes
> > force user = AM\qui
> > force group = AM\refb_users
> > 
> > All the samba users and groups come from AD through nss_winbind.
> > 
> > Inside /samba/refb/ I created a sub directory test_a and set the
> > owner (in Solaris via chown) to AM\refba_users. I also set chmod
> > 770. My assumption would be that anyone that is a member of group
> > refb_users should be able to access the share and those who are
> > also members of the group refba_users should be able to read and
> > write to the directory test_a.
> > 
> > But actually when I access the share as a member of refb_users
> > (which works) on a Windows Client I am also able to access the
> > directory test_a, even though I am not a member of the owner group
> > refba_users. I would expect that Samba examines the POSIX owner
> > group and denies access to anyone who is not a member of that group.
> 
> Anyone who access the share is being forced to be
> 
> uid = AM\qui
> primary gid = AM\refb_users
> 
> so all users accessing this share are being seen
> as the same user/group. That's what setting "force user"
> and "force group" does.
> 

You beat me to it Jeremy ;-)
The OP would probably be better of doing two things, use two shares and
use Windows ACL's.

Rowland



More information about the samba mailing list