[Samba] Group Permissions Not Working

Rowland Penny rpenny at samba.org
Tue Apr 30 18:27:34 UTC 2019


On Tue, 30 Apr 2019 17:51:36 +0000
"Banks, David (db2d)" <db2d at virginia.edu> wrote:

> Finally got winbind answering my authentication requests but the
> results are the same.
> 
> [2019/04/30 13:50:31.616465, 3] ../source3/smbd/service.c:120(set_current_service)
>   chdir (/srv/SITES) failed, reason: Permission denied

I was going to suggest you try this smb.conf:

[global]
       security = ADS
       realm = DOMAIN.COM
       workgroup = DOMAIN
       kerberos method = secrets and keytab

       idmap config *:backend = tdb
       idmap config *:range = 1000-50000
       idmap config DOMAIN:backend = ad
       idmap config DOMAIN:range = 100000-500000
       idmap config DOMAIN:schema_mode = rfc2307

       winbind use default domain = yes
       winbind refresh tickets = yes

       template homedir = /home/%U
       template shell = /bin/bash
       client signing = yes
       client ipc min protocol = SMB2

       restrict anonymous = 2
       disable netbios = yes
       smb ports = 445
       unix extensions = no

       interfaces = lo bond0
       bind interfaces only = yes

       vfs objects = shadow_copy2 acl_xattr

       ### Previous Versions
       shadow:snapdir = .zfs/snapshot
       shadow:sort = desc
       shadow:format = %Y-%m-%d_%H:%M:%S_%Z
       shadow:localtime = yes

       ### NT ACLs
       acl_xattr:ignore system acls = yes
       acl_xattr:default acl style = windows

       ### ACLs
       acl group control = yes
       map acl inherit = Yes
       store dos attributes = yes

       ### ABE
       hide unreadable = yes
       access based share enum = true

       server string = %h server (Samba, Ubuntu)
       dns proxy = no

       #### Debugging/Accounting ####
       log level = 3
       log file = /var/log/samba/log.%m
       max log size = 1000
       panic action = /usr/share/samba/panic-action %d

       ####### Authentication #######
       obey pam restrictions = yes
       passwd program = /usr/bin/passwd %u
       passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
       pam password change = yes
       map to guest = bad user

       include = /etc/samba/smb.conf.%i


smb.conf.{SERVICE_IP}
[global]
	interfaces = lo {SERVICE_IP}
	log file = /var/log/samba/log.%i
	max log size = 1000
	keepalive = 60
	deadtime = 10

[ADMIN]
	comment = Administrative Share
	path = /srv/ADMIN_SHARES
	read only = no

[SITES]
	comment = ASchool Website Folders
	path = /srv/SITES
	shadow:basedir = /srv/SITES
	read only = no
	wide links = yes

I was also going to suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

That was until I noticed this:

shadow:snapdir = .zfs/snapshot

Is the filesystem 'ZFS'?

If so, you could try 'nfs4acl_xattr' instead of 'acl_xattr', but it
still might not work correctly.

Rowland
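
An added example, not part of the original message and not Samba code: a small check for the "chdir (/srv/SITES) failed, reason: Permission denied" log line above. It walks each component of the share path and reports the first directory the winbind-mapped user cannot enter. It assumes the user resolves through NSS on the server and evaluates only the classic mode bits, so POSIX ACL entries and ZFS NFSv4 ACLs are not considered; the function names are hypothetical.

```python
import os
import stat
from pathlib import PurePosixPath


def can_search(st, uid, gids):
    """Apply the owner/group/other rule to the directory search (x) bit."""
    if uid == 0:
        return True  # root bypasses directory search checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked(path, uid, gids, stat_fn=os.stat):
    """Return the first component of `path` the user cannot enter, or None."""
    p = PurePosixPath(path)
    gidset = set(gids)
    # Check "/" first, then each ancestor, then the share path itself.
    for comp in list(reversed(p.parents)) + [p]:
        if not can_search(stat_fn(str(comp)), uid, gidset):
            return str(comp)
    return None


if __name__ == "__main__":
    import pwd
    import sys

    user, path = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)  # resolved via winbind through NSS
    gids = os.getgrouplist(user, pw.pw_gid)
    blocked = first_blocked(path, pw.pw_uid, gids)
    print(f"{user}: uid={pw.pw_uid} gids={sorted(gids)}")
    print(f"blocked at {blocked}" if blocked else "mode bits allow chdir")
```

Run it on the file server as root with a domain user name and the share path as arguments. An empty or unexpected group list in the output points at ID mapping rather than at the directory permissions.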
