[Samba] Group Permissions Not Working
Rowland Penny
rpenny at samba.org
Tue Apr 30 18:27:34 UTC 2019
On Tue, 30 Apr 2019 17:51:36 +0000
"Banks, David (db2d)" <db2d at virginia.edu> wrote:
> Finally got winbind answering my authentication requests but the
> results are the same.
>
> [2019/04/30 13:50:31.616465,  3] ../source3/smbd/service.c:120(set_current_service)
>   chdir (/srv/SITES) failed, reason: Permission denied

I was going to suggest you try this smb.conf:

[global]
security = ADS
realm = DOMAIN.COM
workgroup = DOMAIN
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 1000-50000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
winbind use default domain = yes
winbind refresh tickets = yes
template homedir = /home/%U
template shell = /bin/bash
client signing = yes
client ipc min protocol = SMB2
restrict anonymous = 2
disable netbios = yes
smb ports = 445
unix extensions = no
interfaces = lo bond0
bind interfaces only = yes
vfs objects = shadow_copy2 acl_xattr
### Previous Versions
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = %Y-%m-%d_%H:%M:%S_%Z
shadow:localtime = yes
### NT ACLs
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows
### ACLs
acl group control = yes
map acl inherit = Yes
store dos attributes = yes
### ABE
hide unreadable = yes
access based share enum = true
server string = %h server (Samba, Ubuntu)
dns proxy = no
#### Debugging/Accounting ####
log level = 3
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
obey pam restrictions = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
include = /etc/samba/smb.conf.%i

smb.conf.{SERVICE_IP}

[global]
interfaces = lo {SERVICE_IP}
log file = /var/log/samba/log.%i
max log size = 1000
keepalive = 60
deadtime = 10
[ADMIN]
comment = Administrative Share
path = /srv/ADMIN_SHARES
read only = no
[SITES]
comment = ASchool Website Folders
path = /srv/SITES
shadow:basedir = /srv/SITES
read only = no
wide links = yes

I was also going to suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

That was until I noticed this:

shadow:snapdir = .zfs/snapshot

Is the filesystem 'ZFS'?

If so, you could try 'nfs4acl_xattr' instead of 'acl_xattr', but it
still might not work correctly.

Rowland
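
The following is an added example, not part of the message above and not Samba's own code. It is a small Python check for the combination the reply points out: a share whose effective settings use acl_xattr while shadow:snapdir sits under .zfs. The function names and the trimmed sample config are constructed for illustration; include files and line continuations are not followed.

```python
import re

# Constructed sample: a trimmed copy of the settings quoted in the message above.
SAMPLE_CONF = """\
[global]
    vfs objects = shadow_copy2 acl_xattr
    ### Previous Versions
    shadow:snapdir = .zfs/snapshot
    acl_xattr:ignore system acls = yes
[ADMIN]
    path = /srv/ADMIN_SHARES
[SITES]
    path = /srv/SITES
    shadow:basedir = /srv/SITES
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}.

    smb.conf names are case-insensitive and whitespace inside parameter
    names is irrelevant, so keys are lower-cased with whitespace removed.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current["".join(key.lower().split())] = value.strip()
    return sections

def zfs_acl_xattr_shares(text):
    """Shares whose effective settings pair a .zfs snapdir with acl_xattr."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    flagged = []
    for name, params in conf.items():
        if name == "global":
            continue
        eff = {**glob, **params}             # share values override [global]
        modules = eff.get("vfsobjects", "").split()
        snapdir = eff.get("shadow:snapdir", "")
        if "acl_xattr" in modules and ".zfs" in snapdir.split("/"):
            flagged.append(name)
    return flagged
```

On the sample, both shares are flagged because they inherit `vfs objects` and `shadow:snapdir` from `[global]`.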