[Samba] Share with Domain Users Full Control permissions, not accessible by domain user

Rowland Penny rpenny at samba.org
Thu Feb 21 09:14:13 UTC 2019


On Wed, 20 Feb 2019 15:45:07 -0800
Mason Schmitt via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I'm really stumped and would greatly appreciate some help.
> 
> *fileserver*
> 
>    - CentOS 7.6
>    - smbd version 4.8.3 from the samba-4.8.3-4.el7.x86_64 EPEL package
>    - Added as a domain member using the realm command and specifying
> the use of winbind, not sssd
> 
> 
> *# smb.conf file on fileserver*
> 
> [global]
> kerberos method = system keytab
> workgroup = FTLC
> security = ads
> realm = AD.FTLCOMPUTING.COM
> 
> # Logging
> log file = /var/log/samba/%m.log
> log level = 5
> 
> # We're using the RID method of mapping SIDs to UID/GID
> idmap config FTLC : range = 2000000-2999999
> idmap config FTLC : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
> 
> # All linux users, logging in using an AD account
> # will have their shell and home dir set as follows
> template shell = /bin/bash
> template homedir = /home/%U@%D

Nothing to do with your problem, but is the above line a typo?
I would have expected the '@' to be a '/', in which case it is the
default, so you can remove the line.
 
> *# POSIX filesystem details (set using chown and chmod)*
> 
> /srv/samba/users/
> drwxrwx---+ 2 root FTLC\domain admins.
> 
> /srv/samba/shares/Operations/
> drwxrwx---. 2 root FTLC\domain admins
> 

Here we come to what I think is your problem ;-)
If you examine the first set of permissions, they end with a '+', this
means that there are extended ACLs set.
The second set of permissions ends with a dot '.' and is something I
haven't seen before, so a quick google later and I can tell you that
you have SELinux running, does that give you any hints ;-)

See here for more info:
https://superuser.com/questions/230559/what-does-the-dot-mean-at-the-end-of-rw-r-r-how-do-you-set-it-with-chmod

Rowland
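
Added example, not part of the original message: a POSIX shell helper that reads the eleventh character of an `ls -l` mode string, the '+' and '.' markers discussed in the reply above, and names the command to inspect each case. The function names are hypothetical and the two sample lines are built from the mode strings quoted in the thread; note that GNU ls shows '+' whenever an ACL is present, so a '+' entry can carry an SELinux context as well.

```shell
#!/bin/sh
# Added example: classify the trailing marker GNU ls appends to a mode string.

# mode_marker MODE -> prints acl | selinux | none | unknown
mode_marker() {
    m=$1
    # A mode string is 10 characters (file type + 9 permission bits);
    # an optional 11th character flags an alternate access method.
    case ${#m} in
        10) echo none; return 0 ;;
        11) ;;
        *)  echo unknown; return 0 ;;
    esac
    # Strip the first 10 characters, leaving only the marker.
    case ${m#??????????} in
        +) echo acl ;;      # ACL present (an SELinux context may exist too)
        .) echo selinux ;;  # SELinux security context only, no ACL
        *) echo unknown ;;
    esac
}

# explain_line "LS_LINE" -> one-line diagnosis naming the next command to run
explain_line() {
    mode=${1%% *}           # first whitespace-separated field of the ls line
    case $(mode_marker "$mode") in
        acl)
            printf '%s\n' "$mode: extended ACL set; inspect with getfacl, and ls -Zd for any SELinux label" ;;
        selinux)
            printf '%s\n' "$mode: SELinux context only; inspect with ls -Zd and check getenforce" ;;
        none)
            printf '%s\n' "$mode: plain mode bits only" ;;
        *)
            printf '%s\n' "$mode: not a recognised mode string" ;;
    esac
}

# Constructed sample input: the two directory listings quoted in the thread.
explain_line 'drwxrwx---+ 2 root FTLC\domain admins'
explain_line 'drwxrwx---. 2 root FTLC\domain admins'
```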


