[Samba] cannot set filesystem permissions on shares

L.P.H. van Belle belle at bazuin.nl
Wed Jul 3 11:34:06 UTC 2019


Finally, I was waiting for this one.  ;-) 

Now, after all the changes Rowland suggested: 

Run this: getfacl /home/users

Show the output. 

There are 5 things you need to think about. 
1) The folder rights 
2) The share rights 
3) POSIX or Windows ACLs? (Use Windows ACLs, my advice.) 
4) Don't forget the "Primary Group".
5) If you use chmod, you must re-apply the Windows ACL again on share/security (file/folder) level. 


That's why I suggest something like this:

getfacl /home/users/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---

There is more, but I'm called for a meeting ...

So far, 

Greetz, 

Louis
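To make points 4 and 5 of the list above concrete, here is an added example (not code from Louis's message or from the Samba project): a small Python checker that parses getfacl output, undoes getfacl's octal escaping of the AD names, computes the effective rights after the POSIX mask is applied, and simulates what a plain chmod does to a directory that carries an extended ACL. The sample ACL is constructed from the output pasted above; the function names and the audit messages are this example's own.

```python
import re
from copy import deepcopy

# Constructed sample, modelled on the getfacl output posted above. A raw
# string keeps getfacl's escapes (\134 = backslash, \040 = space) literal.
SAMPLE_GETFACL = r"""# file: home/users/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:NT\040AUTHORITY\134system:rwx
group:NT\040AUTHORITY\134authenticated\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:NT\040AUTHORITY\134system:rwx
default:group:NT\040AUTHORITY\134authenticated\040users:r-x
default:mask::rwx
default:other::---
"""

_ESCAPE = re.compile(r"\\([0-7]{3})")

def unescape(s):
    """Undo getfacl's \\ooo octal escaping used for backslashes and spaces."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), s)

def parse_getfacl(text):
    """Parse one getfacl block into header fields plus access/default entries.
    Each entry is a (tag, qualifier, perms) tuple."""
    acl = {"file": None, "owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() in ("file", "owner", "group"):
                acl[key.strip()] = unescape(value.strip())
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        acl[scope].append((parts[0], unescape(":".join(parts[1:-1])), parts[-1]))
    return acl

def _bits(perms):
    return {c for c in perms if c in "rwx"}

def _fmt(bits):
    return "".join(c if c in bits else "-" for c in "rwx")

def _rwx(n):
    return _fmt({c for c, b in (("r", 4), ("w", 2), ("x", 1)) if n & b})

def effective_perms(entries):
    """Effective rights of an access ACL: the owning group, named users and
    named groups are clipped by mask::; user:: (owner) and other:: are not."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = {}
    for tag, qual, perms in entries:
        clipped = tag == "group" or (tag == "user" and qual != "")
        bits = _bits(perms) & _bits(mask) if clipped and mask else _bits(perms)
        out[(tag, qual)] = _fmt(bits)
    return out

def simulate_chmod(acl, mode):
    """Model chmod on a directory with an extended ACL: only user::, mask::
    (or group:: when there is no mask) and other:: are rewritten from the
    mode bits. Named entries keep their text but are now clipped by the
    new mask, and the default ACL is left untouched."""
    new = deepcopy(acl)
    group_target = "mask" if any(t == "mask" for t, _, _ in new["access"]) else "group"
    rewritten = []
    for tag, qual, perms in new["access"]:
        if qual == "" and tag == "user":
            perms = _rwx((mode >> 6) & 7)
        elif qual == "" and tag == group_target:
            perms = _rwx((mode >> 3) & 7)
        elif qual == "" and tag == "other":
            perms = _rwx(mode & 7)
        rewritten.append((tag, qual, perms))
    new["access"] = rewritten
    return new

def audit(acl):
    """Findings a share admin wants before trusting the ACL on a share root."""
    findings = []
    eff = effective_perms(acl["access"])
    for tag, qual, perms in acl["access"]:
        if eff[(tag, qual)] != perms:
            findings.append(f"mask clips {tag}:{qual} from {perms} to {eff[(tag, qual)]}")
    default_keys = {(t, q) for t, q, _ in acl["default"]}
    for tag, qual, _ in acl["access"]:
        if qual and (tag, qual) not in default_keys:
            findings.append(f"{tag}:{qual} has no default entry, new files will not inherit it")
    owning_default = next((p for t, q, p in acl["default"] if t == "group" and q == ""), None)
    if owning_default == "---":
        findings.append(f"owning group '{acl['group']}' inherits nothing on new files; "
                        "rights come only from the named entries")
    if not acl["default"]:
        findings.append("no default ACL: new files get only create mask / directory mask")
    return findings

if __name__ == "__main__":
    before = parse_getfacl(SAMPLE_GETFACL)
    print("before chmod:", audit(before))
    print("after chmod 0750:", audit(simulate_chmod(before, 0o750)))
```

Running it on the sample shows why point 5 matters: with mask::rwx nothing is clipped, but after a chmod 0750 the mask becomes r-x and BUILTIN\administrators, NT AUTHORITY\system and root silently drop to read-only on the share root even though their ACL lines still read rwx, until the Windows ACL is set again from the Security tab. Pipe a real `getfacl /home/users` into `parse_getfacl` to check your own share.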



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland penny via samba
> Sent: Wednesday 3 July 2019 13:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] cannot set filesystem permissions on shares
> 
> On 03/07/2019 10:49, Pisch Tamás via samba wrote:
> > Is there anything in any of the logs, you may have to turn up the log
> > I tried:
> > log level = 4 acls 10
> > But I didn't find anything interesting. What log level settings would
> > you recommend?
> Try raising it one number at a time, but be aware you will get 
> larger and larger logs.
> > On the file server:
> > Collected config  --- 2019-07-03-10:27 -----------
> >
> > Hostname: srv
> > DNS Domain: a.b.hu
> > FQDN: srv.a.b.hu
> > ipaddress: 10.0.3.15 192.168.0.8
> > -----------
> > Samba is running as a Unix domain member
> > -----------
> >
> > This computer is running Debian 10.0 x86_64
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > group default qlen 1000
> >      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >      inet 127.0.0.1/8 scope host lo
> >      inet6 ::1/128 scope host
> > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> >      link/ether 08:00:27:c9:09:60 brd ff:ff:ff:ff:ff:ff
> >      inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
> >         valid_lft 83319sec preferred_lft 83319sec
> >      inet6 fe80::a00:27ff:fec9:960/64 scope link
> > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> >      link/ether 08:00:27:60:df:a1 brd ff:ff:ff:ff:ff:ff
> >      inet 192.168.0.8/24 brd 192.168.0.255 scope global enp0s3
> >      inet6 fe80::a00:27ff:fe60:dfa1/64 scope link
> > -----------
> >         Checking file: /etc/hosts
> > 127.0.0.1 localhost
> > 192.168.0.8 srv.a.b.hu srv
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> > -----------
> >         Checking file: /etc/resolv.conf
> > search a.b.hu tm.b.hu
> > nameserver 192.168.0.4
> > -----------
> >
> >         Checking file: /etc/samba/smb.conf
> > [global]
> > bind interfaces only = Yes
> > dos charset = CP852
> > interfaces = lo enp0s3
> > log file = /var/log/samba/%m.log
> > log level = 1
> > name resolve order = lmhosts host bcast
> > realm = A.B.HU
> > security = ADS
> > template homedir = /home/users/%U
> > template shell = /bin/bash
> > unix charset = UTF8
> > username map = /etc/samba/user.map
> > workgroup = A
> > idmap config a : range = 10000-999999
> > idmap config a : backend = rid
> > idmap config * : range = 3000-7999
> > idmap config * : backend = tdb
> > admin users = admin
> > create mask = 0770
> > csc policy = disable
> > directory mask = 0770
> > map acl inherit = Yes
> > store dos attributes = Yes
> > vfs objects = acl_xattr
> >
> > [users]
> > path = /home/users
> > read only = No
> > ...
> >
> > [wpkg]
> > path = /home/samba/wpkg
> > valid users = "@Domain Users"
> I wouldn't recommend using 'valid users', but then I suppose this is 
> what you are trying to fix
> > -----------
> > Running as Unix domain member and user.map detected.
> > Contents of /etc/samba/user.map
> > !root = A\Administrator
> > !root = A\admin
> 
> Remove the second line, I would recommend only mapping 'Administrator' 
> to 'root'
> 
> > On dc1:
> > Collected config  --- 2019-07-03-10:46 -----------
> >
> > Hostname: dc1
> > DNS Domain: a.b.hu
> > FQDN: dc1.a.b.hu
> > ipaddress: 10.0.3.15 192.168.0.4
> > -----------
> > Samba is running as an AD DC
> > -----------
> >
> > This computer is running Debian 10.0 x86_64
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > group default qlen 1000
> >      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >      inet 127.0.0.1/8 scope host lo
> >      inet6 ::1/128 scope host
> > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> >      link/ether 08:00:27:b1:35:eb brd ff:ff:ff:ff:ff:ff
> >      inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
> >         valid_lft 76592sec preferred_lft 76592sec
> >      inet6 fe80::a00:27ff:feb1:35eb/64 scope link
> > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> >      link/ether 08:00:27:bf:f9:75 brd ff:ff:ff:ff:ff:ff
> >      inet 192.168.0.4/24 brd 192.168.0.255 scope global enp0s3
> >      inet6 fe80::a00:27ff:febf:f975/64 scope link
> > -----------
> >         Checking file: /etc/hosts
> > 127.0.0.1 localhost
> > 127.0.1.1 dc1.a.b.hu dc1
> Remove the '127.0.1.1' line and what ever requires it.
> > 192.168.0.4 dc1.a.b.hu dc1
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> > -----------
> >         Checking file: /etc/resolv.conf
> > #domain b.hu
> > search a.b.hu tm.b.hu
> Remove the 'tm.b.hu'
> > #nameserver 10.0.3.3
> > #nameserver 208.67.220.220
> > #nameserver 208.67.222.222
> > nameserver 192.168.0.4
> > -----------
> >
> >         Checking file: /etc/samba/smb.conf
> > [global]
> > bind interfaces only = Yes
> > dns forwarder = 208.67.220.220
> > interfaces = lo enp0s3
> The above lines are okay
> > logon home = \\srv\users\%U
> > logon path = ""
> > name resolve order = lmhosts host bcast
> The above are not.
> > netbios name = DC1
> > realm = A.B.HU
> > server role = active directory domain controller
> > time server = Yes
> All DCs are time servers, just as long as they are running an NTP server, 
> it doesn't need setting in a DC smb.conf
> > username map = /etc/samba/user.map
> No, you do not use a user.map on a DC, Administrator is mapped in idmap.ldb
> > workgroup = A
> > idmap_ldb:use rfc2307 = yes
> > kernel oplocks = Yes
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/a.b.hu/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> > -----------
> > You have a user.map set in your smb.conf
> > This is not allowed because Samba is running as a DC
> > -----------
> > BIND_DLZ not detected in smb.conf
> >
> > Your script says that user.map is not allowed on a dc, but I don't
> > read it in the smb.conf manual.
> 
> Good point, but you do not use one on a Samba AD DC, for the reason given 
> above ;-)
> 
> Try fixing the above problems.
> 
> Rowland
> 
> 
> 