[Samba] cannot set filesystem permissions on shares

Pisch Tamás pischta at gmail.com
Wed Jul 3 13:45:39 UTC 2019


> > On the file server:
> > Collected config  --- 2019-07-03-10:27 -----------
> >
> > Hostname: srv
> > DNS Domain: a.b.hu
> > FQDN: srv.a.b.hu
> > ipaddress: 10.0.3.15 192.168.0.8
> > -----------
> > Samba is running as a Unix domain member
> > -----------
> >
> > This computer is running Debian 10.0 x86_64
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > group default qlen 1000
> >      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >      inet 127.0.0.1/8 scope host lo
> >      inet6 ::1/128 scope host
> > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> >      link/ether 08:00:27:c9:09:60 brd ff:ff:ff:ff:ff:ff
> >      inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
> >         valid_lft 83319sec preferred_lft 83319sec
> >      inet6 fe80::a00:27ff:fec9:960/64 scope link
> > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> >      link/ether 08:00:27:60:df:a1 brd ff:ff:ff:ff:ff:ff
> >      inet 192.168.0.8/24 brd 192.168.0.255 scope global enp0s3
> >      inet6 fe80::a00:27ff:fe60:dfa1/64 scope link
> > -----------
> >         Checking file: /etc/hosts
> > 127.0.0.1 localhost
> > 192.168.0.8 srv.a.b.hu srv
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> > -----------
> >         Checking file: /etc/resolv.conf
> > search a.b.hu tm.b.hu
> > nameserver 192.168.0.4
> > -----------
> >
> >         Checking file: /etc/samba/smb.conf
> > [global]
> > bind interfaces only = Yes
> > dos charset = CP852
> > interfaces = lo enp0s3
> > log file = /var/log/samba/%m.log
> > log level = 1
> > name resolve order = lmhosts host bcast
> > realm = A.B.HU
> > security = ADS
> > template homedir = /home/users/%U
> > template shell = /bin/bash
> > unix charset = UTF8
> > username map = /etc/samba/user.map
> > workgroup = A
> > idmap config a : range = 10000-999999
> > idmap config a : backend = rid
> > idmap config * : range = 3000-7999
> > idmap config * : backend = tdb
> > admin users = admin
> > create mask = 0770
> > csc policy = disable
> > directory mask = 0770
> > map acl inherit = Yes
> > store dos attributes = Yes
> > vfs objects = acl_xattr
> >
> > [users]
> > path = /home/users
> > read only = No
> > ...
> >
> > [wpkg]
> > path = /home/samba/wpkg
> > valid users = "@Domain Users"
> I wouldn't recommend using 'valid users', but then I suppose this is
> what you are trying to fix
Ok, but this is a special share; I have a problem with more important
shares like users.

> > -----------
> > Running as Unix domain member and user.map detected.
> > Contents of /etc/samba/user.map
> > !root = A\Administrator
> > !root = A\admin
> Remove the second line, I would recommend only mapping 'Administrator'
> to 'root'
Later I would like to login to Windows clients with the admin user, so
this is why I included that too.

> > On dc1:
> > Collected config  --- 2019-07-03-10:46 -----------
> >
> > Hostname: dc1
> > DNS Domain: a.b.hu
> > FQDN: dc1.a.b.hu
> > ipaddress: 10.0.3.15 192.168.0.4
> > -----------
> > Samba is running as an AD DC
> > -----------
> >
> > This computer is running Debian 10.0 x86_64
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > group default qlen 1000
> >      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >      inet 127.0.0.1/8 scope host lo
> >      inet6 ::1/128 scope host
> > 2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> >      link/ether 08:00:27:b1:35:eb brd ff:ff:ff:ff:ff:ff
> >      inet 10.0.3.15/24 brd 10.0.3.255 scope global dynamic enp0s8
> >         valid_lft 76592sec preferred_lft 76592sec
> >      inet6 fe80::a00:27ff:feb1:35eb/64 scope link
> > 3: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> >      link/ether 08:00:27:bf:f9:75 brd ff:ff:ff:ff:ff:ff
> >      inet 192.168.0.4/24 brd 192.168.0.255 scope global enp0s3
> >      inet6 fe80::a00:27ff:febf:f975/64 scope link
> > -----------
> >         Checking file: /etc/hosts
> > 127.0.0.1 localhost
> > 127.0.1.1 dc1.a.b.hu dc1
> Remove the '127.0.1.1' line and whatever requires it.
Ok, I removed it. The Debian installer creates that line.

> > 192.168.0.4 dc1.a.b.hu dc1
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> > -----------
> >         Checking file: /etc/resolv.conf
> > #domain b.hu
> > search a.b.hu tm.b.hu
> Remove the 'tm.b.hu'
We have two sites, connected with VPN, so we have two subnets. As far as I
know, I need this to reach hosts in tm.b.hu without the tm.b.hu
postfix. I temporarily removed it to test the result, but it didn't
help.

> > #nameserver 10.0.3.3
> > #nameserver 208.67.220.220
> > #nameserver 208.67.222.222
> > nameserver 192.168.0.4
> > -----------
> >
> >         Checking file: /etc/samba/smb.conf
> > [global]
> > bind interfaces only = Yes
> > dns forwarder = 208.67.220.220
> > interfaces = lo enp0s3
> The above lines are okay
> > logon home = \\srv\users\%U
> > logon path = ""
> > name resolve order = lmhosts host bcast
> The above are not.
Ok, what do you recommend? I changed it after Rowland recommended not
to use WINS.

> > netbios name = DC1
> > realm = A.B.HU
> > server role = active directory domain controller
> > time server = Yes
> All DCs are time servers, just as long as they are running an NTP server;
> it doesn't need setting in a DC smb.conf
Ok.
> > username map = /etc/samba/user.map
> No, you do not use a user.map on a DC, Administrator is mapped in idmap.ldb
Ok.
> > workgroup = A
> > idmap_ldb:use rfc2307 = yes
> > kernel oplocks = Yes
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/a.b.hu/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> > -----------
> > You have a user.map set in your smb.conf
> > This is not allowed because Samba is running as a DC
> > -----------
> > BIND_DLZ not detected in smb.conf
> >
> > Your script says that user.map is not allowed on a dc, but I don't
> > read it in the smb.conf manual.
> Good point, but you do not use one on a Samba AD DC, for the reason given
> above ;-)

> Now after all changes Rowland suggested.
>
> Run this : getfacl /home/users
getfacl: Removing leading '/' from absolute path names
# file: home/users
# owner: root
# group: A\\domain\040admins
user::rwx
user:root:rwx
user:10512:rwx
group::rwx
group:A\\domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:A\\domain\040admins:rwx
default:mask::rwx
default:other::---

>
> There are 5 things you need to think about.
> 1) The folder rights
I haven't used ACLs yet, I just followed the Samba docs, and they say I
should set folder rights from Windows, but I cannot.

> 2) The share rights
I've set it according to the Samba doc.

> 3) POSIX or Windows ACLs? (Use Windows ACLs, my advice.)
Yes, that's what I wanted too.

> 4) Don't forget the "Primary Group".
Primary Group=default:group?

> 5) If you use chmod, you must re-apply the Windows ACL again on share/security (file/folder) level.
So, chmod resets the permissions. Thanks, good to know it.
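As an added example that is not part of the thread, the following Python script works through points 3 to 5 of the checklist against the getfacl listing above: it undoes getfacl's name quoting, decodes the unresolved id 10512 through the rid idmap range in srv's smb.conf, and simulates how a chmod on the share root rewrites the POSIX mask entry and so caps every named-user and named-group entry, which is what makes the Windows ACL need re-applying. It assumes the rid backend's default base (id = range start + RID, range start 10000) and uses only the access entries of the listing as constructed sample input.

```python
import re

# Access entries from the getfacl listing above (constructed sample input).
GETFACL_OUTPUT = r"""user::rwx
user:root:rwx
user:10512:rwx
group::rwx
group:A\\domain\040admins:rwx
mask::rwx
other::---
"""

def unescape(name):
    # getfacl quotes a backslash as '\\' and other special bytes as octal, e.g. '\040' for a space.
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)

def parse_acl(text):
    # Returns (tag, qualifier, perms) per entry; 'default:' entries keep the prefix in their tag.
    entries = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            tag, qual, perms = line.rsplit(":", 2)
            entries.append((tag, unescape(qual), perms))
    return entries

def bits(p):
    return (4 if "r" in p else 0) | (2 if "w" in p else 0) | (1 if "x" in p else 0)
def rwx(b):
    return "".join(c if b & v else "-" for c, v in (("r", 4), ("w", 2), ("x", 1)))

def rid_of(qualifier, base=10000, top=999999):
    # rid backend (assumed base_rid 0): id = range start + RID, so 10512 is RID 512 (Domain Admins).
    return int(qualifier) - base if qualifier.isdigit() and base <= int(qualifier) <= top else None

def effective_access(entries):
    # POSIX.1e rule: named users, named groups and the owning group are capped by mask::.
    mask = next((bits(p) for t, _, p in entries if t == "mask"), 7)
    out = {}
    for tag, qual, perms in entries:
        if tag.startswith("default:") or tag == "mask":
            continue
        capped = tag == "group" or (tag == "user" and qual != "")
        out[f"{tag}:{qual}"] = rwx(bits(perms) & mask) if capped else perms
    return out

def chmod_acl(entries, mode):
    # With a mask entry present, chmod rewrites user::, mask:: and other:: from the mode bits;
    # group:: and the named entries keep their stored perms but are now capped by the new mask.
    new = {"user": (mode >> 6) & 7, "mask": (mode >> 3) & 7, "other": mode & 7}
    return [(t, q, rwx(new[t]) if q == "" and t in new else p) for t, q, p in entries]
```

Running `effective_access(chmod_acl(parse_acl(GETFACL_OUTPUT), 0o750))` shows user:10512 and the domain admins group dropping from rwx to r-x while the stored entries are unchanged, which is the "reset" seen from Windows.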


