[Samba] cannot set filesystem permissions on shares
Rowland penny
rpenny at samba.org
Thu Jul 4 10:40:19 UTC 2019
On 04/07/2019 10:31, Rowland penny via samba wrote:
> On 04/07/2019 10:22, Pisch Tamás via samba wrote:
>> ls -l
>> ...
>> drwxrwx--- 2 root A\domain users 4096 jún 26 15:52 users
>> What do you see with ls?
>> Maybe it is good on the filesystem, just the acl package shows it
>> incorrectly? Does Samba use acl too, and this is why I cannot see/set
>> the permissions from Windows?
>>
> I get the same as you:
>
> ls -lad testA
> drwxrwx--- 2 root A\domain users 4096 Jul 4 09:39 testA
> ls -lad testB
> drwxrwx--- 2 root A\domain users 4096 Jul 4 09:40 testB
>
> I suppose the only way to find out is to set up a Buster domain member
> on my domain, watch this space ;-)
>
> Rowland
>
>
>
OK, I set up Buster RC3 in a VM, used this smb.conf:
[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind expand groups = 4
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 3000-7999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
template shell = /bin/bash
template homedir = /home/users/%U
domain master = no
local master = no
preferred master = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[users]
path = /home/users
read only = No
The user.map is this:
!root = SAMDOM\Administrator
Joined to the domain and started Samba.
mkdir /home/users
chmod 0770 /home/users
chown "root:SAMDOM\domain users" /home/users
ls -lad /home/users
drwxrwx--- 2 root SAMDOM\domain_users 4096 Jul 4 11:12 /home/users
root@dbrc3:~# getfacl /home/users
getfacl: Removing leading '/' from absolute path names
# file: home/users
# owner: root
# group: SAMDOM\\domain_users
user::rwx
group::rwx
other::---
Go to a Win10 machine and log in as 'SAMDOM\Administrator'
Go to File explorer and navigate to the 'users' share on 'dbrc3'
I could add 'Domain Admins' to the 'Properties' on the share without any
problem.
Back to Buster machine:
root@dbrc3:~# ls -lad /home/users
drwxrwx---+ 2 root SAMDOM\domain_users 4096 Jul 4 11:12 /home/users
root@dbrc3:~# getfacl /home/users
getfacl: Removing leading '/' from absolute path names
# file: home/users
# owner: root
# group: SAMDOM\\domain_users
user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
group:SAMDOM\\domain_admins:rwx
group:SAMDOM\\domain_users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10512:rwx
default:group::r-x
default:group:SAMDOM\\domain_admins:rwx
default:group:SAMDOM\\domain_users:r-x
default:mask::rwx
default:other::r-x
So we can scratch the 'acl' changes.
You must have the 'acl' package installed to have 'getfacl', but is the
'attr' package installed?
Rowland
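
Added example (not part of the original message, and not Samba code): a small Python parser for the second getfacl listing above. It separates the entries added from Windows from the base owner/group/other triple and maps the numeric qualifiers 10512 and 10513 back to RIDs. It assumes the idmap rid backend's default mapping (ID = RID + low end of the configured range) and the standard RIDs 512 and 513; the function names are illustrative.

```python
# Added example; AFTER is a copy of the second getfacl listing in the message.
RID_RANGE_LOW = 10000  # from "idmap config SAMDOM : range = 10000-999999"
# Assumption: idmap rid default mapping, ID = RID + low end of the range.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}

AFTER = r"""
user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
group:SAMDOM\\domain_admins:rwx
group:SAMDOM\\domain_users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10512:rwx
default:group::r-x
default:group:SAMDOM\\domain_admins:rwx
default:group:SAMDOM\\domain_users:r-x
default:mask::rwx
default:other::r-x
"""

def parse_getfacl(text):
    """Return (is_default, tag, qualifier, perms) for each ACL entry line."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # skip blanks and the "# file/owner/group" header
        is_default = line.startswith("default:")
        tag, rest = (line[8:] if is_default else line).split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        entries.append((is_default, tag, qualifier.replace("\\\\", "\\"), perms))
    return entries

def extended(entries):
    """Entries beyond the base owner/group/other triple (what ls marks with '+')."""
    return [e for e in entries if e[0] or e[1] == "mask" or e[2]]

def numeric_ids(entries):
    """Map each numeric qualifier to (RID, well-known name or None)."""
    rids = {q: int(q) - RID_RANGE_LOW for _, _, q, _ in entries if q.isdigit()}
    return {q: (rid, WELL_KNOWN_RIDS.get(rid)) for q, rid in rids.items()}

if __name__ == "__main__":
    acl = parse_getfacl(AFTER)
    print(len(extended(acl)), "extended entries;", numeric_ids(acl))
```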