[Samba] cannot set filesystem permissions on shares

Rowland penny rpenny at samba.org
Thu Jul 4 10:40:19 UTC 2019


On 04/07/2019 10:31, Rowland penny via samba wrote:
> On 04/07/2019 10:22, Pisch Tamás via samba wrote:
>> ls -l
>> ...
>> drwxrwx---   2 root A\domain users  4096 jún   26 15:52 users
>> What do you see with ls?
>> Maybe it is good on the filesystem, just the acl package shows it
>> incorrectly? Does Samba use acl too, and this is why I cannot see/set
>> the permissions from Windows?
>>
> I get the same as you:
>
> ls -lad testA
> drwxrwx--- 2 root A\domain users 4096 Jul  4 09:39 testA
> ls -lad testB
> drwxrwx--- 2 root A\domain users 4096 Jul  4 09:40 testB
>
> I suppose the only way to find out is to set up a Buster domain member 
> on my domain, watch this space ;-)
>
> Rowland
>
>
>
OK, I set up Buster RC3 in a VM, used this smb.conf:

[global]
     workgroup = SAMDOM
     security = ADS
     realm = SAMDOM.EXAMPLE.COM

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     server string = Samba 4 Client %h

     winbind expand groups = 4
     winbind refresh tickets = Yes
     winbind offline logon = yes
     winbind normalize names = Yes

     ## map ids outside of domain to tdb files.
     idmap config *:backend = tdb
     idmap config *:range = 3000-7999
     ## map ids from the domain  the ranges may not overlap !
     idmap config SAMDOM : backend = rid
     idmap config SAMDOM : range = 10000-999999
     template shell = /bin/bash
     template homedir = /home/users/%U

     domain master = no
     local master = no
     preferred master = no

     # user Administrator workaround, without it you are unable to set privileges
     username map = /etc/samba/user.map

     # For ACL support on domain member
     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes

     # Share Setting Globally
     unix extensions = no
     reset on zero vc = yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     hide unreadable = yes

     # disable printing completely
     load printers = no
     printing = bsd
     printcap name = /dev/null
     disable spoolss = yes

[users]
     path = /home/users
     read only = No

The user.map is this:

!root = SAMDOM\Administrator

Joined to the domain and started Samba.

mkdir /home/users
chmod 0770 /home/users
chown "root:SAMDOM\domain users" /home/users

ls -lad /home/users
drwxrwx--- 2 root SAMDOM\domain_users 4096 Jul  4 11:12 /home/users
root@dbrc3:~# getfacl /home/users
getfacl: Removing leading '/' from absolute path names
# file: home/users
# owner: root
# group: SAMDOM\\domain_users
user::rwx
group::rwx
other::---

Go to a Win10 machine and log in as 'SAMDOM\Administrator'

Go to File explorer and navigate to the 'users' share on 'dbrc3'

I could add 'Domain Admins' to the 'Properties' on the share without any 
problem.

Back to Buster machine:

root@dbrc3:~# ls -lad /home/users
drwxrwx---+ 2 root SAMDOM\domain_users 4096 Jul  4 11:12 /home/users
root@dbrc3:~# getfacl /home/users
getfacl: Removing leading '/' from absolute path names
# file: home/users
# owner: root
# group: SAMDOM\\domain_users
user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
group:SAMDOM\\domain_admins:rwx
group:SAMDOM\\domain_users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:10512:rwx
default:group::r-x
default:group:SAMDOM\\domain_admins:rwx
default:group:SAMDOM\\domain_users:r-x
default:mask::rwx
default:other::r-x

So we can scratch the 'acl' changes.

You must have the 'acl' package installed to have 'getfacl', but is the 
'attr' package installed?

Rowland
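
Added example (not part of the original message): the numeric user:10512 and user:10513 entries in the second getfacl listing can be decoded back to domain RIDs with the idmap_rid formula RID = ID - low range + base_rid. The range is the one in the smb.conf above; base_rid = 0 (the default) and all function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post.
# LOW/HIGH: "idmap config SAMDOM : range = 10000-999999" in the smb.conf above.
# BASE_RID: assumed to be the idmap_rid default (0); the post does not set it.
LOW=10000
HIGH=999999
BASE_RID=0

# Print the RID for a Unix ID; return 1 if the ID is outside the domain range.
rid_from_id() {
    if [ "$1" -lt "$LOW" ] || [ "$1" -gt "$HIGH" ]; then
        return 1
    fi
    echo $(( $1 - LOW + BASE_RID ))
}

# Name a few well-known domain RIDs (fixed by Windows, not by this setup).
rid_name() {
    case "$1" in
        500) echo "Administrator" ;;
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        *)   echo "unknown" ;;
    esac
}

# Read getfacl output on stdin; report access entries with a numeric qualifier.
decode_acl() {
    grep -E '^(user|group):[0-9]+:' | while IFS=: read -r tag id perms; do
        if rid=$(rid_from_id "$id"); then
            echo "$tag:$id rid=$rid ($(rid_name "$rid")) perms=$perms"
        else
            echo "$tag:$id outside-domain-range perms=$perms"
        fi
    done
}

# Constructed sample: access entries as shown in the second getfacl listing.
SAMPLE='user::rwx
user:root:rwx
user:10512:rwx
user:10513:rwx
group::rwx
mask::rwx
other::---'

decode_sample() { printf '%s\n' "$SAMPLE" | decode_acl; }

decode_sample
```

On a live member server the same function can be fed directly, e.g. getfacl /home/users | decode_acl, to see which domain objects the numeric entries stand for.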




