[Samba] cannot set filesystem permissions on shares

L. van Belle belle at samba.org
Thu Jul 4 13:32:27 UTC 2019 


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Pisch Tamás via samba
....
> 
> Unbelievable: I remowed every settings from the samba shares, except
> path and read only in smb.conf. It turned out that I can set the
> fliesystem permissions of every share, except the users share!
> I checked the acls and xattrs of the folders. Only the users share had
> xattr entry. I deleted that setting, but it didn't help. I compared
> the acls of the other shares with the users share, but no difference.
> Is there users share related settings in smb.conf that maybe 
> prohibit my access?
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


No, these are just wrong rights on you file system. 

A simple test, set /home/users to 777, create a folder from within windows. 
Use getfacl to check the rights. 

Now, did you change the "share" security? 

One of you problems is, at least what could be, due to all the attempts your
acl might be messed up. 

I was a bit buzy, still im but i saw you message on the debian bug list and
here, so lets work through this. 

( from yesterday. ) 
>> There are 5 things you need to think in.
>> 1) The folder rights
>I havent used ACLs yet, I just followed Samba docs, and it says, I
>shoud set folder rights from Windows, but I cannot.

Yes, you used the samba docs, that good.
https://wiki.samba.org/index.php/User_Home_Folders


>> 2) The share rights
>I've set it according to the Samba doc, try this. 

Remove domain users/change
Remove domain admins/Full
Add Everyone/Full  ( or Authenticated Users/Full ) 

Just so you can test a bit.. And see which rights are set on created
folders. 

Now even if the share security is set to everyone, as long as you dont set
777 on /home/users your fine here. 
Minimaal needed is 775, i preffer 771
But you can use this to test, set everything to 777 and see what a new
folder gets with getfacl. 

>> 3) Posix or windows ACL's? ( use Windows ACL's my advice. )
>Yes, that's what I wanted too.
Ok, good. And yes, we know we have to update the wiki. 
Most people do mix these up. 

>> 4) Dont forget the "Primary Group".

No, the primary group, is windows is always ( by default ) Domain users, for
every user ( even Administrator ) 
Where needed, and what i do recommend, if you use your windows users also
within linux ( with ssh for example ),
then do set the unix_primary group to "domain users". 

Then after that, use other groups to secure folders and use Creator
Owner/Group to allow everyone to change files/folders in the folder. 
chmod 4770 gives creator owner and creator group 

> 5) If you use chmod, you must re-apply the windows ACL again on
share/security (file/folder) level.
So, chmod resets the permissions. Thanks, good to know it.
Best tip, try to learn getfacl setfacl. 
You can start a setup with chmod, then finish it from within windows. 

Then next email on the list. 

Short response on the smb.conf
workgroup = A
idmap config a : range = 10000-999999

I assume this is a typo, so this is really.. 
workgroup = A
idmap config A : range = 10000-999999

Did you notice the A and a change, i dont know if, conflicts, but a thing i
noticed.

Then next email on the list. 
>> >> Run this : getfacl /home/users
>> > getfacl: Removing leading '/' from absolute path names
>> > # file: home/users
>> > # owner: root
>> > # group: A\\domain\040admins
>> > user::rwx
>> > user:root:rwx
>> > user:10512:rwx
>> > group::rwx
>> > group:A\\domain\040admins:rwx
>> > mask::rwx
>> > other::---
>> > default:user::rwx
>> > default:user:root:rwx
>> > default:group::rwx
>> > default:group:A\\domain\040admins:rwx
>> > default:mask::rwx
>> > default:other::---
>>
>> Hmm, have you done something like running 'setfacl' on the directory ?
>No.

That most probley, happend after you changes a right from within windows. 
Check who user 10512 is and you know for sure. 
I suspect Adminstrator or Admin, if its Administrator ,then, the one should
not have a UID. 

Next e-mail
As concluded there is no problem with acl packages between buster and
stretch.

Next e-mail
Now, last, if you want to run buster, thats fine, i do still recommend
stretch untill buster is release. 
You can run stretch with 4.9.5 ( backported from buster ) or 4.9.11 ( out
today, max few hours ). Or 4.10.5
Thats a bit up 2 you. 

And, as suggested, yes, i also recommend a higher samba version then the
official debians. 
This is mainly because, a bit of debian policy, and the fast development of
Samba. 
Debian is low on maintainers and im not ready yet to to also join the debian
packagers. 

Thats why Rowland (and I) say, you could use higher samba package. ( my
packages ). 

Rowland, send him the mkhomedir script, i dont believe this server is in
production yet, so it a really good one to test it on. 
IF Pisch want to..  


Greetz, 

Louis

More information about the samba mailing list