[Samba] Permission issue with home directory and groups with deny access

doomas at gmx.ch doomas at gmx.ch
Sat Dec 12 18:23:25 UTC 2020


On 12.12.20 at 18:06, Rowland penny via samba wrote:
> On 12/12/2020 16:51, Thomas Galliker via samba wrote:
>> Hello,
>>   I have a somewhat strange permission issue on my samba 
>> fileserver(4.9.5) joined to a samba ad server(4.12.7).
>>
>> root@srv-vir-009:/srv/files/user/schueler# getfacl t.galliker7
>> # file: t.galliker7
>> # owner: administrator
>> # group: domain\040users
>> user::rwx
>> user:10512:rwx
>> user:t.galliker:rwx
>> user:11223:r-x
>> user:11224:rwx
>> user:11225:rwx
>
> Why are your users being shown as numbers and not names ?
>
> Please post the smb.conf files from the DC and Unix domain member.
>
> Rowland
>
>
>
I don't know. The numbers match however with getent output:

#getent group
...
share_schueler_rw:x:11224:
nxc_grp_benutzer:x:11161:
nxc_grp_schueler:x:11162:
share_benutzer_d:x:11226:
share_benutzer_r:x:11227:
share_config_rwx:x:11213:
share_klassen_rw:x:11234:
share_lehrer_rwx:x:11181:
share_schueler_d:x:11222:
share_schueler_r:x:11223:
...


smb.conf( fileserver samba 4.9.5)
[global]
         security = ADS
         netbios name = SRV-VIR-009
         realm = LAN.SCHULEBURG.CH
         server role = member server
         workgroup = SB

         # Logging
         log file = /var/log/samba/%m.log
         log level = 4

         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = Yes

         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab

#        username map = /etc/samba/user.map
         hide files = /lost+found/

         winbind enum users = yes
         winbind enum groups = yes
         winbind refresh tickets = Yes
         winbind use default domain = yes

         # The following lines disable printing completely
         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes

         # Default idmap configuration using rid mapping
         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config SB:backend = rid
         idmap config SB:range = 10000-999999

# Share configuration
[benutzer]
         path = /srv/files/user/benutzer
         read only = no
         browsable = yes
         hide unreadable = yes

[klassen]
         path = /srv/files/user/klassen
         read only = no
         browsable = yes
         hide unreadable = yes

[schueler]
         path = /srv/files/user/schueler
         read only = no
         browsable = yes
         hide unreadable = yes

[sekretariat]
         path = /srv/files/share/sekretariat
         read only = no
         browsable = yes
         hide unreadable = yes


smb.conf dc(samba 4.12.7)
[global]
         workgroup = SB
         realm = LAN.SCHULEBURG.CH
         netbios name = SRV-VIRT-02
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes

[netlogon]
         path = /var/lib/samba/sysvol/lan.schuleburg.ch/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

Thomas
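
A way to cross-check the numeric ACL entries from the post against the idmap range and the `getent group` output, as an added example that is not part of the original message. It assumes the SB domain uses the rid backend as in the posted smb.conf and applies the idmap_rid formula RID = ID + BASE_RID - LOW_RANGE_ID; the function names and the trimmed sample inputs are constructed for illustration.

```python
import re

# Constructed sample input: excerpts of the outputs quoted in the post above.
GETFACL = """user::rwx
user:10512:rwx
user:t.galliker:rwx
user:11223:r-x
user:11224:rwx
user:11225:rwx"""
GETENT_GROUP = """share_schueler_rw:x:11224:
share_schueler_d:x:11222:
share_schueler_r:x:11223:"""
SMB_CONF = """idmap config * : range = 3000-7999
idmap config SB:backend = rid
idmap config SB:range = 10000-999999"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)
ACL_RE = re.compile(r"(user|group):(\d+):([rwx-]{3})")

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM:range = a-b' lines."""
    return {d: (int(lo), int(hi)) for d, lo, hi in RANGE_RE.findall(conf)}

def group_names(getent_out):
    """Map gid -> group name from 'name:x:gid:members' lines."""
    fields = (line.split(":") for line in getent_out.splitlines())
    return {int(f[2]): f[0] for f in fields if len(f) >= 3 and f[2].isdigit()}

def audit(getfacl_out, getent_out, conf, base_rid=0):
    """List numeric ACL entries as (tag, id, perms, domain, rid, group name)."""
    ranges, groups = idmap_ranges(conf), group_names(getent_out)
    rows = []
    for line in getfacl_out.splitlines():
        m = ACL_RE.fullmatch(line.strip())
        if not m:
            continue  # comment line, named entry, or owner entry (user::rwx)
        tag, xid, perms = m.group(1), int(m.group(2)), m.group(3)
        dom = next((d for d, (lo, hi) in ranges.items()
                    if d != "*" and lo <= xid <= hi), None)
        # Assumes the matching domain uses the rid backend, as SB does here:
        # RID = ID + BASE_RID - LOW_RANGE_ID (base_rid is 0 unless configured).
        rid = xid + base_rid - ranges[dom][0] if dom else None
        rows.append((tag, xid, perms, dom, rid, groups.get(xid)))
    return rows

if __name__ == "__main__":
    print(*audit(GETFACL, GETENT_GROUP, SMB_CONF), sep="\n")
```

A row whose tag is `user` but whose last field is a group name marks an ACL entry stored under a user tag for an ID that the system resolves as a group.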

