[Samba] Permission issue with home directory and groups with deny access

doomas at gmx.ch doomas at gmx.ch
Sat Dec 12 22:22:49 UTC 2020 

Am 12.12.20 um 19:22 schrieb Rowland penny via samba:
> On 12/12/2020 17:48, doomas at gmx.ch wrote:
>>
>>>
>>>
>>>
>> I don't know. The numbers match however with getent output:
>>
>> #getent group
>> ...
>> share_schueler_rw:x:11224:
>> nxc_grp_benutzer:x:11161:
>> nxc_grp_schueler:x:11162:
>> share_benutzer_d:x:11226:
>> share_benutzer_r:x:11227:
>> share_config_rwx:x:11213:
>> share_klassen_rw:x:11234:
>> share_lehrer_rwx:x:11181:
>> share_schueler_d:x:11222:
>> share_schueler_r:x:11223:
>> ...
>
> Ah, I see the problem now, somehow you seem to have added the groups
> as users, now on Windows this wouldn't be a problem because Windows
> allows groups to own things, but Unix normally doesn't. I say normally
> because a Samba AD DC does allow groups to own things (just as long as
> you do not add a gidNumber to the group). I would revisit the point
> where you added the groups to the share (Actually, why did you add the
> groups?) and ensure that they are added as groups and not users.
>
> Rowland
>
>
>
I've set the permissions for the share on windows in the "Advanced
Security Settings". All groups that I assign this way will be added
automatically also as user (eg: "user:11123:rwx") to the ACL. I thought
this is normal. The same behavior I see on 3 other samba installations
that i manage(and all is running smoothly since many years)

I add 4 groups (deny, read, write, full) on every share(except user home
directories). It's just a way to manage the access privileges on shares.
If they are there from the beginning I almost never need to touch the
access rights on a share again. I just add user/groups to this 4 groups
as needed.

This is just the first time I added this groups(deny, read, write, full)
to a share for user home directories, because I need to allow certain
groups/user to access all the home directories. And so I stumbled upon
this problem that when the "Deny Group"(Denies all privileges on the
share. It is just an empty group with no group/users assigned) is added
to the share, the home directory creation with " Active Directory Users
and Computers" seems to not  setup the permissions on the folder properly.

Like I said, it's not really a big issue for me. I just don't add the
"Deny Group" on a share for user home folders. It seems to me just like
a bug(Maybe not even in samba, I try to test this next week on an
windows server).

Thomas

More information about the samba mailing list