[Samba] Group with RWX acl cannot delete as file/dir owned by user with RWX

G33k pHr33k g33kphr33k at gmail.com
Tue Nov 3 12:26:51 UTC 2020

Thank you for any help with this:
Using xattr so that I can manage a domain joined Samba server share
with AD permissions.  The underlying OS file perms are 777 and I have
set the share with -R a+w to make sure that permissions for owner and
group are the same.  Getfacl returns:

# file: deleteme.txt

# owner: root
# group: group_access 





>From Windows, if I try to delete the file in the share it throws back
that the file is owned by Unix User\root and cannot be deleted without
permission.  I am a member of group_access on AD and should have full
rights over the file.  What have I done wrong?  This is affecting all
shares and files.  If I use the Windows Share management and set
permissions then it'll work fine until new files and folders are added.
Version 4.9.5-Debian
smb.conf (with a little redaction):----------------------------------
-----#======================= Global Settings =======================


        log level = 1

        writeable = yes

        delete veto files = yes

        map acl inherit = yes

        inherit acls = yes

        create mode = 0666

        pam password change = yes

        username map = /etc/samba/user.map

        map to guest = bad user

        #winbind enum users = yes

        security = ADS

        log file = /var/log/samba/log.%m

        idmap config company : backend = rid

        realm = COMPANY.LTD

        passwd program = /usr/bin/passwd %u

        vfs objects = acl_xattr

        server string = Catapult Server

        #store dos attributes = yes

        winbind use default domain = yes

        passdb backend = tdbsam

        panic action = /usr/share/samba/panic-action %d

        delete readonly = yes

        acl_xattr:ignore system acls = yes

        server role = member server

        dns proxy = no

        workgroup = COMPANY 
        unix extensions = no

        obey pam restrictions = yes

        unix charset = UTF-8

        idmap config * : range = 3000-7999

        veto files =
/.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash
Items/TheVolumeSettingsFolder/. at __thumb/. at __desc/:2e*/._.DS_Store/.DS_S

        force directory mode = 02777

        usershare allow guests = yes

        idmap config * : backend = tdb

        max log size = 1000

        protocol = SMB2

        directory mode = 02777

        force create mode = 0666

        unix password sync = yes

        passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

        idmap config company : range = 10000-999999

        template shell = /bin/bash

        template homedir = /home/%U

        wide links = no

        #winbind enum groups = yes

        load printers = no

        printing = bsd

        printcap = /dev/null

        disable spoolss = yes

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will
part of

# This will prevent nmbd to search for NetBIOS names through DNS.

#### Debugging/Accounting ####

# If you are using encrypted passwords, Samba will need to know what

# password database type you are using.   

############ Misc ############

# Some defaults for winbind (make sure you're not using the ranges

# for something else.)

#   idmap uid = 10000-20000

#   idmap gid = 10000-20000

# Allow users who've been granted usershare privileges to create

# public shares, not just authenticated ones

# Templates for shell and home

# Usr Map

#socket options = SO_SNDBUF=33554432 TCP_NODELAY

#======================= Share Definitions =======================


       path = /mnt/borgrecovery

       read only = yes

       guest ok = yes

       writable = no


       path = /srv/samba/CompanyShare 
       read only = no

How do I defeat the file ownership with the group being able to also

More information about the samba mailing list