[Samba] ACLs, groups and suid-bit?
Rowland penny
rpenny at samba.org
Tue Sep 8 13:08:38 UTC 2020
On 08/09/2020 13:55, Harald Hannelius wrote:
>
> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
>>>
>>> Hello,
>>>
>>> I have users in Samba AD with uid- and gidnumbers. I also have group
>>> objects with gidNumbers.
>>>
>>> I have a Samba member server (all servers Samba 4.9.5-Debian) that
>>> has one share and a lot of directories.
>>>
>>> The directory permissions are set as a specific group as owner, and
>>> the group write and suid bit are set.
>>>
>>> drwxrwsr-x 2 root thegroup 4096 Sep 8 15:25 groupdir
>>>
>>> This worked fine in Samba 3. However, now when people are storing
>>> files in the dir the file doesn't get group ownership 'thegroup' nor
>>> does it get write permission bit set.
>>>
>>> Is there a new and improved way to accomplish this now?
>>>
>>>
>> Can we see the smb.conf from your Unix domain member before we comment.
>
> [global]
> dedicated keytab file = /etc/krb5.keytab
> disable spoolss = Yes
> kerberos method = secrets and keytab
> load printers = No
> printcap name = /dev/null
> realm = SAD.DOMAIN.COM
> security = ADS
> username map = /etc/samba/user.map
> utmp = Yes
> winbind cache time = 20
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = SAD
> idmap config sad:unix_primary_group = yes
> idmap config sad:unix_nss_info = yes
> idmap config sad:range = 500-4000000
> idmap config sad:schema_mode = rfc2307
> idmap config sad:backend = ad
> idmap config * : range = 5000000-9000000
> idmap config * : backend = tdb
> map acl inherit = Yes
> printing = bsd
> vfs objects = acl_xattr
>
>
> [intra]
> create mask = 0665
> directory mask = 02775
> path = /tftpboot/intra
> read only = No
>
>
Is there some reason you started your uidNumber & gidNumber attributes
at 500?
The 'new and improved way' is to make use of this:
vfs objects = acl_xattr
You set the permissions from Windows, try reading this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland
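Added example (not part of the thread, and not Samba's own tooling): a small Python check for the idmap ranges in an smb.conf like the one quoted above. It flags a range that starts inside the local system-account block, which is the concern behind the question about starting uidNumber/gidNumber at 500, and also catches overlapping ranges between domains. The sample configs below are constructed from the thread's [global] section; the assumption that 0-999 is reserved for local system accounts follows Debian's login.defs default (UID_MIN = 1000) and should be adjusted for other distributions.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in this thread.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SAD
   security = ADS
   idmap config sad:unix_primary_group = yes
   idmap config sad:unix_nss_info = yes
   idmap config sad:range = 500-4000000
   idmap config sad:schema_mode = rfc2307
   idmap config sad:backend = ad
   idmap config * : range = 5000000-9000000
   idmap config * : backend = tdb
"""

# Constructed sample: the same config with the domain range moved above
# the local system-account block (hypothetical fix, not from the thread).
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace("500-4000000", "10000-4000000")

# Assumption: Debian's login.defs keeps UIDs/GIDs 0-999 for system accounts
# (UID_MIN = 1000). Change this for distributions with other defaults.
LOCAL_RESERVED = (0, 999)

# 'idmap config <domain> : <key> = <value>'; whitespace around ':' is optional,
# which is why both 'sad:range' and '* : range' parse the same way.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf_text):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").lower()
        domains.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return domains


def check_idmap(conf_text, reserved=LOCAL_RESERVED):
    """Return a list of (domain, problem) tuples; an empty list means the ranges look sane."""
    problems = []
    ranges = {}
    for dom, keys in parse_idmap(conf_text).items():
        if "range" not in keys:
            problems.append((dom, "no range configured"))
            continue
        m = RANGE_RE.match(keys["range"])
        if not m:
            problems.append((dom, "unparseable range %r" % keys["range"]))
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo >= hi:
            problems.append((dom, "range low %d is not below high %d" % (lo, hi)))
            continue
        if lo <= reserved[1]:
            problems.append((dom, "range %d-%d starts inside the local system account range %d-%d"
                             % (lo, hi, reserved[0], reserved[1])))
        ranges[dom] = (lo, hi)

    # Every pair of domains must have disjoint ranges, or winbind will hand
    # the same UID/GID to users from different domains.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append((a, "range %d-%d overlaps with %r (%d-%d)" % (alo, ahi, b, blo, bhi)))
    return problems


if __name__ == "__main__":
    for name, conf in (("as posted", SAMPLE_SMB_CONF), ("adjusted", FIXED_SMB_CONF)):
        print("%s:" % name)
        for dom, problem in check_idmap(conf) or [("-", "no problems found")]:
            print("  [%s] %s" % (dom, problem))
```

Run it against a real /etc/smb.conf by reading the file into `check_idmap`; on the posted config it reports only the `sad` range starting at 500, and nothing for the adjusted one.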