[Samba] ACLs, groups and suid-bit?
harald+samba at arcada.fi
Tue Sep 8 13:43:21 UTC 2020
On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> On 08/09/2020 13:55, Harald Hannelius wrote:
>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
>>>> I have users in Samba AD with uid- and gidnumbers. I also have group
>>>> objects with gidNumbers.
>>>> I have a Samba member server (all servers Samba 4.9.5-Debian) that have
>>>> one share and a lot of directories.
>>>> The directory permissions are set as a specific group as owner, and the
>>>> group write and suid bit are set.
>>>> drwxrwsr-x 2 root thegroup 4096 Sep 8 15:25 groupdir
>>>> This worked fine in Samba 3. However, now when people are storing files
>>>> in the dir the file doesn't get group ownership 'thegroup' nor does it
>>>> get write permission bit set.
>>>> Is there a new and improved way to accomplish this now?
>>> Can we see the smb.conf from your Unix domain member before we comment.
>> dedicated keytab file = /etc/krb5.keytab
>> disable spoolss = Yes
>> kerberos method = secrets and keytab
>> load printers = No
>> printcap name = /dev/null
>> realm = SAD.DOMAIN.COM
>> security = ADS
>> username map = /etc/samba/user.map
>> utmp = Yes
>> winbind cache time = 20
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind refresh tickets = Yes
>> winbind use default domain = Yes
>> workgroup = SAD
>> idmap config sad:unix_primary_group = yes
>> idmap config sad:unix_nss_info = yes
>> idmap config sad:range = 500-4000000
>> idmap config sad:schema_mode = rfc2307
>> idmap config sad:backend = ad
>> idmap config * : range = 5000000-9000000
>> idmap config * : backend = tdb
>> map acl inherit = Yes
>> printing = bsd
>> vfs objects = acl_xattr
>> create mask = 0665
>> directory mask = 02775
>> path = /tftpboot/intra
>> read only = No
> Is there some reason you started your uidNumber & gidNumber attributes at 500?
Yes, our users' uidNumber range starts from a little over 500. This is
baggage from the 1990's. I don't think Redhat's "start at 1000" was even
thought of back then.
> The 'new and improved way' is to make use of this:
> vfs objects = acl_xattr
This doesn't say much to me (reading the man-page of smb.conf). Does it mean
to store ACLs in the extended attributes of the underlying filesystem?
> You set the permissions from Windows, try reading this:
If I don't have a Windows computer, can I use setfacl or chmod?
Can I just stop using ACLs and go back to the old way of reading the
permissions from the unix permissions? Users don't know how to, don't have
the interest to, or don't want to do this themselves. Nor do I want to
manage the ACLs at all, most certainly not through a GUI (on Windows).
I have to test 'inherit permissions (S)' as well.
What I want is for new files in the directory to have the same (unix) group
ownership as the directory has. And that they have write permission for that
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
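The behaviour the post relies on, a setgid directory (drwxrwsr-x) handing its group to new files and its setgid bit to new subdirectories, is kernel behaviour that can be checked on the member server without Samba at all. The script below is an added example, not part of the thread and not Samba code: it builds a throwaway directory with mode 2775 under a mktemp path, picks one of the current user's groups for it (a supplementary group when there is one, otherwise the primary group; both are assumptions made for the test), creates a file and a subdirectory inside, and reports whether the group and the setgid bit were inherited. If this passes, the missing group ownership seen through the share is coming from Samba's handling of the directory (acl_xattr stores an NT ACL in an extended attribute and derives the POSIX mode from it together with create mask and directory mask), not from the filesystem.

```shell
#!/bin/sh
# Added example: verify setgid-directory inheritance at the Unix level.
# Assumptions: GNU or BSD stat is available, mktemp -d works, and the
# running user may chgrp to one of the groups listed by `id -G`.

gid_of() {
    # numeric gid of a path: GNU stat first, BSD stat as fallback
    stat -c %g "$1" 2>/dev/null || stat -f %g "$1"
}

mode_of() {
    # octal permission bits of a path (no setgid digit), same fallback order
    stat -c %a "$1" 2>/dev/null || stat -f %OLp "$1"
}

# pick_group: a supplementary group that differs from the primary gid, so the
# inheritance check is meaningful; falls back to the primary gid.
pick_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# check_setgid_dir: returns 0 only if, inside a fresh 2775 directory,
#   - a new file gets the directory's group,
#   - a new subdirectory gets the directory's group and the setgid bit,
#   - the new file is group-writable (umask 002, the Unix counterpart of
#     directory mask 02775 / create mask 0665 in the posted smb.conf).
# The body runs in a subshell so the umask change and cwd stay local.
check_setgid_dir() (
    base=$(mktemp -d) || exit 1
    dir="$base/groupdir"
    grp=$(pick_group)

    mkdir -m 2775 "$dir" && chgrp "$grp" "$dir" || { rm -rf "$base"; exit 1; }

    umask 002
    : > "$dir/newfile"
    mkdir "$dir/subdir"

    rc=0
    [ "$(gid_of "$dir/newfile")" = "$(gid_of "$dir")" ] || rc=1  # group inherited by file
    [ "$(gid_of "$dir/subdir")"  = "$(gid_of "$dir")" ] || rc=1  # group inherited by subdir
    [ -g "$dir/subdir" ]                                || rc=1  # setgid bit inherited by subdir
    [ "$(mode_of "$dir/newfile")" = "664" ]             || rc=1  # rw for group, r for other

    rm -rf "$base"
    exit $rc
)

# Usage: run on the member server as an ordinary domain user, then compare
# with what a file written through the share ends up with.
if [ "${1:-}" = "--run" ]; then
    if check_setgid_dir; then
        echo "setgid inheritance works on this filesystem"
    else
        echo "setgid inheritance FAILED; check the mount and filesystem first" >&2
        exit 1
    fi
fi
```

A file written through the share that still lacks the group is then a Samba-side question: with `vfs objects = acl_xattr` the mode on disk follows the NT ACL that was inherited from the share directory, so the Unix setgid bit alone no longer decides the outcome. Running this check as the same domain user that writes through the share keeps the comparison honest, since idmap ranges (500-4000000 here) decide which gid the kernel sees.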