[Samba] ACLs, groups and suid-bit?

Harald Hannelius harald+samba at arcada.fi
Tue Sep 8 13:43:21 UTC 2020


On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> On 08/09/2020 13:55, Harald Hannelius wrote:
>> 
>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
>>>> 
>>>> Hello,
>>>> 
>>>> I have users in Samba AD with uid- and gidnumbers. I also have group 
>>>> objects with gidNumbers.
>>>> 
>>>> I have a Samba member server (all servers Samba 4.9.5-Debian) that has 
>>>> one share and a lot of directories.
>>>> 
>>>> The directory permissions are set as a specific group as owner, and the 
>>>> group write and suid bit are set.
>>>> 
>>>>  drwxrwsr-x 2 root thegroup  4096 Sep  8 15:25 groupdir
>>>> 
>>>> This worked fine in Samba 3. However, now when people are storing files 
>>>> in the dir the file doesn't get group ownership 'thegroup' nor does it 
>>>> get write permission bit set.
>>>> 
>>>> Is there a new and improved way to accomplish this now?
>>>> 
>>>> 
>>> Can we see the smb.conf from your Unix domain member before we comment.
>> 
>> [global]
>>     dedicated keytab file = /etc/krb5.keytab
>>     disable spoolss = Yes
>>     kerberos method = secrets and keytab
>>     load printers = No
>>     printcap name = /dev/null
>>     realm = SAD.DOMAIN.COM
>>     security = ADS
>>     username map = /etc/samba/user.map
>>     utmp = Yes
>>     winbind cache time = 20
>>     winbind enum groups = Yes
>>     winbind enum users = Yes
>>     winbind refresh tickets = Yes
>>     winbind use default domain = Yes
>>     workgroup = SAD
>>     idmap config sad:unix_primary_group = yes
>>     idmap config sad:unix_nss_info = yes
>>     idmap config sad:range = 500-4000000
>>     idmap config sad:schema_mode = rfc2307
>>     idmap config sad:backend = ad
>>     idmap config * : range = 5000000-9000000
>>     idmap config * : backend = tdb
>>     map acl inherit = Yes
>>     printing = bsd
>>     vfs objects = acl_xattr
>> 
>> 
>> [intra]
>>     create mask = 0665
>>     directory mask = 02775
>>     path = /tftpboot/intra
>>     read only = No
>> 
>> 
> Is there some reason you started your uidNumber & gidNumber attributes at 500?

Yes, our users' uidNumber range starts from a little over 500. This is 
baggage from the 1990s. I don't think Redhat's "start at 1000" was even 
thought of back then.

> The 'new and improved way' is to make use of this:
>
> vfs objects = acl_xattr

This doesn't say much to me (reading the man-page of smb.conf). Does it mean 
to store ACLs in the extra attributes in the underlying filesystem?

> You set the permissions from Windows, try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If I don't have a Windows computer, can I use setfacl or chmod?

Can I just stop using ACLs and go back to the old way of reading the 
permissions from the unix permissions? Users don't know how to, don't have 
the interest to, or don't want to do this themselves. Nor do I want to 
manage the ACLs at all, most certainly not through a GUI (on Windows).

I have to test 'inherit permissions (S)' as well.

What I want is for new files in the directory to have the same (unix) group 
ownership as the directory has. And that they have write permission for that 
unix-group.

-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
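An added example, not code from this thread or from Samba, that applies the mask arithmetic smb.conf(5) documents (`create mask` ANDed onto the rw-for-all mode Samba starts from for a plain file, then `force create mode` ORed in; the same with `directory mask` and `force directory mode` onto rwx-for-all for a directory) to the [intra] share quoted above. It models only those four parameters, not the acl_xattr module the reply points to and not the kernel's own group inheritance on setgid directories; the [intra-forced] share and its values are constructed for comparison.

```python
import re

# Constructed sample: the [intra] share's mask lines as quoted in the thread, plus a
# hypothetical [intra-forced] share added here only for comparison.
SAMPLE_SMB_CONF = """
[intra]
    create mask = 0665
    directory mask = 02775
    path = /tftpboot/intra
[intra-forced]
    create mask = 0664
    force create mode = 0660
    directory mask = 02775
    force directory mode = 02770
"""

BASE_FILE_MODE = 0o666  # rw for all: assumed starting mode for a plain DOS file
BASE_DIR_MODE = 0o777   # rwx for all: assumed starting mode for a DOS directory
DEFAULTS = {"createmask": 0o744, "forcecreatemode": 0,  # smb.conf(5) defaults
            "directorymask": 0o755, "forcedirectorymode": 0}

def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value', '#'/';' comments.
    Parameter names are lower-cased with whitespace removed, as Samba treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def _mask(conf, share, key):
    """Share value beats [global], which beats the built-in default; values are octal."""
    value = conf.get(share, {}).get(key, conf.get("global", {}).get(key))
    return int(value, 8) if value is not None else DEFAULTS[key]

def new_file_mode(conf, share):
    """AND the base mode with 'create mask', then OR in 'force create mode'."""
    return (BASE_FILE_MODE & _mask(conf, share, "createmask")) | _mask(conf, share, "forcecreatemode")

def new_dir_mode(conf, share):
    """Same arithmetic with the directory parameters. A mask only removes bits, so the
    setgid bit in 02775 reaches a new directory only if 'force directory mode' adds it."""
    return (BASE_DIR_MODE & _mask(conf, share, "directorymask")) | _mask(conf, share, "forcedirectorymode")
```

For the quoted [intra] share this yields 0o664 for new files (group write is already in the mask) and 0o775 for new directories, while the constructed [intra-forced] share yields 0o664 and 0o2775.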