[Samba] ACLs, groups and suid-bit?
Harald Hannelius
harald+samba at arcada.fi
Tue Sep 8 13:52:53 UTC 2020
On Tue, 8 Sep 2020, Harald Hannelius via samba wrote:
> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>> On 08/09/2020 13:55, Harald Hannelius wrote:
>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I have users in Samba AD with uid- and gidnumbers. I also have group
>>>>> objects with gidNumbers.
>>>>>
>>>>> I have a Samba member server (all servers Samba 4.9.5-Debian) that has
>>>>> one share and a lot of directories.
>>>>>
>>>>> The directory permissions are set as a specific group as owner, and the
>>>>> group write and suid bit are set.
>>>>>
>>>>> drwxrwsr-x 2 root thegroup 4096 Sep 8 15:25 groupdir
>>>>>
>>>>> This worked fine in Samba 3. However, now when people are storing files
>>>>> in the dir the file doesn't get group ownership 'thegroup' nor does it
>>>>> get write permission bit set.
>>>>>
>>>>> Is there a new and improved way to accomplish this now?
>>>>>
>>>>>
>>>> Can we see the smb.conf from your Unix domain member before we comment.
>>>
>>> [global]
>>> dedicated keytab file = /etc/krb5.keytab
>>> disable spoolss = Yes
>>> kerberos method = secrets and keytab
>>> load printers = No
>>> printcap name = /dev/null
>>> realm = SAD.DOMAIN.COM
>>> security = ADS
>>> username map = /etc/samba/user.map
>>> utmp = Yes
>>> winbind cache time = 20
>>> winbind enum groups = Yes
>>> winbind enum users = Yes
>>> winbind refresh tickets = Yes
>>> winbind use default domain = Yes
>>> workgroup = SAD
>>> idmap config sad:unix_primary_group = yes
>>> idmap config sad:unix_nss_info = yes
>>> idmap config sad:range = 500-4000000
>>> idmap config sad:schema_mode = rfc2307
>>> idmap config sad:backend = ad
>>> idmap config * : range = 5000000-9000000
>>> idmap config * : backend = tdb
>>> map acl inherit = Yes
>>> printing = bsd
>>> vfs objects = acl_xattr
>>>
>>>
>>> [intra]
>>> create mask = 0665
>>> directory mask = 02775
>>> path = /tftpboot/intra
>>> read only = No
>>>
>>>
>> Is there some reason you started your uidNumber & gidNumber attributes at
>> 500 ?
>
> Yes, our users' uidNumber range starts from a little over 500. This is
> baggage from the 1990's. I don't think Redhat's "start at 1000" was even
> thought of back then.
>
>> The 'new and improved way' is to make use of this:
>>
>> vfs objects = acl_xattr
>
> This doesn't say much to me (reading the man-page of smb.conf). Does it mean
> to store ACLs in the extra attributes in the underlying filesystem?
>
>> You set the permissions from Windows, try reading this:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If I don't have a Windows computer, can I use setfacl or chmod?
>
> Can I just stop using ACLs and go back to the old way of reading the
> permissions from the Unix permissions? Users don't know how to, don't have
> the interest to, or don't want to do this themselves. Nor do I want to manage
> the ACLs at all, most certainly not through a GUI (on Windows).
>
> I have to test 'inherit permissions (S)' as well.
>
> What I want is for new files in the directory to have the same (unix) group
> ownership as the directory has. And that they have write permission for that
> unix-group.
This does what I want:
[intra]
create mask = 0665
directory mask = 02775
inherit permissions = Yes
nt acl support = No
path = /tftpboot/intra
read only = No
--
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020