Thomas Galliker
2020-Dec-12 16:51 UTC
[Samba] Permission issue with home directory and groups with deny access
Hello,

I have a somewhat strange permission issue on my samba fileserver (4.9.5) joined to a samba ad server (4.12.7).

I normally create shares and add the following basic groups for every share. Later I assign the user/roles to these groups as needed.

- share_sharename_d: This is the deny group, and denies access to everything on this share
- share_sharename_r: The read group
- share_sharename_rw: The read write group
- share_sharename_rwx: The full access group

Today I created a new share (\\srv-vir-009\schueler) for some user home directories. I created it as it is described on the samba wiki (https://wiki.samba.org/index.php/Windows_User_Home_Folders#In_an_Active_Directory) using Windows ACL. The only difference is that I additionally added my usual groups (share_schueler_d, share_schueler_r, share_schuler_rw, share_schueler_rwx). Then I used "Active Directory Users and Computers" to create the home directories.

The home directories were created and showed up on the share. But the user (on Windows 10) could not access the share and got a Permission denied message.

After experimenting a bit I found that the problem seems to be the "share_schueler_d" (Deny everything on the share) group. The group is empty and has no members/membership assigned.

- When this group (share_schueler_d) is present on the share and I create the user home directory through "Active Directory Users and Computers", users will not be able to access their home directory.
- If I remove the group (share_schueler_d) and use "Active Directory Users and Computers" to create the home share, everything works fine.

This is the output of getfacl. The first directory (t.galliker7) was created without the deny group (share_schueler_d) added on the share and the second (t.galliker8) with the deny group. The access rights for t.galliker seem to be missing.

root@srv-vir-009:/srv/files/user/schueler# getfacl t.galliker7
# file: t.galliker7
# owner: administrator
# group: domain\040users
user::rwx
user:10512:rwx
user:t.galliker:rwx
user:11223:r-x
user:11224:rwx
user:11225:rwx
group::---
group:BUILTIN\\administrators:rwx
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:---
group:t.galliker:rwx
group:share_schueler_r:r-x
group:share_schueler_rw:rwx
group:share_schueler_rwx:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:10512:rwx
default:user:t.galliker:rwx
default:user:11223:r-x
default:user:11224:rwx
default:user:11225:rwx
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:group:t.galliker:rwx
default:group:share_schueler_r:r-x
default:group:share_schueler_rw:rwx
default:group:share_schueler_rwx:rwx
default:mask::rwx
default:other::---

root@srv-vir-009:/srv/files/user/schueler# getfacl t.galliker8
# file: t.galliker8
# owner: administrator
# group: domain\040users
user::rwx
user:10512:rwx
user:11222:---
user:11223:r-x
user:11224:rwx
user:11225:rwx
group::---
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:---
group:share_schueler_d:---
group:share_schueler_r:r-x
group:share_schueler_rw:rwx
group:share_schueler_rwx:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:10512:rwx
default:user:11222:---
default:user:11223:r-x
default:user:11224:rwx
default:user:11225:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:group:share_schueler_d:---
default:group:share_schueler_r:r-x
default:group:share_schueler_rw:rwx
default:group:share_schueler_rwx:rwx
default:mask::rwx
default:other::---

It's not really a big issue. But it seems to me like a bug.

Regards and thanks for your great work,
Thomas
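Added example, not part of the original message: a short Python script that parses the access ACL entries of the two getfacl listings above and reports which entries exist in only one of them. The names ACL_7, ACL_8, parse_acl and diff_acl are assumptions made for this illustration; the default: entries are left out to keep it short.

```python
# Access ACL entries copied from the two getfacl listings in the message above.
# getfacl escapes spaces in names as \040, so entries split cleanly on whitespace.
ACL_7 = r"""
user::rwx user:10512:rwx user:t.galliker:rwx user:11223:r-x user:11224:rwx
user:11225:rwx group::--- group:BUILTIN\\administrators:rwx group:administrator:rwx
group:domain\040admins:rwx group:domain\040users:--- group:t.galliker:rwx
group:share_schueler_r:r-x group:share_schueler_rw:rwx group:share_schueler_rwx:rwx
mask::rwx other::---
"""
ACL_8 = r"""
user::rwx user:10512:rwx user:11222:--- user:11223:r-x user:11224:rwx
user:11225:rwx group::--- group:administrator:rwx group:domain\040admins:rwx
group:domain\040users:--- group:share_schueler_d:--- group:share_schueler_r:r-x
group:share_schueler_rw:rwx group:share_schueler_rwx:rwx mask::rwx other::---
"""

def parse_acl(text):
    """Map (tag, qualifier) -> perms for each whitespace-separated ACL entry."""
    acl = {}
    for entry in text.split():
        tag, rest = entry.split(":", 1)           # user / group / mask / other
        qualifier, perms = rest.rsplit(":", 1)    # qualifier is "" for owner entries
        acl[(tag, qualifier)] = perms
    return acl

def diff_acl(old, new):
    """Return (removed, added, changed) entry keys between two parsed ACLs."""
    removed = sorted(k for k in old if k not in new)
    added = sorted(k for k in new if k not in old)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return removed, added, changed

if __name__ == "__main__":
    removed, added, changed = diff_acl(parse_acl(ACL_7), parse_acl(ACL_8))
    groups = (("only in t.galliker7", removed),
              ("only in t.galliker8", added),
              ("permissions differ", changed))
    for label, keys in groups:
        for tag, qualifier in keys:
            print(f"{label}: {tag}:{qualifier}")
```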
Rowland Penny
2020-Dec-12 17:06 UTC
[Samba] Permission issue with home directory and groups with deny access
On 12/12/2020 16:51, Thomas Galliker via samba wrote:
> Hello,
>
> I have a somewhat strange permission issue on my samba fileserver(4.9.5) joined to a samba ad server(4.12.7).
>
>
> root@srv-vir-009:/srv/files/user/schueler# getfacl t.galliker7
> # file: t.galliker7
> # owner: administrator
> # group: domain\040users
> user::rwx
> user:10512:rwx
> user:t.galliker:rwx
> user:11223:r-x
> user:11224:rwx
> user:11225:rwx

Why are your users being shown as numbers and not names?

Please post the smb.conf files from the DC and Unix domain member.

Rowland