Recently some folks in our engineering group started encountering a problem where they can't write to or alter files or folders they did not create. Anyone know what could be causing this type of problem? The users having the problem are all in the eng group is /etc/groups. smb.conf for that share: smb.conf: #smb.conf is the main Samba configuration file. You find a full commented # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the # samba-doc package is installed. # Date: 2005-04-04 [global] workgroup = WORKGROUP netbios name = int-samba server string = int-samba Fileserver username map = /etc/samba/smbusers map to guest = Bad User logon path = \\%L\profiles\.msprofile logon home = \\%L\%U\.9xprofile logon drive = P: add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$ domain logons = No domain master = Yes security = user idmap gid = 10000-20000 idmap uid = 10000-20000 wins support = yes remote browse sync = 10.17.100.11 passdb backend = smbpasswd preferred master = yes local master = yes os level = 255 socket options = IPTOS_LOWDELAY TCP_NODELAY log level = 1 interfaces = 192.168.1.2/24 kernel oplocks = yes ## Share disabled by YaST [homes] comment = Home Directories valid users = %S browseable = No read only = No inherit acls = Yes vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes # File creation mask is set to 0700 for security reasons. If you want to # create files with group = rw permissions, set next parameter to 0775. # create mask = 0775 # # Directory creation mask is set to 0700 for security reasons. If you want to # create dirs. with group=rw permissions, set next parameter to 0775. # directory mask = 0700 # directory mode = 0700 ## Share disabled by YaST # [profiles] # comment = Network Profiles Service # path = %H # read only = No # store dos attributes = Yes # create mask = 0600 # directory mask = 0700 ## Share disabled by YaST # [users] # comment = All users # path = /home # read only = No # inherit acls = Yes # veto files = /aquota.user/groups/shares/ # comment = Users share (from Miles) # inherit acls = Yes # path = /data/IT/engineering/Users # read only = No # valid users = @it @eng # force group = eng # create mask = 0664 # directory mask = 0775 # ## recycle bin config ## # vfs objects = recycle # recycle:repository = .Recycler # recycle:keeptree = Yes # recycle:versions = Yes ## Share disabled by YaST # [groups] # comment = All groups # path = /home/groups # read only = No # inherit acls = Yes ## Share disabled by YaST # [printers] # comment = All Printers # path = /var/tmp # printable = Yes # create mask = 0600 # browseable = No ## Share disabled by YaST # [print$] # comment = Printer Drivers # path = /var/lib/samba/drivers # write list = @ntadmin root # force group = ntadmin # create mask = 0664 # directory mask = 0775 [nobackup] comment = nobackup inherit acls = Yes path = /data/nobackup read only = No valid users = mainshare @it @webdev create mask = 0664 directory mask = 0775 [it] comment = IT inherit acls = Yes path = /data/IT/IT-share read only = No valid users = @it force group = it create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [htdocs] comment = Intranet Web Area inherit acls = Yes path = /data/IT/htdocs read only = No valid users = @it @webdev force user = wwwrun force group = mycompany create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [svn] comment = Subversion repositories inherit acls = Yes path = /data/IT/svn/ read only = Yes valid users = @it force group = mycompany create mask = 0664 directory mask = 0775 [mysql] comment = Mysql databases inherit acls = Yes path = /data/IT/mysql read only = Yes valid users = @it force user = mysql force group = mysql create mask = 0660 directory mask = 0775 [backups] comment = MySQL Database backups inherit acls = Yes path = /data/IT/backups read only = No valid users = @it force group = it create mask = 0664 directory mask = 0775 [eng-parent] comment = Parent of all engineering shares inherit acls = Yes path = /data/IT/engineering/ read only = No valid users = @it force group = eng create mask = 0664 directory mask = 0775 [engweb] comment = Engineering share inherit acls = Yes path = /data/IT/engineering/engweb read only = No valid users = @it @eng force group = eng create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [devtools] comment = Engineering Development Tools (from Miles) inherit acls = Yes path = /data/IT/engineering/DevTools read only = No valid users = @it @eng force group = eng create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [engdownloads] comment = Engineering Downloads inherit acls = Yes path = /data/IT/engineering/Downloads read only = No valid users = @it @eng force group = eng create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [engineering] comment = Engineering share (from Miles) inherit acls = Yes path = /data/IT/engineering/Engineering read only = No valid users = @it @eng force group = eng create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [pcom] comment = PCOM share (from Miles) inherit acls = Yes path = /data/IT/engineering/PCOM read only = No valid users = @it @eng force group = eng create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [users] ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [mainshare] comment = mainshare inherit acls = Yes path = /data/mainshare read only = No valid users = mainshare @it @eng @mycompany @webdev force user = mainshare force group = mycompany create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [Legacy_Data] comment = Legacy Access DB inherit acls = Yes path = /data/mainshare/Manufacturing/Legacy inherit acls = Yes read only = No valid users = mainshare @it @eng @mycompany @webdev force group = mycompany create mask = 0664 directory mask = 0775 [Media] comment = mainshare inherit acls = Yes path = /data/media read only = No valid users = mainshare @it @eng @mycompany @webdev force user = mainshare force group = mycompany create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [Retrospect] comment = mainshare inherit acls = Yes path = /media/disk/retrospect read only = No valid users = @it @eng @mycompany @webdev force group = mycompany create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes [Doc_IN] comment = MFG, Eng Doc deposit inherit acls = Yes path = /data/docdeposit read only = No valid users = mainshare @it @eng @mycompany @webdev force user = docdepositor force group = mycompany create mask = 0664 directory mask = 0775 ## recycle bin config ## vfs objects = recycle recycle:repository = .Recycler recycle:keeptree = Yes recycle:versions = Yes
On Wed, Jun 17, 2009 at 04:15:26PM -0700, JJB wrote:> Recently some folks in our engineering group started encountering a > problem where they can't write to or alter files or folders they did not > create. > > Anyone know what could be causing this type of problem? The users having > the problem are all in the eng group is /etc/groups. smb.conf for that > share:What version of Samba ? Best thing is to log a bug containing a level 20 log file of the permission denied problem. Jeremy.
Dale Schroeder wrote:> I don't know if you've solved this or not, but have you checked the > acl's with getfacl. (I noticed all the "inherit acl" statements.) > I once had this problem, and it was caused by the creation of default > acl's that overrode all other permissions. Since I did not create > them on the Samba server, it had to have happened by someone adjusting > permissions through the Windows clients. After removing > the default acl, all returned to normal. > > This may not be your problem, but it's worth checking. > > DaleHi Dale, Most likely you are correct. I've never used the acl commands before, we didn't know they existed, we've been attacking the problem from a linux permissions standpoint. getfacl returns for the parent folder # file: data/engineering/beta/Builds # owner: hankj # group: eng user::rwx group::rwx other::r-x and for the folder in question: # file: Mac # owner: jimd # group: eng user::rwx group::rwx other::r-x How do I delete these acls with the setfacl command? trying to figure out syntax, but not getting anywhere. - Joel
Reasonably Related Threads
- Problem with Centos 5.3 + Samba 3.0.33 +AD (2k3)
- Fwd: Upgraded samba, mostly still works, but have one issue
- Upgraded samba, mostly still works, but have one issue
- Cannot change directory permissions
- Domain Logout, then domain login again, profile corrupt -> replaced by TEMP profile