Recently some folks in our engineering group started encountering a problem where they can't write to or alter files or folders they did not create.

Anyone know what could be causing this type of problem? The users having the problem are all in the eng group in /etc/groups. smb.conf for that share:

smb.conf:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2005-04-04
[global]
    workgroup = WORKGROUP
    netbios name = int-samba
    server string = int-samba Fileserver
    username map = /etc/samba/smbusers
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    domain logons = No
    domain master = Yes
    security = user
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    wins support = yes
    remote browse sync = 10.17.100.11
    passdb backend = smbpasswd
    preferred master = yes
    local master = yes
    os level = 255
    socket options = IPTOS_LOWDELAY TCP_NODELAY
    log level = 1
    interfaces = 192.168.1.2/24
    kernel oplocks = yes

## Share disabled by YaST
[homes]
    comment = Home Directories
    valid users = %S
    browseable = No
    read only = No
    inherit acls = Yes
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group = rw permissions, set next parameter to 0775.
# create mask = 0775
#
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
# directory mask = 0700
# directory mode = 0700

## Share disabled by YaST
# [profiles]
# comment = Network Profiles Service
# path = %H
# read only = No
# store dos attributes = Yes
# create mask = 0600
# directory mask = 0700

## Share disabled by YaST
# [users]
# comment = All users
# path = /home
# read only = No
# inherit acls = Yes
# veto files = /aquota.user/groups/shares/
# comment = Users share (from Miles)
# inherit acls = Yes
# path = /data/IT/engineering/Users
# read only = No
# valid users = @it @eng
# force group = eng
# create mask = 0664
# directory mask = 0775
# ## recycle bin config ##
# vfs objects = recycle
# recycle:repository = .Recycler
# recycle:keeptree = Yes
# recycle:versions = Yes

## Share disabled by YaST
# [groups]
# comment = All groups
# path = /home/groups
# read only = No
# inherit acls = Yes

## Share disabled by YaST
# [printers]
# comment = All Printers
# path = /var/tmp
# printable = Yes
# create mask = 0600
# browseable = No

## Share disabled by YaST
# [print$]
# comment = Printer Drivers
# path = /var/lib/samba/drivers
# write list = @ntadmin root
# force group = ntadmin
# create mask = 0664
# directory mask = 0775

[nobackup]
    comment = nobackup
    inherit acls = Yes
    path = /data/nobackup
    read only = No
    valid users = mainshare @it @webdev
    create mask = 0664
    directory mask = 0775

[it]
    comment = IT
    inherit acls = Yes
    path = /data/IT/IT-share
    read only = No
    valid users = @it
    force group = it
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[htdocs]
    comment = Intranet Web Area
    inherit acls = Yes
    path = /data/IT/htdocs
    read only = No
    valid users = @it @webdev
    force user = wwwrun
    force group = mycompany
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[svn]
    comment = Subversion repositories
    inherit acls = Yes
    path = /data/IT/svn/
    read only = Yes
    valid users = @it
    force group = mycompany
    create mask = 0664
    directory mask = 0775

[mysql]
    comment = Mysql databases
    inherit acls = Yes
    path = /data/IT/mysql
    read only = Yes
    valid users = @it
    force user = mysql
    force group = mysql
    create mask = 0660
    directory mask = 0775

[backups]
    comment = MySQL Database backups
    inherit acls = Yes
    path = /data/IT/backups
    read only = No
    valid users = @it
    force group = it
    create mask = 0664
    directory mask = 0775

[eng-parent]
    comment = Parent of all engineering shares
    inherit acls = Yes
    path = /data/IT/engineering/
    read only = No
    valid users = @it
    force group = eng
    create mask = 0664
    directory mask = 0775

[engweb]
    comment = Engineering share
    inherit acls = Yes
    path = /data/IT/engineering/engweb
    read only = No
    valid users = @it @eng
    force group = eng
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[devtools]
    comment = Engineering Development Tools (from Miles)
    inherit acls = Yes
    path = /data/IT/engineering/DevTools
    read only = No
    valid users = @it @eng
    force group = eng
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[engdownloads]
    comment = Engineering Downloads
    inherit acls = Yes
    path = /data/IT/engineering/Downloads
    read only = No
    valid users = @it @eng
    force group = eng
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[engineering]
    comment = Engineering share (from Miles)
    inherit acls = Yes
    path = /data/IT/engineering/Engineering
    read only = No
    valid users = @it @eng
    force group = eng
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[pcom]
    comment = PCOM share (from Miles)
    inherit acls = Yes
    path = /data/IT/engineering/PCOM
    read only = No
    valid users = @it @eng
    force group = eng
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[users]
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[mainshare]
    comment = mainshare
    inherit acls = Yes
    path = /data/mainshare
    read only = No
    valid users = mainshare @it @eng @mycompany @webdev
    force user = mainshare
    force group = mycompany
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[Legacy_Data]
    comment = Legacy Access DB
    inherit acls = Yes
    path = /data/mainshare/Manufacturing/Legacy
    inherit acls = Yes
    read only = No
    valid users = mainshare @it @eng @mycompany @webdev
    force group = mycompany
    create mask = 0664
    directory mask = 0775

[Media]
    comment = mainshare
    inherit acls = Yes
    path = /data/media
    read only = No
    valid users = mainshare @it @eng @mycompany @webdev
    force user = mainshare
    force group = mycompany
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[Retrospect]
    comment = mainshare
    inherit acls = Yes
    path = /media/disk/retrospect
    read only = No
    valid users = @it @eng @mycompany @webdev
    force group = mycompany
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes

[Doc_IN]
    comment = MFG, Eng Doc deposit
    inherit acls = Yes
    path = /data/docdeposit
    read only = No
    valid users = mainshare @it @eng @mycompany @webdev
    force user = docdepositor
    force group = mycompany
    create mask = 0664
    directory mask = 0775
    ## recycle bin config ##
    vfs objects = recycle
    recycle:repository = .Recycler
    recycle:keeptree = Yes
    recycle:versions = Yes
On Wed, Jun 17, 2009 at 04:15:26PM -0700, JJB wrote:
> Recently some folks in our engineering group started encountering a
> problem where they can't write to or alter files or folders they did not
> create.
>
> Anyone know what could be causing this type of problem? The users having
> the problem are all in the eng group in /etc/groups. smb.conf for that
> share:

What version of Samba? Best thing is to log a bug containing a level 20 log file of the permission denied problem.

Jeremy.
Dale Schroeder wrote:
> I don't know if you've solved this or not, but have you checked the
> ACLs with getfacl? (I noticed all the "inherit acl" statements.)
> I once had this problem, and it was caused by the creation of default
> ACLs that overrode all other permissions. Since I did not create
> them on the Samba server, it had to have happened by someone adjusting
> permissions through the Windows clients. After removing
> the default ACL, all returned to normal.
>
> This may not be your problem, but it's worth checking.
>
> Dale

Hi Dale,

Most likely you are correct. I've never used the ACL commands before; we didn't know they existed. We've been attacking the problem from a Linux permissions standpoint.

getfacl returns for the parent folder

# file: data/engineering/beta/Builds
# owner: hankj
# group: eng
user::rwx
group::rwx
other::r-x

and for the folder in question:

# file: Mac
# owner: jimd
# group: eng
user::rwx
group::rwx
other::r-x

How do I delete these ACLs with the setfacl command? Trying to figure out syntax, but not getting anywhere.

- Joel
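Added example, not part of the original thread: a POSIX shell helper that classifies getfacl output as base entries only, extended, or default ACL, run on the "Mac" listing quoted in the message above and on a constructed directory that carries a default ACL. The function names and the second sample (directory "shared", owner "alice") are assumptions made for illustration; setfacl -k removes a default ACL and setfacl -b removes every extended entry.

```shell
#!/bin/sh
# Added example. classify_acl reads `getfacl` output on stdin and reports
# which kinds of entries it holds. The base entries (user::, group::,
# other::) are just the mode bits; anything else is an extended or default ACL.
classify_acl() {
    awk '
        /^#/ || /^[ \t]*$/      { next }           # header comments, blank lines
        /^default:/             { dflt++; next }   # default ACL, inherited by new entries
        /^mask::/               { ext++; next }    # a mask entry means an extended ACL
        /^(user|group|other)::/ { next }           # base entries (mode bits)
        /^(user|group):[^:]+:/  { ext++; next }    # named user or named group
        END {
            if (dflt && ext) print "extended+default"
            else if (dflt)   print "default"
            else if (ext)    print "extended"
            else             print "base-only"
        }'
}

# Listing for the folder in question, as quoted in the message above.
sample_from_thread() {
    cat <<'EOF'
# file: Mac
# owner: jimd
# group: eng
user::rwx
group::rwx
other::r-x
EOF
}

# Constructed sample: new files under this directory inherit group r-x,
# so group members could not modify each other's files.
sample_with_default() {
    cat <<'EOF'
# file: shared
# owner: alice
# group: eng
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x
EOF
}

# remove_default_acl DIR (hypothetical helper): show state, drop only the
# default ACL, show state again. Add -R to setfacl to recurse into DIR.
remove_default_acl() {
    getfacl --absolute-names "$1" | classify_acl
    setfacl -k "$1"
    getfacl --absolute-names "$1" | classify_acl
}

sample_from_thread | classify_acl
```

A listing that classifies as base-only has nothing for setfacl -k or setfacl -b to remove; its three entries are the ordinary owner, group and other permission bits.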