Hello list members,
my name is Stefan, this is my first post to this mailing list, so please bear with me. ;)
I am working as a Network Administrator of a small Office Network. We use Debian Server as Samba PDC and Fileserver.
The Domain runs pretty well with all the Windows 7 Clients. I have just one thing that bugs me.
In the groupshare we set up, users can only access folders that are world readable, for some reason. As a temporary fix I put all users into the Domain Admin group, so they can at least use the groupshare.

But first of all you probably want to know the details. The Samba Version is 3.5.6

This is my smb.conf:
-----------------------------------------------------------------
[global]
    netbios name = SCM-SRV-01
    server string = Domain Server (%h)
    workgroup = SCM
    interfaces = eth1 eth2 eth3
    bind interfaces only = yes
    security = user
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    local master = yes
    preferred master = yes
    os level = 200
    domain master = yes
    domain logons = yes
    logon path = \\%L\%U\profile
    logon drive = h:
    logon script = login.bat
    profile acls = yes
    hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/AppData/profile.V2/
    hide dot files = yes
    wins support = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    socket options = TCP_NODELAY

#======================= Share Definitions ======================

[homes]
    comment = Home Directories
    browseable = no
    valid users = %S
    writeable = yes
    create mode = 0600
    directory mode = 0700

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = yes
    writeable = no
    share modes = no

[groups]
    writable = yes
    path = /home/groups
    force group = users
    comment = All group folders
    create mode = 660
    directory mode = 770
-----------------------------------------------------------------------

Output of net groupmap list:

Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) -> users
Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) -> guests
Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) -> domainadmin
-----------------------------------------------------------------------

Like I said, everything works well, except the permissions in the share [groups].

All linux (and therefore domain) users are in the primary group users.
All the employees are in the group 'mitarbeiter'.

So if I set /home/groups to
drwxr-x-- 11 root users 4096 2. Jan 13:08 groups/
the share is not accessible. Even though all users are in the group users and should therefore be able to read that folder.
If I put users into the domainadmin group, group permissions work as expected. All employees can access subfolders of groups which are readable to mitarbeiter (but not others they have no permissions for) and can also read the content of /home/groups. So the mapping of unix groups from Windows7 works without problems.

Folder permission in Samba can only be realized if I make folders world readable, which is not what I want for all folders.

After extensive internet research I could not figure out what I am doing wrong. I also had similar samba setups where unix group permissions always were correctly used in samba.

I suspect it being a problem with domain groups and their mapping. I also tried to create some samba Domain Groups and map them to the local unix groups, which didn't make a difference either.

So I hope anybody on this list knows what the problem is. I am happy to give more information as needed!

Thanks,
Stefan Horning

Check your extended ACL permissions and verify that they are enabled for your kernel.

On 01/03/2012 09:05 AM, Stefan Horning wrote:
> In the groupshare we set up, users can only access folders that are
> world readable, for some reason.

then try this,

[groups]
    writable = yes
    path = /home/groups
    force group = users
    comment = All group folders
    create mode = 660
    directory mode = 770
    vfs object = acl_xattr

>-----Original message-----
>From: stefan at hornings.de [mailto:samba-bounces at lists.samba.org]
>On behalf of Stefan Horning
>Sent: 2012-01-03 15:06
>To: samba at lists.samba.org
>Subject: [Samba] Samba Folder Permissions
>
>In the groupshare we set up, users can only access folders that are
>world readable, for some reason.
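
Added example, not part of the thread and not Samba's own tooling: both replies depend on the server's filesystem supporting POSIX ACLs and extended attributes (the acl_xattr module keeps NT ACLs in extended attributes), so this script checks a kernel config and a mount table for that support. The function names, the ext3 filesystem type and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: reads kernel-config and mount-table text; sample data is constructed.

# kernel_has <config-file> <CONFIG_NAME>: true if built in (=y) or a module (=m).
kernel_has() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# mount_opts <mounts-file> <path>: options of the deepest mount point holding <path>.
mount_opts() {
    awk -v p="$2" '
        { mp = $2; pre = (mp == "/") ? "/" : mp "/"
          if (index(p "/", pre) == 1 && length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "$1"
}

# acl_report <config-file> <mounts-file> <path> <fstype>
# Returns 0 = all present, 1 = kernel support missing, 2 = "acl" not in mount options.
acl_report() {
    fs=$(printf '%s' "$4" | tr '[:lower:]' '[:upper:]')
    gap=0
    for k in "CONFIG_${fs}_FS_XATTR" "CONFIG_${fs}_FS_POSIX_ACL"; do
        if kernel_has "$1" "$k"; then echo "kernel: $k enabled"
        else echo "kernel: $k not enabled"; gap=1; fi
    done
    opts=$(mount_opts "$2" "$3")
    case ",$opts," in
        *,acl,*) echo "mount: acl listed ($opts)" ;;
        *) echo "mount: acl not listed ($opts)"; if [ "$gap" -eq 0 ]; then gap=2; fi ;;
    esac
    return "$gap"
}

# Constructed sample input (assumed ext3 layout, not taken from the poster's server).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/config" <<'EOF'
CONFIG_EXT3_FS=m
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
# CONFIG_EXT2_FS_POSIX_ACL is not set
EOF
cat > "$tmp/mounts" <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /home ext3 rw,acl,user_xattr 0 0
EOF
acl_report "$tmp/config" "$tmp/mounts" /home/groups ext3 || echo "gaps found"
```

On a live host the same call would take /boot/config-$(uname -r) and /proc/mounts as its first two arguments. An acl option absent from the mount table can still be active through the filesystem's default mount options, which tune2fs -l lists.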