Thomas Schulz
2015-Apr-21 18:34 UTC
[Samba] Samba 4.2.0: Group write permission not honored
>>>> Hello Thomas
>>>>
>>>> On 06.04.2015 at 17:22, Thomas Schulz wrote:
>>>>> For anyone considering using Samba 4.2.0, be aware that there is a
>>>>> problem with group write permission not being honored.
>>>>>
>>>>> This is seen on both Linux and Solaris. We have a setup where we have
>>>>> project directory trees where the files are owned by various users but
>>>>> also by a group that the various users are a member of. The group
>>>>> permissions are set to allow group write access. With Samba 4.1.* and
>>>>> earlier everyone in the group can create files in these directories.
>>>>> With Samba 4.2.0, we get an 'Access is denied' error.
>>>>
>>>> Is there already a bug report about that? If not, please open one, to
>>>> get this fixed. Thanks.
>>>>
>>>> https://www.samba.org/~asn/reporting_samba_bugs.txt
>>>>
>>>>
>>>> Regards,
>>>> Marc
>>>
>>> I opened Bug 11192. I realized just a moment ago that I had forgotten
>>> to include that information.
>>
>> Do you have additional information like.
>>
>> - smb.conf
>> - where do the unix users/groups come from (ldap, AD (winbind/ssd) ,
>> local/nis Database)
>>
>> I have a bug
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=11082
>>
>> open and I am wondering, if it could be related
>
> The unix users/groups come from nis. I am not running winbindd except
> occasionally as a test to see if it makes a difference. I set the group
> permissions using the unix command 'chmod g+w'. On many of the directories
> there is an acl set to force the default group permission to include
> write.
>
> The smb.conf is as follows:
>
> # Global parameters
> [global]
>         workgroup = ADI
>         realm = adi.com
>         security = ADS
>         client NTLMv2 auth = No
>         name resolve order = bcast host
>         client signing = if_required
>         client ldap sasl wrapping = plain
>         winbind sealed pipes = No
>         require strong key = No
>         idmap config * : backend = tdb
>         dos filemode = Yes
>         msdfs root = Yes
>
> [zacltest2]
>         comment = Acl test
>         path = /home/users/schulz/tmp
>         read only = No
>         inherit permissions = Yes
>
>
> For a directory with an ACL, the ACL looks like this:
>
> # file: acltest2
> # owner: atest
> # group: atest
> user::rwx
> group::rwx              #effective:rwx
> mask:rwx
> other:r-x
> default:user::rwx
> default:group::rwx
> default:mask:rwx
> default:other:r-x

My report is somewhat incorrect. The problem with not honoring group write
permissions only occurs if winbindd is running. I never ran winbindd with
Samba 4.1.*. I started running it because of the problems reported in
Bug 11098. As reported there, it is possible to run Samba 4.2.* without
running winbindd if I use security=ads. If I do not run winbindd then the
group write permissions are honored.

I just tried Samba 4.1.17 and it has the same problem with using group
write permissions if winbindd is running. So this is not a regression, at
least not one against 4.1.*.

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
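
Added example (not part of the original message and not Samba code): a small evaluator for the POSIX access-ACL check order from acl(5), run over the getfacl output quoted in the message, so the access the ACL itself grants can be computed for a given user and group list. The function names and the user/group lists passed to it are assumptions made for illustration.

```python
# Added example: POSIX access-ACL check (acl(5) order) over getfacl text.
BITS = {"r": 4, "w": 2, "x": 1}

# ACL text as quoted in the message above.
ACL_TEXT = """\
# file: acltest2
# owner: atest
# group: atest
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:r-x
"""

def parse_getfacl(text):
    """Return (owner, group, [(tag, qualifier, bits)]) for the access ACL."""
    owner = group = None
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        if not line or line[0] == "#" or line.startswith("default:"):
            continue  # headers, blanks and default (inheritance) entries
        parts = line.split("#", 1)[0].strip().split(":")
        # "mask:rwx" (two fields, as quoted) and "mask::rwx" both occur
        qualifier = parts[1] if len(parts) == 3 else ""
        entries.append((parts[0], qualifier, sum(BITS[c] for c in parts[-1] if c in BITS)))
    return owner, group, entries

def allowed(text, user, groups, want):
    """True if `user` with group names `groups` gets every permission in `want`."""
    owner, group, entries = parse_getfacl(text)
    need = sum(BITS[c] for c in want)
    find = lambda tag, qual="": next((b for t, q, b in entries if (t, q) == (tag, qual)), None)
    mask = find("mask")
    mask = 7 if mask is None else mask
    if user == owner:                       # owner entry, mask not applied
        return (find("user") & need) == need
    if find("user", user) is not None:      # named user entry, masked
        return (find("user", user) & mask & need) == need
    hits = [b & mask for t, q, b in entries if t == "group" and (q or group) in groups]
    if hits:                                # any matching group entry may grant
        return any((b & need) == need for b in hits)
    return (find("other") & need) == need
```

With this ACL, allowed(ACL_TEXT, "schulz", {"schulz", "atest"}, "w") is True and the same call with {"schulz"} alone is False, so the outcome depends on whether the group list used for the check contains atest.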