jan-philipp.snizek at business.uzh.ch
2016-Sep-22 12:36 UTC
[Samba] Antwort: Re: permissions of new files and directories
> Von: Rowland Penny via samba <samba at lists.samba.org> > An: samba at lists.samba.org > Datum: 22.09.2016 13:18 > Betreff: Re: [Samba] permissions of new files and directories > Gesendet von: "samba" <samba-bounces at lists.samba.org> > > On Thu, 22 Sep 2016 11:53:36 +0200 > Philipp Snizek via samba <samba at lists.samba.org> wrote: > > > > > > > Hello > > > > I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both Windows > > DCs are Win 2012 R2 in 2008 R2 mode. > > > > This is the smb.conf: > > > > [global] > > workgroup = MYDOM > > server string = Fileserver > > netbios name = myhostname > > winbind separator = + > > security = ADS > > admin users = %D+administrator, %D+backupmaster > > realm = MYDOM.WHEREVER > > kerberos method = secrets and keytab > > winbind enum users = yes > > winbind enum groups = yes > > winbind nss info = template > > winbind use default domain = no > > winbind refresh tickets = true > > winbind nested groups = yes > > idmap config *:backend = rid > > idmap config *:range = 100000-100000000 > > idmap config *:base_rid = 0 > > template shell = /usr/bin/nologin > > template homedir = /home/%D/users/%U > > obey pam restrictions = yes > > allow trusted domains = no > > client use spnego = yes > > client signing = auto > > preferred master = no > > load printers = no > > unix charset = UTF8 > > log file = /var/log/samba/log.%m > > log level = 3 > > max log size = 50000 > > server max protocol = SMB3 > > map untrusted to domain = yes > > log writeable files on exit = yes > > > > This is one of the many team share configs. They are all like this. > > > > [Team_XXX] > > comment = Team XXX > > path = "/home/teams1/team_xxx" > > browseable = yes > > write list = "@%D+team xxx" > > admin users = @%D+domänen-admins > > valid users = @%D+domänen-admins, "@%D+team xxx" > > public = no > > force group = "%D+team xxx" > > directory mask = 0770 > > create mask = 0660 > > > > When I as member of %D+team xxx create a new directory in this share, > > the permissions of the new directory become 750 instead of 770. New > > created files do get 660. > > I have tried force directory mode = 0770 to no effect. I've also tried > > inherit permissions = yes. New created files then get 660 and > > directories get 750 instead of 770. > > > > Thanks for helping out. > > > > Best regards, > > Philipp > > > > Can I suggest you change your smb.conf to this: > > [global] > netbios name = myhostname > security = ADS > workgroup = MYDOM > realm = MYDOM.WHEREVER > server string = Fileserver > > log file = /var/log/samba/log.%m > log level = 3 > max log size = 50000 > > winbind separator = + > kerberos method = secrets and keytab > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = true > > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > > idmap config MYDOM:backend = rid > idmap config MYDOM:range = 100000-100000000 > > template shell = /usr/bin/nologin > template homedir = /home/%D/users/%U > obey pam restrictions = yes > allow trusted domains = no > preferred master = no > load printers = no > map untrusted to domain = yes > log writeable files on exit = yes > > [Team_XXX] > comment = Team XXX > path = /home/teams1/team_xxx > browseable = yes > read only = no > > > Then read and follow this: > > https://wiki.samba.org/index.php/Shares_with_Windows_ACLsI've tried to run with POSIX ACLs to set permissions/ownerships on the share directory only, "/home/teams1/team_xxx" in this example. This directory would get 0770 and with inherit permissions or directory mask and create mask = my hopes were to achieve the correct permissions. Would that work with your suggestions? Following the link you've sent me I have the impression that I am leaving my concept. I don't want anyone to use Windows' Security tab, not even us admins. Thank you Philipp
Rowland Penny
2016-Sep-22 13:01 UTC
[Samba] Antwort: Re: permissions of new files and directories
On Thu, 22 Sep 2016 14:36:34 +0200 Philipp Snizek via samba <samba at lists.samba.org> wrote:> > > Von: Rowland Penny via samba <samba at lists.samba.org> > > An: samba at lists.samba.org > > Datum: 22.09.2016 13:18 > > Betreff: Re: [Samba] permissions of new files and directories > > Gesendet von: "samba" <samba-bounces at lists.samba.org> > > > > On Thu, 22 Sep 2016 11:53:36 +0200 > > Philipp Snizek via samba <samba at lists.samba.org> wrote: > > > > > > > > > > > Hello > > > > > > I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both > > > Windows DCs are Win 2012 R2 in 2008 R2 mode. > > > > > > This is the smb.conf: > > > > > > [global] > > > workgroup = MYDOM > > > server string = Fileserver > > > netbios name = myhostname > > > winbind separator = + > > > security = ADS > > > admin users = %D+administrator, %D+backupmaster > > > realm = MYDOM.WHEREVER > > > kerberos method = secrets and keytab > > > winbind enum users = yes > > > winbind enum groups = yes > > > winbind nss info = template > > > winbind use default domain = no > > > winbind refresh tickets = true > > > winbind nested groups = yes > > > idmap config *:backend = rid > > > idmap config *:range = 100000-100000000 > > > idmap config *:base_rid = 0 > > > template shell = /usr/bin/nologin > > > template homedir = /home/%D/users/%U > > > obey pam restrictions = yes > > > allow trusted domains = no > > > client use spnego = yes > > > client signing = auto > > > preferred master = no > > > load printers = no > > > unix charset = UTF8 > > > log file = /var/log/samba/log.%m > > > log level = 3 > > > max log size = 50000 > > > server max protocol = SMB3 > > > map untrusted to domain = yes > > > log writeable files on exit = yes > > > > > > This is one of the many team share configs. They are all like > > > this. > > > > > > [Team_XXX] > > > comment = Team XXX > > > path = "/home/teams1/team_xxx" > > > browseable = yes > > > write list = "@%D+team xxx" > > > admin users = @%D+domänen-admins > > > valid users = @%D+domänen-admins, "@%D+team xxx" > > > public = no > > > force group = "%D+team xxx" > > > directory mask = 0770 > > > create mask = 0660 > > > > > > When I as member of %D+team xxx create a new directory in this > > > share, the permissions of the new directory become 750 instead of > > > 770. New created files do get 660. > > > I have tried force directory mode = 0770 to no effect. I've also > > > tried inherit permissions = yes. New created files then get 660 > > > and directories get 750 instead of 770. > > > > > > Thanks for helping out. > > > > > > Best regards, > > > Philipp > > > > > > > Can I suggest you change your smb.conf to this: > > > > [global] > > netbios name = myhostname > > security = ADS > > workgroup = MYDOM > > realm = MYDOM.WHEREVER > > server string = Fileserver > > > > log file = /var/log/samba/log.%m > > log level = 3 > > max log size = 50000 > > > > winbind separator = + > > kerberos method = secrets and keytab > > winbind enum users = yes > > winbind enum groups = yes > > winbind refresh tickets = true > > > > idmap config *:backend = tdb > > idmap config *:range = 2000-9999 > > > > idmap config MYDOM:backend = rid > > idmap config MYDOM:range = 100000-100000000 > > > > template shell = /usr/bin/nologin > > template homedir = /home/%D/users/%U > > obey pam restrictions = yes > > allow trusted domains = no > > preferred master = no > > load printers = no > > map untrusted to domain = yes > > log writeable files on exit = yes > > > > [Team_XXX] > > comment = Team XXX > > path = /home/teams1/team_xxx > > browseable = yes > > read only = no > > > > > > Then read and follow this: > > > > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > > I've tried to run with POSIX ACLs to set permissions/ownerships on the > share directory only, "/home/teams1/team_xxx" in this example. This > directory would get 0770 and with inherit permissions or directory > mask = and create mask = my hopes were to achieve the correct > permissions. Would that work with your suggestions? Following the > link you've sent me I have the impression that I am leaving my > concept. I don't want anyone to use Windows' Security tab, not even > us admins. > > Thank you > Philipp > >If you must use posix ACLs, see here: https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs Rowland
jan-philipp.snizek at business.uzh.ch
2016-Sep-23 07:30 UTC
[Samba] Antwort: Re: Antwort: Re: permissions of new files and directories
> Von: Rowland Penny via samba <samba at lists.samba.org> > An: samba at lists.samba.org > Datum: 22.09.2016 15:14 > Betreff: Re: [Samba] Antwort: Re: permissions of new files anddirectories> Gesendet von: "samba" <samba-bounces at lists.samba.org> > > On Thu, 22 Sep 2016 14:36:34 +0200 > Philipp Snizek via samba <samba at lists.samba.org> wrote: > > > > > > Von: Rowland Penny via samba <samba at lists.samba.org> > > > An: samba at lists.samba.org > > > Datum: 22.09.2016 13:18 > > > Betreff: Re: [Samba] permissions of new files and directories > > > Gesendet von: "samba" <samba-bounces at lists.samba.org> > > > > > > On Thu, 22 Sep 2016 11:53:36 +0200 > > > Philipp Snizek via samba <samba at lists.samba.org> wrote: > > > > > > > > > > > > > > > Hello > > > > > > > > I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both > > > > Windows DCs are Win 2012 R2 in 2008 R2 mode. > > > > > > > > This is the smb.conf: > > > > > > > > [global] > > > > workgroup = MYDOM > > > > server string = Fileserver > > > > netbios name = myhostname > > > > winbind separator = + > > > > security = ADS > > > > admin users = %D+administrator, %D+backupmaster > > > > realm = MYDOM.WHEREVER > > > > kerberos method = secrets and keytab > > > > winbind enum users = yes > > > > winbind enum groups = yes > > > > winbind nss info = template > > > > winbind use default domain = no > > > > winbind refresh tickets = true > > > > winbind nested groups = yes > > > > idmap config *:backend = rid > > > > idmap config *:range = 100000-100000000 > > > > idmap config *:base_rid = 0 > > > > template shell = /usr/bin/nologin > > > > template homedir = /home/%D/users/%U > > > > obey pam restrictions = yes > > > > allow trusted domains = no > > > > client use spnego = yes > > > > client signing = auto > > > > preferred master = no > > > > load printers = no > > > > unix charset = UTF8 > > > > log file = /var/log/samba/log.%m > > > > log level = 3 > > > > max log size = 50000 > > > > server max protocol = SMB3 > > > > map untrusted to domain = yes > > > > log writeable files on exit = yes > > > > > > > > This is one of the many team share configs. They are all like > > > > this. > > > > > > > > [Team_XXX] > > > > comment = Team XXX > > > > path = "/home/teams1/team_xxx" > > > > browseable = yes > > > > write list = "@%D+team xxx" > > > > admin users = @%D+domänen-admins > > > > valid users = @%D+domänen-admins, "@%D+team xxx" > > > > public = no > > > > force group = "%D+team xxx" > > > > directory mask = 0770 > > > > create mask = 0660 > > > > > > > > When I as member of %D+team xxx create a new directory in this > > > > share, the permissions of the new directory become 750 instead of > > > > 770. New created files do get 660. > > > > I have tried force directory mode = 0770 to no effect. I've also > > > > tried inherit permissions = yes. New created files then get 660 > > > > and directories get 750 instead of 770. > > > > > > > > Thanks for helping out. > > > > > > > > Best regards, > > > > Philipp > > > > > > > > > > Can I suggest you change your smb.conf to this: > > > > > > [global] > > > netbios name = myhostname > > > security = ADS > > > workgroup = MYDOM > > > realm = MYDOM.WHEREVER > > > server string = Fileserver > > > > > > log file = /var/log/samba/log.%m > > > log level = 3 > > > max log size = 50000 > > > > > > winbind separator = + > > > kerberos method = secrets and keytab > > > winbind enum users = yes > > > winbind enum groups = yes > > > winbind refresh tickets = true > > > > > > idmap config *:backend = tdb > > > idmap config *:range = 2000-9999 > > > > > > idmap config MYDOM:backend = rid > > > idmap config MYDOM:range = 100000-100000000 > > > > > > template shell = /usr/bin/nologin > > > template homedir = /home/%D/users/%U > > > obey pam restrictions = yes > > > allow trusted domains = no > > > preferred master = no > > > load printers = no > > > map untrusted to domain = yes > > > log writeable files on exit = yes > > > > > > [Team_XXX] > > > comment = Team XXX > > > path = /home/teams1/team_xxx > > > browseable = yes > > > read only = no > > > > > > > > > Then read and follow this: > > > > > > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs > > > > I've tried to run with POSIX ACLs to set permissions/ownerships on the > > share directory only, "/home/teams1/team_xxx" in this example. This > > directory would get 0770 and with inherit permissions or directory > > mask = and create mask = my hopes were to achieve the correct > > permissions. Would that work with your suggestions? Following the > > link you've sent me I have the impression that I am leaving my > > concept. I don't want anyone to use Windows' Security tab, not even > > us admins. > > > > Thank you > > Philipp > > > > > > If you must use posix ACLs, see here: > > https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs >Yes, this is what I want. The global section I configured according to your suggestions, thank you for spotting all those needless default settings. My "testing" share now looks like this: [team_informatik] comment = Team Informatik path = /home/teams/team_informatik browseable = no valid users = +%D+"team informatik" public = no chmod 2770 /home/teams/team_informatik smbcontrol all reload-config When I on my Win 10, 1511, client create a new folder in this share the new folder's permissions are rwxr-s---. After adding force directory mode = 0770 to this section and reloading the config a newly created folder still gets rwxr-s--- permissions. Members of the same group cannot delete this folder. If I understand the bitwise OR-ing correctly this parameter should definitely override the permissions to 0770. What am I missing? Philipp
Apparently Analagous Threads
- Antwort: Re: Antwort: Re: permissions of new files and directories
- Antwort: Re: permissions of new files and directories
- permissions of new files and directories
- permissions of new files and directories
- Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users