Gentlemen,

I am struggling to solve this problem.
My file server is Samba 4.4.5.
Even the administrator user (domain admin) could not write to the share.
Could someone give me a hint, in order to solve this problem?

shared folder: /mnt/data

Folder permissions:

    # getfacl /mnt/data/teste/
    getfacl: Removing leading '/' from absolute path names
    # file: mnt/data/teste/
    # owner: ricardo
    # group: domain\040admins
    user::rwx
    user:domain\040admins:rwx
    user:ricardo:rwx
    group::rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:domain\040admins:rwx
    default:user:ricardo:rwx
    default:group::rwx
    default:group:domain\040admins:rwx
    default:group:ti-infra:rwx
    default:mask::rwx
    default:other::r-x

The smb.conf of the fileserver:

    [data]
    comment = Folder data
    path = /mnt/data
    read only = no
    browseable = yes
    #
    map acl inherit = yes
    store dos attributes = yes
    #
    inherit acls = Yes
    inherit permissions = Yes
    guest account = guest
    guest ok=yes
    writeable = Yes
    # Recycle
    vfs objects = acl_xattr, recycle, shadow_copy2, full_audit
    #vfs objects = recycle, shadow_copy2
    recycle:facility = LOCAL1
    recycle:priority = NOTICE
    recycle:maxsize = 0
    recycle:directory_mode = 0774
    recycle:subdir_mode = 0774
    recycle:keeptree = true
    recycle:touch = true
    recycle:versions = true
    recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.exe, *.bin
    recycle:exclude_dir = tmp, temp, cache
    create mask = 0774
    directory mask = 0774
    # SHADOW COPY / SNAPSHOT
    shadow:mountpoint = /mnt/data/
    shadow:snapdir = .snapshot
    shadow:basedir = /mnt/
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = @GMT-%Y.%m.%d-%H.%M.%S
    # AUDIT FILESERVER
    full_audit:prefix = %u|%I|%S|%g
    full_audit:success = all
    full_audit:failure = all !open
    full_audit:facility = local1
    full_audit:priority = ALERT

On Mon, 24 Oct 2016 14:00:21 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> Gentlemen,
>
> I am struggling to solve this problem.
> My file server is Samba 4.4.5.
> Even the administrator user (domain admin) could not write to the
> share. Could someone give me a hint, in order to solve this problem?
>
> shared folder: /mnt/data
>
> Folder permissions:
>
>     # getfacl /mnt/data/teste/
>     getfacl: Removing leading '/' from absolute path names
>     # file: mnt/data/teste/
>     # owner: ricardo
>     # group: domain\040admins
>     user::rwx
>     user:domain\040admins:rwx
>     user:ricardo:rwx
>     group::rwx
>     mask::rwx
>     other::r-x
>     default:user::rwx
>     default:user:domain\040admins:rwx
>     default:user:ricardo:rwx
>     default:group::rwx
>     default:group:domain\040admins:rwx
>     default:group:ti-infra:rwx
>     default:mask::rwx
>     default:other::r-x
>
> The smb.conf of the fileserver:
>
>     [data]
>     comment = Folder data
>     path = /mnt/data
>     read only = no
>     browseable = yes
>     #
>     map acl inherit = yes
>     store dos attributes = yes
>     #
>     inherit acls = Yes
>     inherit permissions = Yes
>     guest account = guest
>     guest ok=yes
>     writeable = Yes
>     # Recycle
>     vfs objects = acl_xattr, recycle, shadow_copy2, full_audit
>     #vfs objects = recycle, shadow_copy2
>     recycle:facility = LOCAL1
>     recycle:priority = NOTICE
>     recycle:maxsize = 0
>     recycle:directory_mode = 0774
>     recycle:subdir_mode = 0774
>     recycle:keeptree = true
>     recycle:touch = true
>     recycle:versions = true
>     recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.exe, *.bin
>     recycle:exclude_dir = tmp, temp, cache
>     create mask = 0774
>     directory mask = 0774
>     # SHADOW COPY / SNAPSHOT
>     shadow:mountpoint = /mnt/data/
>     shadow:snapdir = .snapshot
>     shadow:basedir = /mnt/
>     shadow:sort = desc
>     shadow:localtime = yes
>     shadow:format = @GMT-%Y.%m.%d-%H.%M.%S
>     # AUDIT FILESERVER
>     full_audit:prefix = %u|%I|%S|%g
>     full_audit:success = all
>     full_audit:failure = all !open
>     full_audit:facility = local1
>     full_audit:priority = ALERT
>

Hi, can we see the rest of your smb.conf?

Rowland

Dear Rowland,

Follow my smb.conf

The smb.conf of the fileserver:

    # Global parameters
    [global]
    netbios name = SRV16
    server string = Samba4 Server
    security = ADS
    encrypt passwords = yes
    realm = domain.local
    workgroup = DOMAIN
    server services = smb
    log file = /var/log/samba/samba.log
    log level = 9
    #
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = Yes
    winbind nss info = RFC2307
    #idmap_ldb: Use
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    # Idmap config for domain DOMAIN
    #idmap config DOMAIN: backend = ad
    idmap config DOMAIN: backend = rid
    #idmap config DOMAIN: schema_mode = RFC2307
    idmap config DOMAIN: range = 10000-99999
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999

    [data]
    comment = Folder data
    path = /mnt/data
    read only = no
    browseable = yes
    #
    map acl inherit = yes
    store dos attributes = yes
    #
    inherit acls = Yes
    inherit permissions = Yes
    guest account = guest
    guest ok=yes
    writeable = Yes
    # Recycle
    vfs objects = acl_xattr, recycle, shadow_copy2, full_audit
    #vfs objects = recycle, shadow_copy2
    recycle:facility = LOCAL1
    recycle:priority = NOTICE
    recycle:maxsize = 0
    recycle:directory_mode = 0774
    recycle:subdir_mode = 0774
    recycle:keeptree = true
    recycle:touch = true
    recycle:versions = true
    recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.exe, *.bin
    recycle:exclude_dir = tmp, temp, cache
    create mask = 0774
    directory mask = 0774
    # SHADOW COPY / SNAPSHOT
    shadow:mountpoint = /mnt/data/
    shadow:snapdir = .snapshot
    shadow:basedir = /mnt/
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = @GMT-%Y.%m.%d-%H.%M.%S
    # AUDIT FILESERVER
    full_audit:prefix = %u|%I|%S|%g
    full_audit:success = all
    full_audit:failure = all !open
    full_audit:facility = local1
    full_audit:priority = ALERT

On Mon, 24 Oct 2016 15:42:43 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> Dear Rowland,
> Follow my smb.conf
>
> The smb.conf of the fileserver:
>

Can I suggest you try this smb.conf:

    # Global parameters
    [global]
    workgroup = DOMAIN
    security = ADS
    realm = domain.local
    netbios name = SRV16
    server string = Samba4 Server

    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = Yes
    winbind nss info = RFC2307

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config DOMAIN: backend = rid
    idmap config DOMAIN: range = 10000-99999

    log file = /var/log/samba/samba.log
    log level = 9

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    guest account = guest

    [data]
    comment = Folder data
    path = /mnt/data
    read only = no
    browseable = yes
    guest ok=yes
    vfs objects = acl_xattr, recycle, shadow_copy2, full_audit
    #inherit acls = Yes
    # NOTE: using acl_xattr turns this on
    inherit permissions = Yes
    # NOTE: this overrides the next two lines
    create mask = 0774
    directory mask = 0774
    # Recycle
    recycle:facility = LOCAL1
    recycle:priority = NOTICE
    recycle:maxsize = 0
    recycle:directory_mode = 0774
    recycle:subdir_mode = 0774
    recycle:keeptree = true
    recycle:touch = true
    recycle:versions = true
    recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.exe, *.bin
    recycle:exclude_dir = tmp, temp, cache
    # SHADOW COPY / SNAPSHOT
    shadow:mountpoint = /mnt/data/
    shadow:snapdir = .snapshot
    shadow:basedir = /mnt/
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = @GMT-%Y.%m.%d-%H.%M.%S
    # AUDIT FILESERVER
    full_audit:prefix = %u|%I|%S|%g
    full_audit:success = all
    full_audit:failure = all !open
    full_audit:facility = local1
    full_audit:priority = ALERT

Can I also suggest you read these two Samba wiki pages:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs

Decide which of the two ways you want to use and then set the share up that way.

Rowland
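
Added example (not part of the thread and not Samba project code): a small Python check that reads an smb.conf and reports the share parameters the reply above removes or annotates, namely values that only repeat [global], masks overridden by inherit permissions, inherit acls alongside acl_xattr, and read only set together with its inverted synonym writeable. The sample text is constructed from the first smb.conf in the thread, and parse and lint_share are hypothetical helper names.

```python
import re

# Constructed sample: lines from the first smb.conf in this thread, trimmed.
SAMPLE = """\
[global]
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
[data]
    read only = no
    map acl inherit = yes
    store dos attributes = yes
    inherit acls = Yes
    inherit permissions = Yes
    writeable = Yes
    vfs objects = acl_xattr, recycle, shadow_copy2, full_audit
    create mask = 0774
    directory mask = 0774
"""

def parse(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def lint_share(conf, share):
    """Checks taken from the NOTE comments in the reply above (assumed correct)."""
    glob, s, out = conf.get("global", {}), conf[share], []
    for key, value in s.items():
        if key in glob and glob[key].lower() == value.lower():
            out.append(f"'{key}' repeats the [global] value")
    if s.get("inherit permissions", "no").lower() in ("yes", "true", "on", "1"):
        out += [f"'{k}' is overridden by inherit permissions"
                for k in ("create mask", "directory mask") if k in s]
    if "acl_xattr" in re.split(r"[,\s]+", s.get("vfs objects", "")) and "inherit acls" in s:
        out.append("'inherit acls' is already turned on by acl_xattr")
    if "read only" in s and s.keys() & {"writeable", "writable"}:
        out.append("'read only' and 'writeable' set the same option")
    return out

print("\n".join(lint_share(parse(SAMPLE), "data")))
```

None of these findings is an access-denied cause on its own; they only show which lines in the share have no effect, so that the remaining settings can be compared against one of the two ACL models.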

Dear Rowland,

I changed smb.conf as per your tip.
I had already read about the Windows and POSIX ACLs.
Even changing the smb.conf and using the ACL methods, I still do not have write access to the folder.

Example:

    # mkdir /mnt/data/teste1
    # ls -all /mnt/data/teste1
    total 12
    drwxrws---+  2 administrator domain admins    6 Out 25 10:05 .
    drwxrwxr-x+ 10 root          domain admins 4096 Out 25 10:05 ..
    # chmod 2770 /mnt/data/teste1
    # chown administrator:"Domain Admins" /mnt/data/teste1

Logged in as administrator / domain admin, I still get an access denied error when I try to create a file in this folder.