Hi Rowland here is it:

[global]
netbios name = ID-175
security = ADS
workgroup = HQKONTRAST
realm = HQ.KONTRAST

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind refresh tickets = yes

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 500-1023

# idmap config for domain HQKONTRAST
idmap config HQKONTRAST:backend = ad
idmap config HQKONTRAST:schema_mode = rfc2307
idmap config HQKONTRAST:range = 1024-99999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

[IT-Security]
path = /data/security
browseable = yes
writeable = yes
force group = it_security
valid users = @it_security
create mask = 0660
directory mask = 0770
#oplocks = 0
vfs objects = full_audit recycle
full_audit:prefix = %u
full_audit:success = mkdir rename rmdir unlink pwrite
full_audit:failure = none
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
recycle:versions = yes
recycle:exclude = .*, ~*

Thanks :)
OLIVER WERNER
System-Administrator

Hi Rowland,

you can confirm your idea of this problem?

OLIVER WERNER
System-Administrator

> On 09.01.2017 at 17:52, Oliver Werner via samba <samba at lists.samba.org> wrote:
>
> Hi Rowland here is it:
>
> [global]
> netbios name = ID-175
> security = ADS
> workgroup = HQKONTRAST
> realm = HQ.KONTRAST
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 300
> winbind refresh tickets = yes
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 500-1023
>
> # idmap config for domain HQKONTRAST
> idmap config HQKONTRAST:backend = ad
> idmap config HQKONTRAST:schema_mode = rfc2307
> idmap config HQKONTRAST:range = 1024-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> [IT-Security]
> path = /data/security
> browseable = yes
> writeable = yes
> force group = it_security
> valid users = @it_security
> create mask = 0660
> directory mask = 0770
> #oplocks = 0
> vfs objects = full_audit recycle
> full_audit:prefix = %u
> full_audit:success = mkdir rename rmdir unlink pwrite
> full_audit:failure = none
> full_audit:facility = LOCAL5
> full_audit:priority = NOTICE
> recycle:versions = yes
> recycle:exclude = .*, ~*
>
> Thanks :)
> OLIVER WERNER
> System-Administrator

On Tue, 10 Jan 2017 15:51:43 +0100
Oliver Werner <oliver.werner at kontrast.de> wrote:

> Hi Rowland,
>
> you can confirm your idea of this problem?

To be honest, no ;-)

I thought that because 'it_security' had the GID '1396', there was a possibility that it was a local Unix group and Windows couldn't actually see it, but this doesn't seem to be the case.

You could try adding these lines to smb.conf:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Rowland
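
Added example, not part of the thread: if the suggested `vfs objects = acl_xattr` line ends up in the [IT-Security] share as a second `vfs objects` line, Samba keeps only the last value, so `full_audit` and `recycle` stop loading and the share loses its audit trail. The Python check below flags that case; the two sample shares are constructed from the config posted above, and the merged module order is an assumption.

```python
import re

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} keeping every assignment in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and spacing so "VFS  Objects" matches "vfs objects"
            sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections

def dropped_vfs_modules(text):
    """Return {section: modules named on an earlier 'vfs objects' line
    that are missing from the last (effective) one}."""
    report = {}
    for section, pairs in parse_smb_conf(text).items():
        lists = [value.split() for key, value in pairs if key == "vfs objects"]
        if len(lists) < 2:
            continue  # a single line cannot override anything
        effective = set(lists[-1])
        lost = sorted({m for earlier in lists[:-1] for m in earlier} - effective)
        if lost:
            report[section] = lost
    return report

# Constructed sample: the posted share with the suggested lines appended.
SAMPLE_APPENDED = """\
[IT-Security]
path = /data/security
vfs objects = full_audit recycle
full_audit:success = mkdir rename rmdir unlink pwrite
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
"""

# Constructed sample: one merged line (module order here is an assumption).
SAMPLE_MERGED = SAMPLE_APPENDED.replace(
    "vfs objects = full_audit recycle\n", "").replace(
    "vfs objects = acl_xattr", "vfs objects = acl_xattr full_audit recycle")

if __name__ == "__main__":
    print(dropped_vfs_modules(SAMPLE_APPENDED))
    print(dropped_vfs_modules(SAMPLE_MERGED))
```

Running `testparm -s` after the change shows the effective `vfs objects` value Samba will actually use for the share.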