Hello

I have a Debian 8 with samba (Version 4.2.10-Debian) that serves as Fileserver.

My smb.conf

[global]
workgroup = XXXXX
realm = GRUPO.XXXXX.COM.BR

security = ADS
idmap config * : backend = rid
idmap config * : range = 100000-999999

client schannel = no
allow trusted domains = yes
winbind use default domain = yes
winbind refresh tickets = Yes
winbind offline logon = no
winbind cache time = 360

winbind enum users = yes
winbind enum groups = yes

template shell = /bin/bash
template homedir = /home/%U

map to guest = bad user
guest account = guest
guest ok = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

I have sharing:

[QUALIDADELEITE]
path = /home/QUALIDADELEITE
browseable = yes
writeable = yes
printable = no
create mask = 0770
force directory mode = 0770
force create mode = 0770
force group = +qualidadeleite
valid users = @qualidadeleite

getfacl /home/QUALIDADELEITE
# file: home/QUALIDADELEITE
# owner: root
# group: qualidadeleite
user::rwx
group::rwx
other::---
default:user::rwx
default:group::r-x
default:group:qualidadeleite:rwx
default:mask::rwx
default:other::r-x

My doubts inside have an ok.txt file

Getfacl ok.txt
# File: ok.txt
# Owner: root
# Group: root
User :: rwx
Group :: r-x #effective: ---
Group: qualidadeleite: rwx #effective: ---
Mask :: ---
Other :: ---

The problem in this way a user of the qualidadeleite group can not do anything in the file, even though they have permissions via ACL, this only happens on shares.
Direct on the file System the ACL permission is functional.

Access to this directory occurs both direct (ssh) and via shares.

Do you know what it can be?

Regards

Hai Carlos,

I suggest start here :
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

Which says..

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999

And you want RID,
https://wiki.samba.org/index.php/Idmap_config_rid

So fix your smb.conf, restart samba.
Run : net cache flush

Test id username
And try again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Carlos A. P. Cunha via samba
> Sent: Tuesday 27 June 2017 16:26
> To: samba at lists.samba.org
> Subject: [Samba] ACL SHARE
>
> Hello
> I have a Debian 8 with samba (Version 4.2.10-Debian) that
> serves as Fileserver.
>
> My smb.conf
>
> [global]
> workgroup = XXXXX
> realm = GRUPO.XXXXX.COM.BR
>
> security = ADS
> idmap config * : backend = rid
> idmap config * : range = 100000-999999
>
> client schannel = no
> allow trusted domains = yes
> winbind use default domain = yes
> winbind refresh tickets = Yes
> winbind offline logon = no
> winbind cache time = 360
>
> winbind enum users = yes
> winbind enum groups = yes
>
> template shell = /bin/bash
> template homedir = /home/%U
>
>
> map to guest = bad user
> guest account = guest
> guest ok = yes
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> I have sharing:
>
> [QUALIDADELEITE]
> path = /home/QUALIDADELEITE
> browseable = yes
> writeable = yes
> printable = no
> create mask = 0770
> force directory mode = 0770
> force create mode = 0770
> force group = +qualidadeleite
> valid users = @qualidadeleite
>
>
> getfacl /home/QUALIDADELEITE
> # file: home/QUALIDADELEITE
> # owner: root
> # group: qualidadeleite
> user::rwx
> group::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:qualidadeleite:rwx
> default:mask::rwx
> default:other::r-x
>
> My doubts inside have an ok.txt file
>
> Getfacl ok.txt
> # File: ok.txt
> # Owner: root
> # Group: root
> User :: rwx
> Group :: r-x #effective: ---
> Group: qualidadeleite: rwx #effective: --- Mask :: --- Other :: ---
>
> The problem in this way a user of the qualidadeleite group
> can not do anything in the file, even though they have
> permissions via ACL, this only happens on shares.
> Direct on the file System the ACL permission is functional.
>
> Access to this directory occurs both direct (ssh) and via shares.
>
> Do you know what it can be?
>
>
> Regards

On Tue, 27 Jun 2017 16:32:22 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Carlos,
>
> I suggest start here :
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
>
> Which says..
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> And you want RID,
> https://wiki.samba.org/index.php/Idmap_config_rid
>
>
> So fix you smb.conf, restart samba.
> Run : net cache flush
>
> Test id username
> And try again.
>
> Greetz,
>
> Louis
>

What Louis said, plus, you really need to upgrade Samba. You can get later packages from here:

http://apt.van-belle.nl/

Rowland

correct is not much different, but you need a "correct" config.
now your config is simply wrong. ( sorry )

This proves it.
one question..

idmap config * : backend = rid
idmap config * : range = 100000-999999

can you write your "rid" to the samba AD.. No.

# - must use an read-write-enabled back end, such as tdb.

you need also :

# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

but do remember ...
For every domain, set these parameters individually. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.

Greetz,

Louis

From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
Sent: Tuesday 27 June 2017 17:07
To: L.P.H. van Belle
Subject: Re: [Samba] ACL SHARE

Hello
Thank you for your attention.
My conf is not much different from the documentation, and what's different "I believe" is not my problem.
As I mentioned the problem only occurs with access via sharing ....

Regards

On 27-06-2017 11:32, L.P.H. van Belle via samba wrote:

Hai Carlos,

I suggest start here :
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

Which says..

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999

And you want RID,
https://wiki.samba.org/index.php/Idmap_config_rid

So fix you smb.conf, restart samba.
Run : net cache flush

Test id username
And try again.

Greetz,

Louis

-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A. P. Cunha via samba
Sent: Tuesday 27 June 2017 16:26
To: samba at lists.samba.org
Subject: [Samba] ACL SHARE

Hello
I have a Debian 8 with samba (Version 4.2.10-Debian) that serves as Fileserver.

My smb.conf

[global]
workgroup = XXXXX
realm = GRUPO.XXXXX.COM.BR

security = ADS
idmap config * : backend = rid
idmap config * : range = 100000-999999

client schannel = no
allow trusted domains = yes
winbind use default domain = yes
winbind refresh tickets = Yes
winbind offline logon = no
winbind cache time = 360

winbind enum users = yes
winbind enum groups = yes

template shell = /bin/bash
template homedir = /home/%U

map to guest = bad user
guest account = guest
guest ok = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

I have sharing:

[QUALIDADELEITE]
path = /home/QUALIDADELEITE
browseable = yes
writeable = yes
printable = no
create mask = 0770
force directory mode = 0770
force create mode = 0770
force group = +qualidadeleite
valid users = @qualidadeleite

getfacl /home/QUALIDADELEITE
# file: home/QUALIDADELEITE
# owner: root
# group: qualidadeleite
user::rwx
group::rwx
other::---
default:user::rwx
default:group::r-x
default:group:qualidadeleite:rwx
default:mask::rwx
default:other::r-x

My doubts inside have an ok.txt file

Getfacl ok.txt
# File: ok.txt
# Owner: root
# Group: root
User :: rwx
Group :: r-x #effective: ---
Group: qualidadeleite: rwx #effective: ---
Mask :: ---
Other :: ---

The problem in this way a user of the qualidadeleite group can not do anything in the file, even though they have permissions via ACL, this only happens on shares.
Direct on the file System the ACL permission is functional.

Access to this directory occurs both direct (ssh) and via shares.

Do you know what it can be?

Regards
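
The idmap rules cited in the replies above (read-write back end for the default `*` domain, a separate entry per domain, non-overlapping ranges), as an added example that is not part of the original thread or of Samba: a small Python check run over the posted and the suggested settings. The function names and `RW_BACKENDS` are assumptions of this example; `autorid` is listed next to the `tdb` named in the quoted wiki text.

```python
import re
from itertools import combinations

# Matches "idmap config <DOMAIN> : backend|range = <value>"; commented lines do not match.
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)
# tdb is named in the quoted wiki text; autorid is an assumption added by this example.
RW_BACKENDS = {"tdb", "autorid"}

def parse_idmap(conf_text):
    """Return {domain: {"backend": name, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.groups()
        entry = domains.setdefault(domain, {})
        if key.lower() == "range":
            low, high = (int(part) for part in value.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return domains

def check_idmap(conf_text):
    """List violations of the rules quoted in the thread; an empty list means none."""
    domains = parse_idmap(conf_text)
    problems = []
    backend = domains.get("*", {}).get("backend")
    if backend not in RW_BACKENDS:
        problems.append(f"default (*) domain backend is {backend!r}, not a read-write one")
    if not any(name != "*" for name in domains):
        problems.append("no per-domain idmap config; only the default (*) domain is set")
    ranged = [(n, c["range"]) for n, c in sorted(domains.items()) if "range" in c]
    for (n1, (lo1, hi1)), (n2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            problems.append(f"ID ranges of {n1} and {n2} overlap")
    return problems

# Settings as posted in the thread's [global] section.
POSTED = "idmap config * : backend = rid\nidmap config * : range = 100000-999999"
# Settings suggested in the replies (SAMDOM is the wiki's placeholder domain name).
SUGGESTED = """idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999"""
# Constructed sample: the domain range starts inside the default range.
OVERLAP = SUGGESTED.replace("10000-999999", "5000-999999")
```

`check_idmap(POSTED)` reports the `rid` default back end and the missing per-domain entry, `check_idmap(SUGGESTED)` returns an empty list, and `check_idmap(OVERLAP)` flags the colliding ranges.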