Walker, Jason M (JSC-CD42)[Leidos Innovations Corporation]
2018-Feb-13 19:24 UTC
[Samba] Samba 4.6.4 and Excel 2016 access denied if no Group mode permission
I am encountering a problem after upgrading Samba 3.x to Samba 4.6.4 on AIX. When trying to update a file in Excel 2016 from Windows 10 clients, Excel gives an error trying to save the file with an Access Denied message. I first thought it was a locking option and tried many variations of those, but what I have found is that if the file's access mode is 700 (User:RWX, Group:none, Everyone:none), the user cannot save the file; however if the file mode is changed to 740 (User:RWS, Group:R, Everyone:none) the user may edit/overwrite the file.

I do not have an issue editing and saving files with Notepad or Notepad++, so this may be a problem in Excel's odd behavior of creating a new file and overwriting the original. But I'm not sure how the Group mode bits affect the behavior and whether there is anything I can do to work around the problem. We very much want to avoid granting any Group mode permissions as we have thousands of users with a shared default group.

We are using ADS mode as a Member Server, and restricting to NTLMv2 and SMB2 protocols.

Excerpt from the configuration file:

security = ADS
workgroup = MYDOMAIN
realm = mydomain.gov
lanman auth = no
ntlm auth = no
client lanman auth = no
client ntlmv2 auth = yes
client min protocol = SMB2
client schannel = auto
client signing = auto
client use spnego = yes
server schannel = auto
server signing = auto
wins support = no
disable netbios = yes
restrict anonymous = yes
server min protocol = SMB2
acl allow execute always = yes
nt acl support = yes
inherit acls = yes
map acl inherit = yes
map archive = yes
map hidden = no
map read only = yes
map system = no
store dos attributes = yes
inherit permissions = yes
dos filemode = yes
unix extensions = no

[homes]
comment = Home Directories
path = /home/PATH/PATH/%U
browseable = no
writeable = yes
create mask = 0700
# If we change create mask to 0740, new files get a Group:Read permission and Excel 2016 can update the files
#create mask = 0740
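Added example, not part of the original post or of Samba: a Python check for the exposure the post wants to avoid if the 0740 workaround is adopted with a shared default group. It lists files under a home directory that carry any group bits and marks whether the directories above them let group members traverse to the file. The function names and sample tree are constructed; it assumes plain POSIX mode bits (no ACLs), that files belong to the shared group, and that directories above the home root are traversable.

```python
import os
import stat
import tempfile

def group_exposure(root):
    """Return [(relative path, octal mode, status)] for regular files under
    root that grant any group permission. status is 'reachable' when every
    directory from root down has the group search (x) bit, else 'shielded'."""
    findings = []
    # Assumption: directories above root are traversable (worst case).
    reachable = {root: bool(os.lstat(root).st_mode & stat.S_IXGRP)}
    for dirpath, dirnames, filenames in os.walk(root):
        here = reachable[dirpath]
        for d in dirnames:
            full = os.path.join(dirpath, d)
            reachable[full] = here and bool(os.lstat(full).st_mode & stat.S_IXGRP)
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            bits = stat.S_IMODE(st.st_mode)
            if bits & stat.S_IRWXG:
                status = "reachable" if here else "shielded"
                findings.append((os.path.relpath(full, root), format(bits, "04o"), status))
    return sorted(findings)

def demo():
    """Constructed tree: one home directory at 0700, one at 0750, each holding
    a 0740 file (the workaround mode) and a 0700 file (the desired mode)."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        for home, dmode in (("alice", 0o700), ("bob", 0o750)):
            hdir = os.path.join(top, home)
            os.mkdir(hdir)
            for fname, fmode in (("budget.xlsx", 0o740), ("notes.xlsx", 0o700)):
                path = os.path.join(hdir, fname)
                open(path, "w").close()
                os.chmod(path, fmode)  # explicit chmod, independent of umask
            os.chmod(hdir, dmode)
            results[home] = group_exposure(hdir)
    return results

if __name__ == "__main__":
    for home, rows in demo().items():
        print(home, rows)
```

A 0740 file is only readable by other members of the shared group when every directory on the path also grants group search permission, so the home directory modes decide how much the workaround actually exposes.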
Rowland Penny
2018-Feb-13 20:06 UTC
[Samba] Samba 4.6.4 and Excel 2016 access denied if no Group mode permission
On Tue, 13 Feb 2018 19:24:49 +0000 "Walker, Jason M (JSC-CD42)[Leidos Innovations Corporation] via samba" <samba at lists.samba.org> wrote:

> I am encountering a problem after upgrading Samba 3.x to Samba 4.6.4
> on AIX. When trying to update a file in Excel 2016 from Windows 10
> clients, Excel gives an error trying to save the file with an Access
> Denied message. I first thought it was a locking option and tried
> many variations of those, but what I have found is that if the file's
> access mode is 700 (User:RWX, Group:none, Everyone:none), the user
> cannot save the file; however if the file mode is changed to 740
> (User:RWS, Group:R, Everyone:none) the user may edit/overwrite the
> file.
>
> I do not have an issue editing and saving files with Notepad or
> Notepad++, so this may be a problem in Excel's odd behavior of
> creating a new file and overwriting the original. But I'm not sure
> how the Group mode bits affect the behavior and whether there is
> anything I can do to work around the problem. We very much want to
> avoid granting any Group mode permissions as we have thousands of
> users with a shared default group.
>
> We are using ADS mode as a Member Server, and restricting to NTLMv2
> and SMB2 protocols.
>
> Excerpt from the configuration file:
>
> security = ADS
> workgroup = MYDOMAIN
> realm = mydomain.gov
> lanman auth = no
> ntlm auth = no
> client lanman auth = no
> client ntlmv2 auth = yes
> client min protocol = SMB2
> client schannel = auto
> client signing = auto
> client use spnego = yes
> server schannel = auto
> server signing = auto
> wins support = no
> disable netbios = yes
> restrict anonymous = yes
> server min protocol = SMB2
> acl allow execute always = yes
> nt acl support = yes
> inherit acls = yes
> map acl inherit = yes
> map archive = yes
> map hidden = no
> map read only = yes
> map system = no
> store dos attributes = yes
> inherit permissions = yes
> dos filemode = yes
> unix extensions = no

What are you actually using for authentication?

If it is winbind, you need to set it up correctly, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland