Good afternoon everyone,

I have a problem that I cannot solve. I have installed Samba 4.9.0 on CentOS 7.5 using XFS.

In the DPTO share I have the departmental folders, which I gave the rights to the groups.

The problem:

When a user creates a file within some sub-folders, the group's rights do not arrive in the file; it is read-only.

When the user accesses a website and downloads the file directly to the share, nobody in the group can access that file, and when I go through Windows and right-click and access the Security tab, it closes.

I need some help to understand how to use ACLs and give rights correctly.

The smb.conf follows:

    # Global parameters
    [global]
        netbios name = SAMBA
        realm = NOIR.CORP
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = NOIR
        ldap server require strong auth = no
        idmap_ldb:use rfc2307 = yes
        vfs objects = recycle acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:repository = /dados/trash/%U
        recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso
        recycle:exclude_dir = tmp, cache

    [netlogon]
        path = /opt/samba/var/locks/sysvol/noir.corp/scripts
        read only = No

    [sysvol]
        path = /opt/samba/var/locks/sysvol
        read only = No

    [dpto]
        path = /dados/dpto
        read only = No
        hide unreadable = yes
        hide unwriteable files = yes
        # Block media file extensions in samba
        # veto files = /*.mp3/*.nws/*.{*}/*.avi/*.mpeg/*.mpg/*.wma/*.wmv/*.exe
        # do not try to take a lock on these files
        veto oplock files = /*.doc/*.xls/*.mdb/*.docx/*.DOC/*.DOCX/*.XLSX/*.xlsx/*.rtf/*.RTF/

On Tue, 30 Oct 2018 14:51:32 -0300 (BRT) "Gabriel O. Franca via samba" <samba at lists.samba.org> wrote:

> good afternoon everyone,
>
> I have a problem that I can not solve I have installed a samba 4.9.0
> in centos 7.5 using XFS.
>
> In the DPTO share I have the departmental folders, which I gave the
> rights to the groups.
>
> The problem:
>
> when a user creates a file within some sub-folders the group's rights
> do not arrive in the file is read-only.
>
> When the user accesses a website and downloads the file directly to
> the share, nobody in the group can access that file and when I go
> through windows and right click and access the security tab it
> closes.
>
> I need some help to understand how to use acl and give rights
> correctly.
>
> follows smb.conf
>
> # Global parameters
> [global]
> netbios name = SAMBA
> realm = NOIR.CORP
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = NOIR
> ldap server require strong auth = no
> idmap_ldb:use rfc2307 = yes
> vfs objects = recycle acl_xattr

Remove 'acl_xattr', it is built in on a DC.

> map acl inherit = Yes
> store dos attributes = Yes

Same goes for the above two lines.

> recycle:keeptree = yes
> recycle:versions = yes
> recycle:repository = /dados/trash/%U
> recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso
> recycle:exclude_dir = tmp, cache
>
> [dpto]
> path = /dados/dpto
> read only = No
> hide unreadable = yes
> hide unwriteable files = yes
> # Block media file extensions in samba
> # veto files = /*.mp3/*.nws/*.{*}/*.avi/*.mpeg/*.mpg/*.wma/*.wmv/*.exe
> # do not try to take a lock on these files
> veto oplock files = /*.doc/*.xls/*.mdb/*.docx/*.DOC/*.DOCX/*.XLSX/*.xlsx/*.rtf/*.RTF/

Your main problem is that you are using a DC as a fileserver and are trying to set up as if it is a fileserver, this doesn't work.

You need to use Windows ACLs, for more info, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland

Hi Rowland,

Thanks for the explanation!

I will change the night and test with the client tomorrow morning. As soon as I test I will come back and report whether it worked or not.

Regards,
Gabriel Franca

----- Original message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Tuesday, 30 October 2018 15:21:37
Subject: Re: [Samba] Problem with rights in samba 4.9.0

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Hi Rowland,

I followed the tutorial and re-created all the rights in the folder.

Now the problem is this: when one of the users creates a folder, the rights are duplicated.

Rights in root folder:

    Allow | grp-laboratory | Full Control | None | this folder, subfolders and files
    Allow | CREATE OWNER | Full control | None | Subfolders and files only
    Allow | CREATE GROUP | None | None | Subfolders and files only
    Allow | Administrator | Full control | None | This folder, subfolders and files

Rights when a user creates a folder within the root share:

    Allow | iris.oliveira (iri ..) | Full control | None | This folder, subfolders and files
    Allow | grp-laboratory | Read & execute | None | this folder only
    Allow | Administrator | Read & execute | None | This folder only
    Allow | CREATE OWNER | Full control | None | Subfolders and files only
    Allow | grp-laboratory | Full Control | None | subfolders and files only
    Allow | Administrator | Full control | None | This folder, subfolders and files
    Allow | CREATE GROUP | None | None | Subfolders and files only
    Allow | Administrator | Full control | None | This folder, subfolders and files
    Allow | Domain Uses | None | None | This folder, subfolders and files
    Allow | Everyone | None | None | This folder, subfolders and files

    net rpc rights list privileges SeDiskOperatorPrivilege -U "GENESIS\administrator"
    Enter GENESIS\administrator's password:
    SeDiskOperatorPrivilege:
      BUILTIN\Administrators
      GENESIS\Domain Admins

Is there any command to clear all the rights and force it to catch the new ones?

I did everything that the tutorial asks and I still have problems. Can you help me with this?

Regards,
Gabriel Franca
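
As an added example (not part of the thread), this Python sketch parses the child-folder listing posted in the last message and reports which principals carry more than one entry and which rows are identical. The function names are illustrative, and the rows are copied as posted.

```python
from collections import defaultdict

# Child-folder ACL rows as posted in the message above
# (columns: type | principal | access | inherited from | applies to).
CHILD_ACL = """\
Allow | iris.oliveira (iri ..) | Full control | None | This folder, subfolders and files
Allow | grp-laboratory | Read & execute | None | this folder only
Allow | Administrator | Read & execute | None | This folder only
Allow | CREATE OWNER | Full control | None | Subfolders and files only
Allow | grp-laboratory | Full Control | None | subfolders and files only
Allow | Administrator | Full control | None | This folder, subfolders and files
Allow | CREATE GROUP | None | None | Subfolders and files only
Allow | Administrator | Full control | None | This folder, subfolders and files
Allow | Domain Uses | None | None | This folder, subfolders and files
Allow | Everyone | None | None | This folder, subfolders and files
"""

def parse_acl(text):
    """Return a list of (type, principal, access, inherited, scope) tuples."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        # The listing mixes "Full control"/"Full Control"; compare case-insensitively.
        rows.append(tuple(f.lower() for f in fields))
    return rows

def repeated_principals(rows):
    """Map each principal with more than one ACE to its (access, scope) pairs."""
    by_principal = defaultdict(list)
    for _type, principal, access, _inherited, scope in rows:
        by_principal[principal].append((access, scope))
    return {p: aces for p, aces in by_principal.items() if len(aces) > 1}

def exact_duplicates(rows):
    """Return rows that appear more than once with identical fields."""
    seen, dupes = set(), []
    for row in rows:
        if row in seen and row not in dupes:
            dupes.append(row)
        seen.add(row)
    return dupes

if __name__ == "__main__":
    rows = parse_acl(CHILD_ACL)
    for principal, aces in repeated_principals(rows).items():
        print(principal, aces)
    print("identical rows:", exact_duplicates(rows))
```

Running the same functions over a listing taken after each permission change makes it easy to compare which entries were added, without reading the Security tab row by row.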