Peter Varkoly
2019-May-08 13:13 UTC
[Samba] samba does not honor set group bit on directories
Hi,

I'm using samba 4.6.15 and 4.8.9 as AD server on a lot of openLeap 42.3 servers.

The servers have numerous group directories in /home/groups. This directory will be provided by a share:

[groups]
    comment = Shared directories of groups you are member in.
    path = /home/groups
    inherit permissions = Yes
    inherit acls = Yes
    browseable = Yes
    guest ok = No
    printable = No
    read only = No

On the group directories the set group ID bit is set:

# file: home/groups/WBFRH1.1
# owner: root
# group: <DOMAIN>\134wbfrh1.1
# flags: -s-
user::rwx
group::rwx
group:<DOMAIN>\134wbfrh1.1:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:<DOMAIN>\134wbfrh1.1:rwx
default:mask::rwx
default:other::---

Creating a file in /home/groups/WBFRH1.1 on the server the group is as expected WBFRH1.1.

Creating a file via smbclient or from Windows client the group of the file is the primary group of the user.

Why is the behavior different?

How can I force that samba honors the linux settings?

Thanks
Peter Varkoly
Rowland Penny
2019-May-08 13:27 UTC
[Samba] samba does not honor set group bit on directories
On Wed, 8 May 2019 15:13:02 +0200 Peter Varkoly via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I'm using samba 4.6.15 and 4.8.9 as AD server on a lot of openLeap
> 42.3 servers.
>
> The servers have numerous group directories in /home/groups. This
> directory will be provided by a share:
>
> [groups]
> comment = Shared directories of groups you are member in.
> path = /home/groups
> inherit permissions = Yes
> inherit acls = Yes
> browseable = Yes
> guest ok = No
> printable = No
> read only = No
>
> On the group directories the set group ID bit is set:
>
> # file: home/groups/WBFRH1.1
> # owner: root
> # group: <DOMAIN>\134wbfrh1.1
> # flags: -s-
> user::rwx
> group::rwx
> group:<DOMAIN>\134wbfrh1.1:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:<DOMAIN>\134wbfrh1.1:rwx
> default:mask::rwx
> default:other::---
>
> Creating a file in /home/groups/WBFRH1.1 on the server the group is
> as expected WBFRH1.1.
>
> Creating a file via smbclient or from Windows client the group of the
> file is the primary group of the user.
>
> Why is the behavior different?
>
> How can I force that samba honors the linux settings?

Might help if you post the '[global]' part of your smb.conf

Rowland
Rowland Penny
2019-May-08 15:05 UTC
[Samba] samba does not honor set group bit on directories
On Wed, 8 May 2019 16:16:58 +0200 Peter Varkoly <peter at varkoly.de> wrote:

> Hi,
>
> [global]
> netbios name = admin
> realm = <LONG-DOMAIN>

I do hope that '<LONG-DOMAIN>' is the dns domain in uppercase

> workgroup = <DOMAIN>
> dns forwarder = 8.8.8.8
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = Yes
> check password script =
> /usr/share/oss/tools/check_password_complexity.sh

Are you aware that password complexity is in AD ?

> winbind enum users = Yes
> winbind enum groups = Yes

You should remove the two lines above, they are not needed and only slow things down

> wide links = Yes
> unix extensions = No
> template shell = /bin/bash
> ntlm auth = yes

You like living dangerously, still using NTLMv1

>
> bind interfaces only = yes
> interfaces = 127.0.0.1, 172.16.0.2
> comment = "CRANIX DC"
> ldap server require strong auth = no
>

Are you using a self compiled version of Samba ? or are you using a Samba package that uses the MIT kdc ?
If the latter, you should be aware that using MIT is still regarded as experimental and shouldn't be used in production.

Finally, you are using a DC as a fileserver, this is not recommended, but if you do, you can only set the permissions on the share from Windows. This means that your shares can only look like this:

[groups]
    comment = Shared directories of groups you are member in.
    path = /home/groups
    read only = No

You also need to read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
Peter Varkoly
2019-May-08 18:02 UTC
[Samba] samba does not honor set group bit on directories
Thanks a lot!

On 08.05.19 at 17:05, Rowland Penny via samba wrote:

> On Wed, 8 May 2019 16:16:58 +0200
> Peter Varkoly <peter at varkoly.de> wrote:
>
>> Hi,
>>
>> [global]
>> netbios name = admin
>> realm = <LONG-DOMAIN>
> I do hope that '<LONG-DOMAIN>' is the dns domain in uppercase

Yes it is.

>
>> workgroup = <DOMAIN>
>> dns forwarder = 8.8.8.8
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = Yes
>> check password script
>> /usr/share/oss/tools/check_password_complexity.sh
> Are you aware that password complexity is in AD ?

Yes, I am.

>
>> winbind enum users = Yes
>> winbind enum groups = Yes
> You should remove the two lines above, they are not needed and only
> slow things down
>
>> wide links = Yes
>> unix extensions = No
>> template shell = /bin/bash
>> ntlm auth = yes
> You like living dangerously, still using NTLMv1

It's for radius-server for mschapv2. Is there a better solution?

>
>> bind interfaces only = yes
>> interfaces = 127.0.0.1, 172.16.0.2
>> comment = "CRANIX DC"
>> ldap server require strong auth = no
>>
> Are you using a self compiled version of Samba ?

I'm using self compiled samba with integrated krb5.
https://build.opensuse.org/package/show/home:varkoly:OSS-4-0:stable/samba
https://build.opensuse.org/package/show/home:varkoly:OSS-4-0:stable-samba-4.8.9/samba
https://build.opensuse.org/package/show/home:varkoly:OSS-4-1:leap15.1/samba

> or are you using a
> Samba package that uses the MIT kdc ?
> If the latter, you should be aware that using MIT is still regarded as
> experimental and shouldn't be used in production.
>
> Finally, you are using a DC as a fileserver, this is not recommended,
> but if you do, you can only set the permissions on the share from
> Windows. This means that your shares can only look like this:

This means that not all linux file system magic has effect if accessed by a windows client!?

>
> [groups]
> comment = Shared directories of groups you are member in.
> path = /home/groups
> read only = No
>
> You also need to read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
>
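
The review comments made in this thread, turned into a small smb.conf check. This is an added example, not part of any message above and not Samba project code; SAMPLE is constructed from the settings quoted in the thread, and the names norm, parse_smb_conf, review and DC_SHARE_ALLOWED are hypothetical.

```python
# SAMPLE is constructed from the settings quoted in the thread.
SAMPLE = """\
[global]
    server role = active directory domain controller
    winbind enum users = Yes
    winbind enum groups = Yes
    ntlm auth = yes
[groups]
    comment = Shared directories of groups you are member in.
    path = /home/groups
    inherit permissions = Yes
    inherit acls = Yes
    read only = No
"""
# The only parameters in the DC share Rowland shows (names normalized).
DC_SHARE_ALLOWED = {"comment", "path", "readonly"}

def norm(name):  # smb.conf ignores case and whitespace in parameter names
    return "".join(name.lower().split())

def parse_smb_conf(text):
    """Return {section: {normalized name: (name as written, value)}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, _, value = line.partition("=")
            current[norm(key)] = (key.strip(), value.strip())
    return sections

def review(text):
    """Return sorted (section, parameter, reason) findings from the thread's advice."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    value = lambda p: glob.get(norm(p), ("", ""))[1].lower()
    findings = []
    if value("ntlm auth") in ("yes", "true", "1", "ntlmv1-permitted"):
        findings.append(("global", "ntlm auth", "NTLMv1 still accepted"))
    for p in ("winbind enum users", "winbind enum groups"):
        if norm(p) in glob:
            findings.append(("global", p, "not needed, only slows things down"))
    if value("server role") == "active directory domain controller":
        for name, params in conf.items():
            extra = [] if name == "global" else set(params) - DC_SHARE_ALLOWED
            for k in extra:
                findings.append((name, params[k][0], "on a DC, set permissions from Windows"))
    return sorted(findings)
```

review(SAMPLE) reports the three [global] settings Rowland commented on plus the two inherit parameters on the share. For the RADIUS question raised above, smb.conf(5) also documents the value ntlm auth = mschapv2-and-ntlmv2-only, which this check does not flag.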