Rowland penny
2020-Dec-12 18:22 UTC
[Samba] Permission issue with home directory and groups with deny access
On 12/12/2020 17:48, doomas at gmx.ch wrote:
> I don't know. The numbers match however with getent output:
>
> #getent group
> ...
> share_schueler_rw:x:11224:
> nxc_grp_benutzer:x:11161:
> nxc_grp_schueler:x:11162:
> share_benutzer_d:x:11226:
> share_benutzer_r:x:11227:
> share_config_rwx:x:11213:
> share_klassen_rw:x:11234:
> share_lehrer_rwx:x:11181:
> share_schueler_d:x:11222:
> share_schueler_r:x:11223:
> ...

Ah, I see the problem now, somehow you seem to have added the groups as users, now on Windows this wouldn't be a problem because Windows allows groups to own things, but Unix normally doesn't. I say normally because a Samba AD DC does allow groups to own things (just as long as you do not add a gidNumber to the group). I would revisit the point where you added the groups to the share (Actually, why did you add the groups?) and ensure that they are added as groups and not users.

Rowland
doomas at gmx.ch
2020-Dec-12 22:22 UTC
[Samba] Permission issue with home directory and groups with deny access
On 12.12.20 at 19:22, Rowland penny via samba wrote:
> On 12/12/2020 17:48, doomas at gmx.ch wrote:
>> I don't know. The numbers match however with getent output:
>>
>> #getent group
>> ...
>> share_schueler_rw:x:11224:
>> nxc_grp_benutzer:x:11161:
>> nxc_grp_schueler:x:11162:
>> share_benutzer_d:x:11226:
>> share_benutzer_r:x:11227:
>> share_config_rwx:x:11213:
>> share_klassen_rw:x:11234:
>> share_lehrer_rwx:x:11181:
>> share_schueler_d:x:11222:
>> share_schueler_r:x:11223:
>> ...
>
> Ah, I see the problem now, somehow you seem to have added the groups
> as users, now on Windows this wouldn't be a problem because Windows
> allows groups to own things, but Unix normally doesn't. I say normally
> because a Samba AD DC does allow groups to own things (just as long as
> you do not add a gidNumber to the group). I would revisit the point
> where you added the groups to the share (Actually, why did you add the
> groups?) and ensure that they are added as groups and not users.
>
> Rowland

I've set the permissions for the share on Windows in the "Advanced Security Settings". All groups that I assign this way will be added automatically also as user (e.g. "user:11123:rwx") to the ACL. I thought this is normal. I see the same behavior on 3 other Samba installations that I manage (and all have been running smoothly for many years).

I add 4 groups (deny, read, write, full) on every share (except user home directories). It's just a way to manage the access privileges on shares. If they are there from the beginning, I almost never need to touch the access rights on a share again. I just add users/groups to these 4 groups as needed.

This is just the first time I added these groups (deny, read, write, full) to a share for user home directories, because I need to allow certain groups/users to access all the home directories. And so I stumbled upon this problem that when the "Deny Group" (Denies all privileges on the share. It is just an empty group with no groups/users assigned) is added to the share, the home directory creation with "Active Directory Users and Computers" seems to not set up the permissions on the folder properly.

Like I said, it's not really a big issue for me. I just don't add the "Deny Group" on a share for user home folders. It seems to me just like a bug (maybe not even in Samba, I will try to test this next week on a Windows server).

Thomas
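
An added example, not part of either message above: a Python check that compares `getfacl -n` style ACL entries with `getent group` output and lists the `user:` entries whose numeric ID is also a group GID, which is the situation discussed in this thread. The group lines are taken from the quoted getent output; the ACL text, the path `home/alice` and the owner/group IDs in it are constructed for illustration.

```python
import re

# Group lines as quoted in the thread (subset of the getent group output).
GETENT_GROUP = """\
share_benutzer_d:x:11226:
share_benutzer_r:x:11227:
share_lehrer_rwx:x:11181:
"""

# Constructed sample of `getfacl -n` output for a home directory.
GETFACL = """\
# file: home/alice
# owner: 3000020
# group: 10000
user::rwx
user:3000020:rwx
user:11226:---
user:11181:rwx
group::r-x
group:11226:---
mask::rwx
other::---
default:user:11226:---
"""

# Named numeric entries only; tolerates a trailing "#effective:..." comment.
ACL_RE = re.compile(r"^(default:)?(user|group):(\d+):([rwx-]{3})\s*(?:#.*)?$")

def parse_groups(text):
    """Map gid -> group name from getent lines (name:passwd:gid:members)."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[int(parts[2])] = parts[0]
    return groups

def groups_listed_as_users(acl_text, groups):
    """Return sorted (scope, group, id, perms) for user: entries whose id is a gid."""
    hits = set()
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(2) == "user" and int(m.group(3)) in groups:
            scope = "default" if m.group(1) else "access"
            hits.add((scope, groups[int(m.group(3))], int(m.group(3)), m.group(4)))
    return sorted(hits)

if __name__ == "__main__":
    for scope, name, gid, perms in groups_listed_as_users(GETFACL, parse_groups(GETENT_GROUP)):
        print(f"{scope:8} user:{gid}:{perms}  is group {name}")
```

On a real system the two inputs would come from `getent group` and `getfacl -n <directory>`; a deny group that shows up as `user:<gid>:---` is the entry to look at first when a home directory ends up with unexpected permissions.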