Hello,

I have a Fedora server, part of a domain, on which various shares are configured.

For one share, I want to set up permissions according to the groups to which the users belong. But it doesn't work. For example, I want the share to be accessible by group A in read-write mode, and group B in read-only mode. I use setfacl for this. But neither group A nor group B have access to the share: "Access Denied". The only way to access it is to authorize the "Domain Users" group or users instead of groups.

On servers, groups are recognized (wbinfo -g), as is user group membership (wbinfo -r).

Below is my smb.conf file (Samba 4.19.4).

Can you tell me what's wrong? Thanks a lot!

========

[global]

workgroup = MYDOM
realm = MYDOM.FR
security = ADS

bind interfaces only = yes
interfaces = lo eno1

log level = 3 passdb:5 auth:5
log file = /var/log/samba/%U.log
max log size = 50000

map to guest = bad uid

template shell = /bin/bash
template homedir = /home/%U

username map script = /bin/echo

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 10000-999999
idmap config MYDOM:unix_nss_info = yes

acl allow execute always = yes

vfs objects = acl_xattr
map acl inherit = yes

unix extensions = no


[ressources]
path = /data/ressources/
browseable = no
read only = no
force create mode = 770
force directory mode = 770
csc policy = disable
follow symlinks = yes
wide links = yes
hide dot files = yes
hide files = /desktop.ini/$RECYCLE.BIN/
vfs objects = recycle
recycle:repository = /data/ressources/.recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
recycle:excludedir = /recycle,/tmp,/temp,/TMP,/TEMP
On Fri, 23 Feb 2024 08:13:08 +0100 Nicolas Boiss? via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have a Fedora server, part of a domain, on which various shares are
> configured.
>
> For one share, I want to set up permissions according to the groups
> to which the users belong. But it doesn't work. For example, I want
> the share to be accessible by group A in read-write mode, and group B
> in read-only mode. I use setfacl for this. But neither group A nor
> group B have access to the share: "Access Denied".
> The only way to access it is to authorize the "Domain Users" group or
> users instead of groups.
>
> On servers, groups are recognized (wbinfo -g), as is user group
> membership (wbinfo -r).

Yes, but does 'getent group <GROUP_NAME>' show anything? 'wbinfo' just shows what is in AD; it is meaningless to Unix.

> Below is my smb.conf file (Samba 4.19.4).
>
> Can you tell me what's wrong? Thanks a lot!
>
> ========
>
> [global]
>
> workgroup = MYDOM
> realm = MYDOM.FR
> security = ADS
>
> bind interfaces only = yes
> interfaces = lo eno1
>
> log level = 3 passdb:5 auth:5
> log file = /var/log/samba/%U.log
> max log size = 50000
>
> map to guest = bad uid

Why 'bad uid'? Guest access in AD is a bad idea at the best of times, and if you are going to use it, then 'bad user' would be a better option; see 'man smb.conf'.

> template shell = /bin/bash
> template homedir = /home/%U
>
> username map script = /bin/echo

Why '/bin/echo'?

> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config MYDOM:backend = ad
> idmap config MYDOM:schema_mode = rfc2307
> idmap config MYDOM:range = 10000-999999
> idmap config MYDOM:unix_nss_info = yes
>
> acl allow execute always = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
> unix extensions = no
>
>
> [ressources]
> path = /data/ressources/
> browseable = no
> read only = no
> force create mode = 770
> force directory mode = 770
> csc policy = disable
> follow symlinks = yes
> wide links = yes
> hide dot files = yes
> hide files = /desktop.ini/$RECYCLE.BIN/
> vfs objects = recycle

Did you know that setting 'vfs objects = recycle' in this share overrides the 'vfs objects = acl_xattr' you have set in 'global'? To put it another way, you are only getting standard Linux ugo permissions on this share, no extended ACLs.

Rowland
You need to set vfs_acl_xattr on the share also:

[ressources]
vfs objects = recycle acl_xattr

If you set it only globally, it will be overridden by any other "vfs objects" line in a particular share, so you need to declare it again explicitly for the share.
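As an added illustration of the override behaviour the two replies describe (this is not code from the thread or from the Samba project), the following Python check parses an smb.conf excerpt, works out which vfs modules smbd would actually stack for each share, and reports any global module a share-level "vfs objects" line silently drops. The sample config is a constructed excerpt modelled on the poster's file, not the full file.

```python
import configparser

# Constructed excerpt modelled on the thread's smb.conf (not the poster's full file).
SMB_CONF = """
[global]
vfs objects = acl_xattr
map acl inherit = yes

[ressources]
path = /data/ressources/
read only = no
vfs objects = recycle

[public]
path = /data/public
"""

# Same file with the share re-listing the global module, as the last reply advises.
FIXED_CONF = SMB_CONF.replace("vfs objects = recycle", "vfs objects = recycle acl_xattr")

def parse_smb_conf(text):
    # smb.conf is INI-like: '#'/';' comments, case-insensitive keys, and the
    # whitespace inside a key name is not significant ("vfs objects" == "vfs  objects").
    cp = configparser.RawConfigParser(interpolation=None)
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return cp

def effective_vfs_objects(conf, share):
    """Module list smbd would stack for *share*.
    A share-level 'vfs objects' line replaces the global list outright;
    only shares with no line of their own inherit the global modules."""
    for section in (share, "global"):
        if conf.has_option(section, "vfs objects"):
            return conf.get(section, "vfs objects").split()
    return []

def shares_missing_global_modules(conf):
    """Map share -> global vfs modules dropped by that share's own 'vfs objects' line."""
    wanted = set(conf.get("global", "vfs objects", fallback="").split())
    findings = {}
    for share in conf.sections():
        if share == "global":
            continue
        missing = sorted(wanted - set(effective_vfs_objects(conf, share)))
        if missing:
            findings[share] = missing
    return findings
```

Running shares_missing_global_modules over the original excerpt flags [ressources] as having lost acl_xattr, while the corrected excerpt reports nothing; the same check can be pointed at a real file with open("/etc/samba/smb.conf").read().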