
[Samba] File/dir user permissions on Samba fileserver in DC

Hi, all

I am using Samba-4.3.5 as an AD member fileserver. It is running in an OpenVZ container (Proxmox VE). The domain is also built on Samba-4.3.5 (another VM). The fileserver's VM is mounted with the acl and user_xattr options, and Samba is compiled with ACL support.

There are domain users, for example "usr1" and "usr2". They are in the domain group "dg1".

There is a file path "/somepath/dir". Access to this directory is granted according to domain group membership. "usr1" can access "dir"; other users from "dg1" can also access "dir" and create files or directories in it. But none of the "dg1" users (except "usr2" and root, of course) can delete any files in this folder. Windows clients say "You must have permissions from usr2 to delete this file/directory". This is wrong.

It is as if the "sticky bit" were set, but it is not set on the file objects.

When file objects are created, Samba sets the following user rights:
===
:~# ls -l /somepath/dir

drwxrwx---  2 usr2  24 4096 mar 10 11:32 /somepath/dir
===
As we can see there, no SGID bit is set on the folders (nor on the parent folder). The owner of all file objects is "usr2".
===
:~# getfacl /somepath/dir
# file: dir
# owner: usr2
# group: dg1
user::rwx
group::rwx
other::---
===

lsattr /somepath/dir also shows that no attribute bits are set.

Even if a file object has 0777 rights, this doesn't help at all...

smb.conf:
===
[global]

workgroup = WG
security = ADS
realm = WG.LOCAL

netbios name = FSRV
server role = auto
encrypt passwords = yes
auth methods = winbind

log level = 0 vfs:1

idmap config * : backend = rid
idmap config * : range = 300000-400000
idmap config * : base_rid = 0
idmap config * :schema_mode = rfc2307
idmap_ldb:use rfc2307 = yes

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

max log size = 1000

syslog = 1

passdb backend = tdbsam
obey pam restrictions = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
unix password sync = yes

load printers = no
show add printer wizard = no
disable spoolss = yes
printcap name = /dev/null

os level = 1
case sensitive = no
hide unreadable = yes
#hide unwriteable files = yes
log writeable files on exit = yes

deadtime = 600
ea support = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY..

#======================= Share Definitions =======================
[q]
    comment = File share
    browseable = yes
    path = /somepath
    guest ok = no
    read only = no
    delete readonly = yes
    strict sync = yes
    sync always = yes

    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes
    map acl inherit = yes
    nt acl support = yes

    map system = yes
    veto files = /.snap/quota*/*.vmx/autorun.inf/

    valid users = +WG\all WG\admin
    admin users = +WG\it  WG\admin

    hide unreadable = yes
    vfs objects= acl_xattr

    access based share enum = yes
    map acl inherit = yes
    acl check permissions = yes
    map system = yes
===

What am I doing wrong?

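The post reasons about the delete failure from the POSIX mode bits that ls and getfacl show. As an added example (not code from the original post or from the Samba project), the block below models the Linux permission check for unlink()/rmdir(), including the POSIX.1e ACL algorithm from acl(5), and runs it against the situation described above: a directory owned by usr2, group dg1, mode 770, no sticky bit, containing a file owned by usr2. Deleting a name only needs write+search permission on the directory, not any right on the file itself, unless the sticky bit is set; so under POSIX rules a dg1 member is allowed to delete here. The uid/gid values are constructed for the example (picked inside the post's rid range 300000-400000) and are assumptions. With `vfs objects = acl_xattr`, what Samba actually enforces for SMB clients is the NT ACL stored in the `security.NTACL` extended attribute, which `ls`/`getfacl` do not show; `samba-tool ntacl get --as-sddl /somepath/dir` prints it, and that is where to look when the POSIX check says "allowed" but Windows says "denied". Also note that `inherit owner = yes` makes every new file owned by the parent directory's owner (usr2 here), which is why "Owner of all file objects is usr2".

```python
"""Model of the Linux access check for deleting a directory entry.

Rules implemented (Linux VFS + acl(5) "ACCESS CHECK ALGORITHM"):
  * unlink()/rmdir() needs MAY_WRITE|MAY_EXEC on the *parent* directory;
    the target's own mode bits do not matter.
  * With the sticky bit (S_ISVTX) on the parent, the caller must also own
    the target or the directory (or be root).
  * Extended POSIX ACLs: owner -> named user -> owning group / named
    groups (each masked) -> other.  Per getfacl output, `mode` group bits
    are the real group:: entry and the ACL mask is kept separately.
"""
import stat
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

R, W, X = 4, 2, 1

# Constructed ids for the example (assumed; inside the post's rid range).
USR1, USR2, DG1 = 300001, 300002, 300010


@dataclass
class Node:
    uid: int
    gid: int
    mode: int                                  # full st_mode, e.g. 0o40770
    acl_users: Dict[int, int] = field(default_factory=dict)   # user:NAME:rwx
    acl_groups: Dict[int, int] = field(default_factory=dict)  # group:NAME:rwx
    mask: Optional[int] = None                 # mask::rwx, None = no extended ACL


def has_access(node: Node, uid: int, gids: set, want: int) -> bool:
    """True if a process (uid, supplementary gids) holds all bits in `want`."""
    if uid == 0:
        return True                             # CAP_DAC_OVERRIDE
    mask = 7 if node.mask is None else node.mask
    if uid == node.uid:
        return (want & (node.mode >> 6) & 7) == want
    if uid in node.acl_users:
        return (want & node.acl_users[uid] & mask) == want
    in_group_class = False
    if node.gid in gids:
        in_group_class = True
        if (want & (node.mode >> 3) & 7 & mask) == want:
            return True
    for gid, bits in node.acl_groups.items():
        if gid in gids:
            in_group_class = True
            if (want & bits & mask) == want:   # each entry must carry all bits
                return True
    if in_group_class:
        return False                            # matched a group entry, denied
    return (want & node.mode & 7) == want


def can_unlink(parent: Node, target: Node, uid: int, gids: set) -> Tuple[bool, str]:
    """Decide whether `uid` may remove `target`'s name from `parent`."""
    if not has_access(parent, uid, gids, W | X):
        return False, "no write+search permission on the parent directory"
    if parent.mode & stat.S_ISVTX and uid not in (0, parent.uid, target.uid):
        return False, "sticky bit set and caller owns neither directory nor file"
    return True, "allowed by POSIX rules"


def post_scenario() -> Dict[str, Tuple[bool, str]]:
    """The directory from the post (drwxrwx--- usr2:dg1) plus two variants."""
    d = Node(uid=USR2, gid=DG1, mode=0o40770)           # /somepath/dir
    f = Node(uid=USR2, gid=DG1, mode=0o100660)          # a file usr2 "owns"
    sticky_d = Node(uid=USR2, gid=DG1, mode=0o41770)    # same dir with +t
    acl_d = Node(uid=USR2, gid=DG1, mode=0o40750,       # group::r-x, but a
                 acl_groups={DG1: R | W | X}, mask=R | W | X)  # group:dg1:rwx ACE
    return {
        "usr1 in dg1, plain 770 dir":   can_unlink(d, f, USR1, {DG1}),
        "usr1 not in dg1":              can_unlink(d, f, USR1, set()),
        "usr1 in dg1, sticky dir":      can_unlink(sticky_d, f, USR1, {DG1}),
        "usr2 (owner), sticky dir":     can_unlink(sticky_d, f, USR2, {DG1}),
        "usr1 via named-group ACE":     can_unlink(acl_d, f, USR1, {DG1}),
    }


if __name__ == "__main__":
    for case, (ok, why) in post_scenario().items():
        print(f"{case:32s} -> {'delete OK ' if ok else 'DENIED    '} ({why})")
```

Running it shows that the mode bits in the post already permit every dg1 member to delete, so a client-side "need permission from usr2" error cannot come from these bits; compare the stored NT ACL with `samba-tool ntacl get --as-sddl` on both the directory and a freshly created file.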