Re: [Samba] Bit SGID on directories

On Mon, 19 Jun 2017 16:00:52 +0200
Frédéric POUGNAULT via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> I have a samba server v4.6.5, it’s a member of a Windows 2003 domain.

I don't know if you are aware, but Windows 2003 is EOL.

> I setup a share, in this share I want to set sgid bit on directories.

No don't, you might think you do, but you don't really ;-)

I am very sure we have been here already, but let's try again ;-)

You do not need to put these in smb.conf, they are all default settings and just make your smb.conf difficult to read.

use sendfile = no
smb ports = 445 139
dos charset = 850
unix charset = UTF-8
unix extensions = yes
client ntlmv2 auth = yes
host msdfs = yes
wins support = no
browseable = yes
browse list = yes
inherit acls = no
nt acl support = yes
inherit permissions = no
enhanced browsing = yes
getwd cache = yes
wide links = no

I also think you should not set these, see comments 
gpfs:getrealfilename = no # are you using AIX? It also should be in a share now, but never mind, you haven't loaded the vfs module anyway.
os level = 2 # why bother setting this, the DC will win anyway
time server = yes # really, in an AD domain, the DC should be the time server
max protocol = SMB2 # I hope that no Win 8.1 (or later) machines will want to connect
posix locking = no # why do you feel you need to set this?
name resolve order = wins host lmhosts bcast # try setting this to 'wins bcast' if you must set it
password server = MyPasswordServer # do not set this, let Samba find the DC for you.
logon path = \\server\%U # on a fileserver?
unix password sync = Yes # you cannot have Unix users with the same name in /etc/passwd and AD, so why set this?
passwd program = /usr/bin/passwd %u # this is for Unix users in /etc/passwd
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *password:*all*authentication*tokens*updated*successfully # this for Unix users in /etc/passwd
pam password change = yes # not going to work
obey pam restrictions = Yes # no point, it will do nothing
wins server = MYWINS # this should be an IP, but I wouldn't bother because you are using AD
public = yes # this is allowing guest access, but 'map to guest' isn't set
lm announce = yes # do you have any OS/2 clients ?
auto services = yes # this should be a list of services, not 'yes', but I wouldn't bother setting this
remote browse sync = MyRemoteBrowseSync # do you really need to set this ?
remote announce = X.X.X.0/24 # again, do you really need to set this ?
nmbd bind explicit broadcast = no # you should not set this

What is in '/etc/samba/smb.conf.%m' ?

I would make your [global] part of the smb.conf look like this:

    workgroup = MYREALM
    security = ADS
    realm = MYREALM.COM
    netbios name = DATA30
    server string =
    winbind separator = +
    winbind cache time = 15
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

    idmap config * : backend = tdb
    idmap config * : range = 20000-30000
    idmap config MYREALM : backend = rid
    idmap config MYREALM : range = 60000-50000000

    template homedir = /home/%U
    template shell = /bin/bash

    interfaces = eth0
    bind interfaces only = true
    load printers = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    log level = 0 acls:10

Create /etc/samba/user.map containing this:

!root = MYREALM\Administrator MYREALM\administrator Administrator administrator

I would replace this share:

    comment =
    path = /home/fred
    valid users = @MYREALM+FREDGROUP
    public = no
    writable = yes
    printable = no
    browsable = yes
    preserve case = yes
    short preserve case = yes
    default case = lower
    case sensitive = no
    msdfs root = yes
    create mask = 770
    force create mode = 670
    force directory mode = 2770
    directory mask = 770
    store dos attributes = yes

with this:

    comment =
    path = /home/fred
    read only = no

And then set the ACLs from Windows, see here:


This way, you should get inheritance.
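The advice above (drop parameters that only restate defaults, stop forcing Unix modes such as the SGID bit, and do not set 'public' without 'map to guest') can be mechanised as a small smb.conf lint. The following is an added example, not code from this thread or from the Samba project. It assumes the list of defaults given in the reply (it is not a complete table of Samba defaults), folds Samba's parameter-name rules (case-insensitive, whitespace ignored, a few synonyms) into one key, and runs against a constructed sample smb.conf modelled on the original poster's configuration, not his real file.

```python
"""Lint an smb.conf the way the reply above does: flag parameters that merely
restate Samba defaults, Unix mode forcing (including the SGID bit), and guest
access requested without 'map to guest'. Added example, not Samba's own code."""
import re

# Parameters the reply lists as Samba defaults (normalised name -> default).
# Taken from the reply, so this is an assumption, not a complete default table.
REDUNDANT_DEFAULTS = {
    "usesendfile": "no", "smbports": "445 139", "doscharset": "850",
    "unixcharset": "utf-8", "unixextensions": "yes", "clientntlmv2auth": "yes",
    "hostmsdfs": "yes", "winssupport": "no", "browseable": "yes",
    "browselist": "yes", "inheritacls": "no", "ntaclsupport": "yes",
    "inheritpermissions": "no", "enhancedbrowsing": "yes", "getwdcache": "yes",
    "widelinks": "no",
}

# Samba accepts several spellings for some parameters; fold them to one name.
SYNONYMS = {
    "browsable": "browseable", "guestok": "public", "writeable": "writable",
    "createmode": "createmask", "directorymode": "directorymask",
}

# Mode-forcing parameters the reply removes so Windows ACLs can do inheritance.
UNIX_MODE_PARAMS = {"createmask", "forcecreatemode", "directorymask", "forcedirectorymode"}


def normalise_key(key):
    """Samba compares parameter names case-insensitively and ignores whitespace."""
    k = re.sub(r"\s+", "", key).lower()
    return SYNONYMS.get(k, k)


def normalise_value(value):
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    return v


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}. Only whole-line comments
    ('#' or ';' in the first column) are stripped, as Samba itself does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][normalise_key(key)] = value.strip()
    return sections


def lint(text):
    """Return a list of (section, parameter, finding) tuples."""
    conf = parse_smb_conf(text)
    findings = []
    glob = conf.get("global", {})
    for key, val in glob.items():
        if REDUNDANT_DEFAULTS.get(key) == normalise_value(val):
            findings.append(("global", key, "restates the Samba default; remove it"))
    map_to_guest = normalise_value(glob.get("maptoguest", "never"))
    for name, params in conf.items():
        if name == "global":
            continue
        for key in sorted(params.keys() & UNIX_MODE_PARAMS):
            try:
                mode = int(params[key], 8)
            except ValueError:
                findings.append((name, key, "not an octal mode"))
                continue
            if mode & 0o2000:
                findings.append((name, key, "SGID bit forced via Unix mode; use Windows ACL inheritance instead"))
            else:
                findings.append((name, key, "Unix mode forcing; prefer Windows ACLs with acl_xattr"))
        # 'public' may be set per share or inherited from [global].
        public = normalise_value(params.get("public", glob.get("public", "no")))
        if public == "yes" and map_to_guest == "never":
            findings.append((name, "public", "guest access allowed but 'map to guest' is not set"))
    return findings


# Constructed sample modelled on the original poster's smb.conf (not his actual file).
SAMPLE_SMB_CONF = """
[global]
   workgroup = MYREALM
   security = ADS
   realm = MYREALM.COM
   use sendfile = no
   smb ports = 445 139
   Unix Charset = UTF-8
   wide links = no
   browsable = yes
   public = yes
   ; map to guest is not set, so 'public' above buys nothing
   max protocol = SMB2

[fred]
   path = /home/fred
   valid users = @MYREALM+FREDGROUP
   public = no
   writable = yes
   create mask = 770
   force create mode = 670
   force directory mode = 2770
   directory mask = 770

[scratch]
   path = /srv/scratch
   read only = no
"""

if __name__ == "__main__":
    for section, param, finding in lint(SAMPLE_SMB_CONF):
        print(f"[{section}] {param}: {finding}")
```

Running the block prints five redundant [global] defaults, the four mode-forcing parameters in [fred] (with 'force directory mode = 2770' called out as the SGID case), and a guest-access warning for [scratch], which inherits 'public = yes' from [global]; [fred] is not flagged because it overrides 'public' to no.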


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba