Re: [Samba] Bit SGID on directories
- Date: Mon, 19 Jun 2017 16:51:32 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Bit SGID on directories
On Mon, 19 Jun 2017 16:00:52 +0200
Frédéric POUGNAULT via samba <samba@xxxxxxxxxxxxxxx> wrote:
> I have a samba server v4.6.5, it’s a member of a Windows 2003 domain.
I don't know if you are aware, but Windows 2003 is EOL.
> I setup a share, in this share I want to set sgid bit on directories.
No don't, you might think you do, but you don't really ;-)
I am very sure we have been here already, but lets try again ;-)
You do not need to put these in smb.conf, they are all default settings and just make your smb.conf difficult to read.
use sendfile = no
smb ports = 445 139
dos charset = 850
unix charset = UTF-8
unix extensions = yes
client ntlmv2 auth = yes
host msdfs = yes
wins support = no
browseable = yes
browse list = yes
inherit acls = no
nt acl support = yes
inherit permissions = no
enhanced browsing = yes
getwd cache = yes
wide links = no
I also think you should not set these, see comments
gpfs:getrealfilename = no # are you using AIX ? it also should be in a share now, but never mind, you haven't loaded the vfs module anyway.
os level = 2 # why bother setting this, the DC will win anyway
time server = yes # really, in an AD domain, the DC should be the time server
max protocol = SMB2 # I hope that no win 8.1 machines up will want to connect
posix locking = no # why do feel you need to set this ?
name resolve order = wins host lmhosts bcast # try setting this to 'wins bcast' if you must set it
password server = MyPasswordServer # do not set this, let Samba find the DC for you.
logon path = \\server\%U # on a fileserver ?
unix password sync = Yes # you cannot have Unix users with the same name in /etc/passwd and AD, so why set this.
passwd program = /usr/bin/passwd %u # this is for Unix users in /etc/passwd
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *password:*all*authentication*tokens*updated*successfully # this for Unix users in /etc/passwd
Pam password change = yes # not going to work
obey pam restrictions = Yes # no point, it will do nothing
wins server = MYWINS # this should be an IP, but I wouldn't bother because you are using AD
public = yes # this is allowing guest access, but 'map to guest' isn't set
lm announce = yes # do you have any OS/2 clients ?
auto services = yes # this should be a list of services, not 'yes', but I wouldn't bother setting this
remote browse sync = MyRemoteBrowseSync # do you really need to set this ?
remote announce = X.X.X.0/24 # again, do you really need to set this ?
nmbd bind explicit broadcast = no # you should not set this
What is in '/etc/samba/smb.conf.%m' ?
I would make your [global] part of the smb.conf look like this:
workgroup = MYREALM
security = ADS
realm = MYREALM.COM
netbios name = DATA30
server string =
winbind separator = +
winbind cache time = 15
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap config *:backend = tdb
idmap config * : range = 20000-30000
idmap config MYREALM : backend = rid
idmap config MYREALM : range = 60000-50000000
template homedir = /home%U
template shell = /bin/bash
interfaces = eth0
bind interfaces only = true
load printers = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
log level = 0 acls:10
Create /etc/samba/user.map containing this:
!root = MYREALM\Administrator MYREALM\administrator Administrator administrator
I would replace this share:
path = /home/fred
valid users = @MYREALM+FREDGROUP
public = no
writable = yes
printable = no
browsable = yes
preserve case = yes
short preserve case = yes
default case = lower
case sensitive = no
msdfs root = yes
create mask = 770
force create mode = 670
force directory mode = 2770
directory mask = 770
store dos attributes = yes
path = /home/fred
read only = no
And then set the ACLs from windows, see here:
This way, you should get inheritance.
To unsubscribe from this list go to the following URL and read the