Web lists-archives.com

Re: [Samba] Samba 4.6.4 and Excel 2016 access denied if no Group mode permission




On Tue, 13 Feb 2018 19:24:49 +0000
"Walker, Jason M \(JSC-CD42\)\[Leidos Innovations Corporation\] via
samba" <samba@xxxxxxxxxxxxxxx> wrote:

> I am encountering a problem after upgrading Samba 3.x to Samba 4.6.4
> on AIX.  When trying to update a file in Excel 2016 from Windows 10
> clients, Excel gives an error trying to save the file with an Access
> Denied message.  I first thought it was a locking option and tried
> many variations of those, but what I have found is that if the file's
> access mode is 700 (User:RWX, Group:none, Everyone:none), the user
> cannot save the file; however if the file mode is changed to 740
> (User:RWS, Group:R, Everyone:non) the user may edit/overwrite the
> file.
> 
> I do not have an issue editing and saving files with Notepad or
> Notepad++, so this may be a problem in Excel's odd behavior of
> creating a new file and overwriting the original.  But I'm not sure
> how the Group mode bits affects the behavior and whether there is
> anything I can do to work around the problem.  We very much want to
> avoid granting any Group mode permissions as we have thousands of
> users with a shared default group.
> 
> We are using ADS mode as a Member Server, and restricting to NTLMv2
> and SMB2 protocols.  Excerpt from the configuration file:
> 
> security = ADS
> workgroup = MYDOMAIN
> realm = mydomain.gov
> lanman auth = no
> ntlm auth = no
> client lanman auth = no
> client ntlmv2 auth = yes
> client min protocol = SMB2
> client schannel = auto
> client signing = auto
> client use spnego = yes
> server schannel = auto
> server signing = auto
> wins support = no
> disable netbios = yes
> restrict anonymous = yes
> server min protocol = SMB2
> acl allow execute always = yes
> nt acl support = yes
> inherit acls = yes
> map acl inherit = yes
> map archive = yes
> map hidden = no
> map read only = yes
> map system = no
> store dos attributes = yes
> inherit permissions = yes
> dos filemode = yes
> unix extensions = no

What are you actually using for authentication ?
If it is winbind, you need to set it up correctly, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba