Re: [Samba] Problem with rights in samba 4.9.0




On Tue, 30 Oct 2018 14:51:32 -0300 (BRT)
"Gabriel O. Franca via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> Good afternoon everyone,
>
> I have a problem that I cannot solve. I have installed Samba 4.9.0
> on CentOS 7.5 using XFS.
>
> In the DPTO share I have the departmental folders, which I gave the
> rights to the groups.
>
> The problem:
>
> When a user creates a file within some sub-folders, the group's rights
> do not arrive in the file; it is read-only.
>
> When the user accesses a website and downloads the file directly to
> the share, nobody in the group can access that file, and when I go
> through Windows, right-click and access the Security tab, it
> closes.
>
> I need some help to understand how to use ACLs and give rights
> correctly.
>
> The smb.conf follows:
>
> # Global parameters 
> [global] 
> netbios name = SAMBA 
> realm = NOIR.CORP 
> server role = active directory domain controller 
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = NOIR
> ldap server require strong auth = no 
> idmap_ldb:use rfc2307 = yes 
> vfs objects = recycle acl_xattr 

Remove 'acl_xattr', it is built in on a DC.

> map acl inherit = Yes 
> store dos attributes = Yes

Same goes for the above two lines.
 
> recycle:keeptree = yes 
> recycle:versions = yes 
> recycle:repository = /dados/trash/%U 
> recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso 
> recycle:exclude_dir = tmp, cache 
> 
> [dpto] 
> path = /dados/dpto 
> read only = No 
> hide unreadable = yes 
> hide unwriteable files = yes 
> # Block media extensions in Samba
> # veto files = /*.mp3/*.nws/*.{*}/*.avi/*.mpeg/*.mpg/*.wma/*.wmv/*.exe
> # do not try to take a lock on these files
> veto oplock files = /*.doc/*.xls/*.mdb/*.docx/*.DOC/*.DOCX/*.XLSX/*.xlsx/*.rtf/*.RTF/

Your main problem is that you are using a DC as a fileserver and are
trying to set it up as if it is a fileserver; this doesn't work.
You need to use Windows ACLs. For more info, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
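
A small check for the lines the reply says to remove, as an added example that is not part of the original thread: it scans an smb.conf and, only when the server role is an AD DC, reports `acl_xattr` in `vfs objects` plus any `map acl inherit` and `store dos attributes` lines. The function names and the sample config (cut down from the one quoted above) are assumptions made for illustration.

```python
import re

DC_ROLE = "active directory domain controller"
# Per the reply: these are built in on a DC (names lower-cased, spaces removed).
BUILTIN = {"mapaclinherit", "storedosattributes"}

# Constructed sample, cut down from the smb.conf quoted in the thread.
SAMPLE = """\
[global]
server role = active directory domain controller
vfs objects = recycle acl_xattr
map acl inherit = Yes
store dos attributes = Yes
recycle:keeptree = yes

[dpto]
path = /dados/dpto
read only = No
"""

def parse(conf_text):
    """Yield (line_no, section, normalized_key, value) for each parameter."""
    section = None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            yield no, section, re.sub(r"\s+", "", key).lower(), value.strip()

def redundant_on_dc(conf_text):
    """Return (line_no, section, replacement) per line to change; None = delete."""
    params = list(parse(conf_text))
    if not any(s == "global" and k == "serverrole" and v.lower() == DC_ROLE
               for _, s, k, v in params):
        return []  # not a DC: the reply's advice does not apply
    findings = []
    for no, section, key, value in params:
        modules = re.split(r"[\s,]+", value)
        if key == "vfsobjects" and "acl_xattr" in modules:
            kept = " ".join(m for m in modules if m != "acl_xattr")
            findings.append((no, section, f"vfs objects = {kept}" if kept else None))
        elif key in BUILTIN:
            findings.append((no, section, None))
    return findings
```

Calling `redundant_on_dc(SAMPLE)` returns one tuple per line to edit, with the replacement text for `vfs objects` and `None` for lines to delete.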
