Using Samba+winbind 3.3.8 as a fileserver on a Win2008 domain. getent and wbinfo are reporting correct information about users. However, my group directories are allowing people who shouldn't be allowed. From the shell everything is working as expected, but not from Samba. What did I miss?

Exported share: /export/users

drwxr-x---+ 7 root root 4096 Mar 18 14:57 group   # (teams directories)
 \---- tech
 \--- prod

- Working from shell
# su prod-user
$ ls tech/
ls: tech/: Permission denied

- Not working from smbclient
# smbclient -U prod-user //fileserver/share
Domain=[FOO] OS=[Unix] Server=[Samba 3.3.8-0.52.el5_5.2]
smb: \> cd group/tech/
smb: \group\tech\>

---------- Group --
# getent group | grep prod-user
prod:*:10004:prod-user,(...)

---------- Acls --
# file: group
# owner: root
# group: root
user::rwx
group::r-x
group:domain\040users:r-x
mask::r-x
other::---

# file: group/tech
# owner: root
# group: root
user::---
group::---
group:tech:rwx
mask::rwx
other::---
default:user::---
default:group::---
default:group:tech:rwx
default:mask::rwx
default:other::---

---------- Build options --
# smbd -b | grep -i acl
   HAVE_SYS_ACL_H
   HAVE_ACL_LIBACL_H
   HAVE_POSIX_ACLS
   vfs_acl_tdb_init
   vfs_acl_xattr_init
   pdb_ldap pdb_smbpasswd pdb_tdbsam rpc_lsarpc rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl2 rpc_ntsvcs2 rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog2 rpc_samr idmap_ldap idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin vfs_default vfs_posixacl

---------- smb.conf --
[global]
    workgroup = FOO
    realm = FOO.BAR
    local master = no
    domain master = no
    preferred master = no
    server string = SOVO File Server
    security = ads
    encrypt passwords = yes
    password server = dc1.foo.bar, dc2.foo.bar
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    load printers = no
    printcap name = /dev/null
    disable spoolss = yes
    show add printer wizard = no
    client ntlmv2 auth = yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind refresh tickets = yes
    winbind reconnect delay = 15
    winbind separator = +
    winbind cache time = 120
    winbind nss info = rfc2307
    winbind offline logon = true
    passdb backend = tdbsam
    idmap negative cache time = 120
    idmap cache time = 900
    idmap config FOO : backend = ad
    idmap config FOO : readonly = yes
    idmap config FOO : schema_mode = rfc2307
    idmap config FOO : range = 10000-4000000000
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    nt acl support = no
    acl check permissions = true
    acl compatibility = auto
    acl group control = no
    acl map full control = false

[share]
    path = /export/users
    writable = yes
    browseable = yes
    hide unreadable = yes
    hide dot files=yes
    hide files=/lost+found/
    valid users = @tech @man @prod