Samba4: ACLs inheritance: owner group will be changed to “domain users” in new created files/dirs
Samba Version 4.3.11 on Ubuntu Xenial server (16.04)
In smb.conf I have:
Server role: ROLE_DOMAIN_MEMBER
[global]
...
inherit permissions = Yes
inherit acls = Yes
# I needed this due to another issue
server max protocol = NT1
max protocol = NT1
protocol = NT1
...
[institute]
...
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
I'm always setting/administering the shares from the Linux side.
I've set a directory's ACLs like this:
# getfacl .
# file: .
# owner: rawi
# group: hg_pat
# flags: -s-
user::rwx
group::r-x
group:hg_qm:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:hg_qm:rwx
default:mask::rwx
default:other::---
Now I create a directory TEST underneath it from the Windows client side and look at the ACLs:
# getfacl TEST
# file: TEST/
# owner: rawi
# group: domain\040users
user::rwx
user:rawi:rwx
group::r-x
group:domain\040users:r-x
group:hg_qm:rwx
mask::rwx
other::---
default:user::rwx
default:user:rawi:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:hg_qm:rwx
default:mask::rwx
default:other::---
... the standard group is now "domain users", but not everyone should have rights here, only the groups hg_pat (r-x) and hg_qm (rwx).
Btw., whether or not the following is in the config makes no difference to the inheritance:
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
Without ACLs, with only one group allowed, there is no problem: the sgid does this well.
But when two groups need different rights, and thus ACLs are needed, Samba inactivates the sgid and adds the unwanted "domain users" as "CREATOR GROUP".
How can I avoid this group change and get a clean inheritance?
Thanks
Rawi
permissions samba samba4 setfacl
edited Aug 3 '18 at 12:31
rawi
asked Aug 3 '18 at 11:52
rawi
1 Answer
Adding inherit owner = yes to smb.conf would preserve the group ownership you set on your parent folder to all subsequent folders created Windows-side.
You'd have something like this:
# getfacl TEST
# file: TEST/
# owner: rawi
# group: hg_pat
# flags: -s-
user::rwx
group::r-x
group:hg_qm:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:hg_qm:rwx
default:mask::rwx
default:other::---
answered May 8 at 10:47
Anne
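An added example, not part of the original thread: a Python check that parses two getfacl listings and reports where a directory created through Samba deviates from its parent's owning group, setgid flag and default ACL, which is useful for confirming the effect of a change such as the `inherit owner` setting suggested above. The function names are hypothetical, and the sample listings are constructed from the output in the question, with the group name written using getfacl's `\040` escape for a space (an assumption).

```python
import re

def unescape(name):
    # getfacl writes special characters in names as octal escapes ("\040" is a space)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Parse one getfacl listing into header fields plus access/default entry maps."""
    acl = {"owner": None, "group": None, "flags": "---", "access": {}, "default": {}}
    for line in map(str.strip, text.splitlines()):
        header = re.match(r"#\s*(owner|group|flags):\s*(\S+)", line)
        if header:
            acl[header.group(1)] = unescape(header.group(2))
        if not line or line.startswith("#"):
            continue
        line = line.split("#")[0].strip()  # drop a trailing "#effective:..." note
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        acl[scope][(tag, unescape(qualifier))] = perms
    return acl

def inheritance_drift(parent, child):
    """Report where a child directory deviates from what the parent should hand down."""
    findings = []
    if child["group"] != parent["group"]:
        findings.append(f"owning group {parent['group']!r} -> {child['group']!r}")
    if parent["flags"][1] == "s" and child["flags"][1] != "s":
        findings.append("setgid bit lost")
    expected = parent["default"]  # a new directory gets this as access AND default ACL
    for scope in ("access", "default"):
        for (tag, who), perms in child[scope].items():
            if (tag, who) not in expected:
                findings.append(f"{scope}: unexpected {tag}:{who}:{perms}")
            elif expected[(tag, who)] != perms:
                findings.append(f"{scope}: {tag}:{who} is {perms}, not {expected[(tag, who)]}")
        findings += [f"{scope}: missing {t}:{w}" for (t, w) in expected if (t, w) not in child[scope]]
    return findings

# Sample listings constructed from the question's output (assumed "\040" space escape).
def listing(header, entries):
    return "\n".join(header + entries + ["default:" + e for e in entries])
ENTRIES = ["user::rwx", "group::r-x", "group:hg_qm:rwx", "mask::rwx", "other::---"]
PARENT = listing(["# owner: rawi", "# group: hg_pat", "# flags: -s-"], ENTRIES)
CHILD = listing(["# owner: rawi", r"# group: domain\040users"],
                ENTRIES[:1] + ["user:rawi:rwx", "group::r-x", r"group:domain\040users:r-x"] + ENTRIES[2:])

if __name__ == "__main__":
    print("\n".join(inheritance_drift(parse_getfacl(PARENT), parse_getfacl(CHILD))))
```

A listing that matches the parent's, like the one shown in the answer, yields an empty list.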