This is seen on both Linux and Solaris. We have a setup where we have project directory trees where the files are owned by various users but also by a group that the various users are members of. The group permissions are set to allow group write access. With Samba 4.1.* and earlier everyone in the group can create files in these directories. With Samba 4.2.0, we get an 'Access is denied' error.
Some additional information. The unix users/groups come from nis. I am not running winbindd except occasionally as a test to see if it makes a difference. I set the group permissions using the unix command 'chmod g+w'. On many of the directories there is an acl set to force the default group permission to include write. The smb.conf is as follows:

    # Global parameters
    [global]
        workgroup = ADI
        realm = adi.com
        server string =
        security = ADS
        guest account = nobody2
        client NTLMv2 auth = No
        log file = /opt/local/samba4/var/logs/%h/log.%m
        max log size = 1500
        name resolve order = bcast host
        unix extensions = No
        client signing = if_required
        client ldap sasl wrapping = plain
        printcap name = /etc/printers.samba
        dns proxy = No
        lock directory = /var/samba/locks/%h
        pid directory = /var/samba/locks/%h
        winbind sealed pipes = No
        require strong key = No
        idmap config * : backend = tdb
        printing = sysv
        include = /opt/local/samba4/etc/smb.conf.mackerel
        wide links = Yes
        delete readonly = Yes
        dos filemode = Yes
        msdfs root = Yes

    [zacltest2]
        comment = Acl test
        path = /home/users/schulz/tmp
        read only = No
        inherit permissions = Yes

For a directory with an ACL, the ACL looks like this:

    # file: acltest2
    # owner: atest
    # group: atest
    user::rwx
    group::rwx #effective:rwx
    mask:rwx
    other:r-x
    default:user::rwx
    default:group::rwx
    default:mask:rwx
    default:other:r-x
My report is somewhat incorrect. The problem with not honoring group write permissions only occurs if winbindd is running. I never ran winbindd with Samba 4.1.*. I started running it because of the problems reported in Bug 11098. As reported there, it is possible to run Samba 4.2.* without running winbindd if I use security=ads. If I do not run winbindd then the group write permissions are honored. I just tried Samba 4.1.17 and it has the same problem with using group write permissions if winbindd is running. So this is not a regression, at least not one against 4.1.*.
You do not have a proper idmapping configuration; this is not a bug but a misconfiguration. The wiki has a number of examples for valid idmap configs.