Bug 11192 - Group write permission not honored running winbind
Summary: Group write permission not honored running winbind
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.2.0
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2015-04-02 18:52 UTC by Tom Schulz
Modified: 2018-02-13 22:57 UTC

Description Tom Schulz 2015-04-02 18:52:38 UTC
This is seen on both Linux and Solaris. We have a setup where we have project directory trees where the files are owned by various users but also by a group that the various users are a member of. The group permissions are set to allow group write access. With Samba 4.1.* and earlier everyone in the group can create files in these directories. With Samba 4.2.0, we get an 'Access is denied' error.
Comment 1 Tom Schulz 2015-04-14 18:04:35 UTC
Some additional information.

The unix users/groups come from NIS. I am not running winbindd except
occasionally as a test to see if it makes a difference. I set the group
permissions using the unix command 'chmod g+w'. On many of the directories
there is an acl set to force the default group permission to include

The smb.conf is as follows:

# Global parameters
[global]
        workgroup = ADI
        realm = adi.com
        server string = 
        security = ADS
        guest account = nobody2
        client NTLMv2 auth = No
        log file = /opt/local/samba4/var/logs/%h/log.%m
        max log size = 1500
        name resolve order = bcast host
        unix extensions = No
        client signing = if_required
        client ldap sasl wrapping = plain
        printcap name = /etc/printers.samba
        dns proxy = No
        lock directory = /var/samba/locks/%h
        pid directory = /var/samba/locks/%h
        winbind sealed pipes = No
        require strong key = No
        idmap config * : backend = tdb
        printing = sysv
        include = /opt/local/samba4/etc/smb.conf.mackerel
        wide links = Yes
        delete readonly = Yes
        dos filemode = Yes
        msdfs root = Yes

        comment = Acl test
        path = /home/users/schulz/tmp
        read only = No
        inherit permissions = Yes

For a directory with an ACL, the ACL looks like this:

# file: acltest2
# owner: atest
# group: atest
group::rwx              #effective:rwx
Comment 2 Tom Schulz 2015-04-21 17:58:00 UTC
My report is somewhat incorrect. The problem with not honoring group write permissions only occurs if winbindd is running. I never ran winbindd with Samba 4.1.*. I started running it because of the problems reported in Bug 11098. As reported there, it is possible to run Samba 4.2.* without running winbindd if I use security=ads. If I do not run winbindd then the group write permissions are honored.

I just tried Samba 4.1.17 and it has the same problem with using group write permissions if winbindd is running. So this is not a regression, at least not one against 4.1.*.
Comment 3 Björn Jacke 2018-02-13 22:57:20 UTC
You do not have a proper idmapping configuration; this is not a bug but a misconfiguration. The wiki has a number of examples for valid idmap configs.
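
Added example (not part of the bug report and not Samba project code): a small lint for the idmap lines of an smb.conf, run against the `idmap config * : backend = tdb` setting quoted in comment 1. It assumes the general rules in the Samba idmap documentation: the default `*` domain and each named domain need both a backend and a range, and ranges must not overlap. The function names, the `rid` backend and the ranges in `FIXED` are constructed for illustration and are not a fix recommended in this bug.

```python
import re
# Constructed input: the idmap-relevant lines of the smb.conf quoted in comment 1.
REPORTED = """[global]
    workgroup = ADI
    idmap config * : backend = tdb
"""
# Constructed input: illustrative backend and ranges, not values from the bug report.
FIXED = REPORTED + """    idmap config * : range = 3000-7999
    idmap config ADI : backend = rid
    idmap config ADI : range = 10000-999999
"""
IDMAP = re.compile(r"idmap\s+config\s+(\S+)\s*:\s*(\w+)", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from the [global] section."""
    section, workgroup, domains = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        m = IDMAP.fullmatch(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        elif key.lower().replace(" ", "") == "workgroup":
            workgroup = value.upper()
    return workgroup, domains

def check_idmap(text):
    """List problems: missing backend/range per domain, overlapping ranges."""
    workgroup, domains = parse_global(text)
    problems, ranges = [], []
    # Always check the default domain and the server's own workgroup.
    for dom in sorted({"*", workgroup or "*"} | set(domains)):
        opts = domains.get(dom, {})
        problems += [f"{dom}: no idmap {o}" for o in ("backend", "range") if o not in opts]
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            ranges.append((lo, hi, dom))
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1}/{d2}: ranges overlap")
    return problems
```

`testparm` remains the authoritative check on a real server; this lint only shows which idmap lines are absent from the posted configuration.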