Bug 11192 - Group write permission not honored running winbind
Group write permission not honored running winbind
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
4.2.0
x64 Linux
: P5 major
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-04-02 18:52 UTC by Tom Schulz
Modified: 2015-04-21 17:58 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tom Schulz 2015-04-02 18:52:38 UTC
This is seen on both Linux and Solaris. We have a setup where we have project directory trees where the files are owned by various users but also by a group that the various users are a member of. The group permissions are set to allow group write access. With Samba 4.1.* and earlier everyone in the group can create files in these directories. With Samba 4.2.0, we get an 'Access is denied' error.
Comment 1 Tom Schulz 2015-04-14 18:04:35 UTC
Some additional information.

The unix users/groups come from nis. I am not running winbindd except
occasionally as a test to see if it makes a difference. I set the group
permissions using the unix command 'chmod g+w'. On many of the directories
there is an acl set to force the default group permission to include
write.

The smb.conf is as follows:

# Global parameters
[global]
        workgroup = ADI
        realm = adi.com
        server string = 
        security = ADS
        guest account = nobody2
        client NTLMv2 auth = No
        log file = /opt/local/samba4/var/logs/%h/log.%m
        max log size = 1500
        name resolve order = bcast host
        unix extensions = No
        client signing = if_required
        client ldap sasl wrapping = plain
        printcap name = /etc/printers.samba
        dns proxy = No
        lock directory = /var/samba/locks/%h
        pid directory = /var/samba/locks/%h
        winbind sealed pipes = No
        require strong key = No
        idmap config * : backend = tdb
        printing = sysv
        include = /opt/local/samba4/etc/smb.conf.mackerel
        wide links = Yes
        delete readonly = Yes
        dos filemode = Yes
        msdfs root = Yes

[zacltest2]
        comment = Acl test
        path = /home/users/schulz/tmp
        read only = No
        inherit permissions = Yes


For a directory with an ACL, the ACL looks like this:

# file: acltest2
# owner: atest
# group: atest
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:r-x
Comment 2 Tom Schulz 2015-04-21 17:58:00 UTC
My report is somewhat incorrect. The problem with not honoring group write permissions only occurs if winbindd is running. I never ran winbindd with Samba 4.1.*. I started running it because of the problems reported in Bug 11098. As reported there, it is possible to run Samba 4.2.* without running winbindd if I use security=ads. If I do not run winbindd then the group write permissions are honored.

I just tried Samba 4.1.17 and it has the same problem with using group write permissions if winbindd is running. So this is not a regression, at least not one against 4.1.*.