# Samba - ACL permissions



## PaulAtreides (Nov 6, 2017)

I am running Samba 4.6 on FreeBSD 11 with ZFS. Each user belongs to the fileserver group. In addition, there are additional groups for each department, such as sales group.

And here comes my problem. On the server is a folder called sales, which is owned by fileserver and the group sales. Why can't my group members from sales overwrite files via Windows inside this folder? Using shell access, the editing works without any problems.

Under Windows the message "Access to the destination folder has been denied" appears when I try to overwrite a file. New files can be created inside the sales folder without a problem. Renaming also works.

Folder sales:

```
chmod 770 sales
chown fileserver:sales sales

# getfacl sales
# file: sales
# owner: fileserver
# group: sales
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
```
File inside the sales folder:

```
chmod 770 test.txt
chown fileserver:sales test.txt

# getfacl test.txt
# file: test.txt
# owner: fileserver
# group: sales
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
```
Changing the group entry of the file to

```
group@:rwxp-da-R-c--s:-------:allow
```
or

```
group@:rwxpDda-R-c-os:-------:allow
```
has no effect. Only when I give the group the same permission as the file,

```
group@:rwxp--aARWcCos:-------:allow
```
can I delete the file from Windows.

Can someone please explain to me what I am doing wrong? I have already spent hours trying to figure it out.


----------



## SirDice (Nov 6, 2017)

Please post the relevant section(s) from smb4.conf.


----------



## PaulAtreides (Nov 6, 2017)

smb4.conf:

```
[global]
# Logging
log level = 3
log file = /var/log/samba4/log.%m
max log size = 50
utmp = 0

# Domain & controller & workgroups
server string = NAS Server
workgroup = COMPANY
server string = NAS
netbios name = NAS

# Network restriction
bind interfaces only = yes
interfaces = lo0 igb0

# Security model
security = user
encrypt passwords = true
map to guest = bad user

# Time server
time server = yes

map hidden = no
map system = no
map archive = no
map readonly = no

store dos attributes = yes

ea support = yes
access based share enum = yes
load printers = no

template homedir = /fileserver/users/%U
allow insecure wide links = yes

[data]
comment = Data
path = /fileserver/data
valid users = +fileserver

browsable = yes
writable = yes
read only = no
guest ok = no
public = no
follow symlinks = yes
wide links = yes

create mask = 0770
force create mode = 0760
directory mask = 2770
force directory mode = 2770

hide unreadable = yes

vfs objects = shadow_copy2 zfsacl recycle crossrename
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = %Y-%m-%d-%H%M

recycle:directory_mode = 0750
recycle:subdir_mode = 0750
recycle:exclude = *.tmp *.temp *.swp
recycle:keeptree = yes
recycle:repository = Trash/%U
recycle:versions = yes
recycle:touch = yes
recycle:touch_mtime = yes

nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

crossrename:sizelimit = 50
```


----------



## PaulAtreides (Nov 9, 2017)

Nobody knows ... sigh


----------



## driesm (Nov 9, 2017)

PaulAtreides said:


> I am running Samba 4.6 on FreeBSD 11 with ZFS. Each user belongs to the fileserver group. In addition, there are additional groups for each department, such as sales group.



Just trying to clear things up here: are you trying to have a file owned by two groups?
As you stated above, the fileserver GROUP and an additional GROUP for each department?

As I understand you tried to get permissions as such:
`chown group:group`

When you did:
`chown fileserver:sales`

You made the user fileserver the user owner and sales the group owner.
This means that not all users in the group fileserver have access as defined by the first digit of the permissions. Only the *user* fileserver has those permissions.


----------



## PaulAtreides (Nov 10, 2017)

I have a *USER:fileserver* and the *GROUP:fileserver*
Members of *GROUP:fileserver* are: the USER fileserver and everybody who has access to the server.

By default *USER:fileserver* owns most of the files on the server. I had to start from somewhere.

Public files belong to the *GROUP:fileserver*, so that everybody can read or even modify these files depending on the group rights.

Departments like sales have their own group with special rights.

After `chown fileserver:group test.txt` the file should be deletable with 770. From the terminal it is possible; for group members from a Windows PC it is not. Only when I give the group the same rights as the owner


```
owner@:rwxp--aARWcCos:-------:allow
```
In this case fileserver.

But this doesn't make sense to me. Here the w permission is enough without any delete permission. But for the group it is not enough:


```
group@:rwxp--a-R-c--s:-------:allow
```
In this case sales.


----------



## ShelLuser (Nov 10, 2017)

If someone creates a file in one of those directories, what permissions does it have? That's where you need to start looking.

My guess is that the file owner has full permission, the groups read and possibly execute and that's it. And that's also your problem.

Look into the 'create mask' and optionally the 'directory mask' directives for smb4.conf.


----------



## PaulAtreides (Nov 10, 2017)

```
create mask = 0770
force create mode = 0760
directory mask = 2770
force directory mode = 2770
```

I initialised the file permissions inside the sales directory to 0770 and the directory has 2770. This has no effect on the error message that I get from Windows. And again: when I am logged in via a terminal session as a user from the sales group, overwriting is not a problem. When I try to do it from Windows, the message "Access to the destination folder has been denied" appears.


----------



## ShelLuser (Nov 11, 2017)

You didn't answer my question though. So when someone creates a file or entry: "_what permissions does it have?_".


----------



## von_Gaden (Nov 12, 2017)

I don't think this is permission related. If you use `smbstatus` you may find that the file is locked by a process for the given user. Do you have any pointing messages in the log files?
You may try to restart `samba` and see if you can alter the file.


----------



## w5plt (Nov 15, 2017)

This may be a long shot, but have you set the ZFS properties `aclmode` and `aclinherit` to passthrough on the datasets used for SAMBA? Also, Windows Search on directories requires `allow` on at least the `rxaRc` privileges.


----------



## PaulAtreides (Nov 15, 2017)

ShelLuser said:


> You didn't answer my question though. So when someone creates a file or entry: "_what permissions does it have?_".


Newly created files:

```
# file: newfile.txt
# owner: "The user who created the file"
# group: sales
owner@:rwxp--aARWcCos:-------:allow
group@:rw-p--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
```


----------
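An added example, not part of the thread: a small Python decoder for the NFSv4 ACL text that getfacl(1) prints on FreeBSD, so the owner@ and group@ entries quoted above can be compared by permission name instead of by letter position. The letter tables follow the FreeBSD getfacl layout (`rwxpdDaARWcCos` and `fdinSFI`); the sample ACL is the test.txt listing from the first post, and `owner_only` reports what the owner is granted that a non-owner member of the group is not.

```python
from collections import namedtuple
# Permission letters as getfacl prints them (setfacl accepts them in any order).
PERMS = {"r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
         "d": "delete_child", "D": "delete", "a": "read_attributes",
         "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
         "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize"}
FLAGS = {"f": "file_inherit", "d": "dir_inherit", "i": "inherit_only", "n": "no_propagate",
         "S": "successful_access", "F": "failed_access", "I": "inherited"}
Ace = namedtuple("Ace", "tag perms flags kind")

def _decode(field, table, width):
    """Turn a fixed-width letter field ('rwxp--a-R-c--s') into a set of names."""
    if len(field) != width or any(c != "-" and c not in table for c in field):
        raise ValueError(f"malformed field {field!r}")
    return frozenset(table[c] for c in field if c != "-")

def parse_ace(line):
    """'group@:rwxp--a-R-c--s:-------:allow' -> Ace(tag, perms, flags, kind)."""
    tag, perms, flags, kind = line.strip().split(":")
    if kind not in ("allow", "deny"):
        raise ValueError(f"bad ACE type {kind!r}")
    return Ace(tag, _decode(perms, PERMS, 14), _decode(flags, FLAGS, 7), kind)

def parse_getfacl(text):
    """Parse getfacl output, skipping the '# file/owner/group' header lines."""
    lines = (l.strip() for l in text.splitlines())
    return [parse_ace(l) for l in lines if l and not l.startswith("#")]

def effective(acl, tags):
    """Permissions a principal matching `tags` ends up with: NFSv4 ACLs are
    walked in order and the first ACE naming a permission decides it."""
    allowed, decided = set(), set()
    for ace in (a for a in acl if a.tag in tags):
        new = ace.perms - decided
        decided |= new
        if ace.kind == "allow":
            allowed |= new
    return frozenset(allowed)

def owner_only(text):
    """Permissions owner@ has that a non-owner member of the file's group lacks."""
    acl = parse_getfacl(text)
    owner = effective(acl, {"owner@", "group@", "everyone@"})
    return owner - effective(acl, {"group@", "everyone@"})

# Constructed sample: the test.txt entries quoted in the thread.
TEST_TXT = """# file: test.txt
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow"""
```

Running `owner_only(TEST_TXT)` on the sample yields write_attributes, write_xattr, write_acl and write_owner, and the same decoder shows that neither the file's group@ entry nor the folder's grants delete or delete_child.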

