Samba - ACL permissions

I am running Samba 4.6 on FreeBSD 11 with ZFS. Each user belongs to the fileserver group. In addition, there are additional groups for each department, such as the sales group.

And here comes my problem. On the server is a folder called sales, which is owned by fileserver and the group sales. Why can't my group members from sales overwrite files inside this folder via Windows? Using shell access, editing works without any problems.

Under Windows the message "Access to the destination folder has been denied" appears when I try to overwrite a file. New files can be created inside the sales folder without a problem. Renaming also works.

folder sales
Code:
chmod 770 sales
chown fileserver:sales sales

# file: sales
# owner: fileserver
# group: sales
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
File inside sales folder
Code:
chmod 770 test.txt
chown fileserver:sales test.txt

# file: test.txt
# owner: fileserver
# group: sales
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
changing the file to
Code:
group@:rwxp-da-R-c--s:-------:allow
or
Code:
group@:rwxpDda-R-c-os:-------:allow
has no effect. Only when I give the group the same permission as the file
Code:
group@:rwxp--aARWcCos:-------:allow
then I can delete the file from Windows.

Can someone please explain to me what I am doing wrong? I have already spent hours trying to figure it out.
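To make the ACL listings above easier to compare, here is a small parser for the compact FreeBSD getfacl(1) notation used in this post. It is an added example, not code from the thread, from Samba or from FreeBSD. It assumes the setfacl(1) letter order rwxpDdaARWcCos for the 14 permission bits and fdinSFI for the 7 inheritance flags, evaluates entries in NFSv4 order (first allow or deny that names a bit wins) for one principal label at a time, and lists the bits owner@ has that group@ lacks on the posted test.txt ACL.

```python
"""Parse compact NFSv4 ACL entries (FreeBSD getfacl/setfacl form) and diff the
permissions granted to two principals.  Added example, not from the thread."""

# Compact form letter order, as printed by getfacl(1) on FreeBSD (assumption:
# matches the 14-letter strings quoted in the thread).
PERM_ORDER = "rwxpDdaARWcCos"
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# Inheritance flags: file_inherit, dir_inherit, inherit_only, no_propagate,
# successful_access, failed_access, inherited.
FLAG_ORDER = "fdinSFI"


def _check_positional(field, order, what):
    """Each position holds either '-' or the letter that belongs there."""
    if len(field) != len(order) or any(
            c != "-" and c != order[i] for i, c in enumerate(field)):
        raise ValueError("malformed %s field: %r" % (what, field))
    return {c for c in field if c != "-"}


def parse_ace(line):
    """'group@:rwxp--a-R-c--s:-------:allow' -> dict.  Principals such as
    'user:bob' contain a colon, so split from the right."""
    parts = line.strip().rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError("malformed ACE: %r" % line)
    principal, perms, flags, ace_type = parts
    if ace_type not in ("allow", "deny"):
        raise ValueError("unknown ACE type: %r" % ace_type)
    return {
        "principal": principal,
        "perms": _check_positional(perms, PERM_ORDER, "permission"),
        "flags": _check_positional(flags, FLAG_ORDER, "inheritance"),
        "type": ace_type,
    }


def parse_acl(text):
    """Parse getfacl output; '# file:' style comment lines are skipped."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def granted(acl, principal):
    """Bits `principal` ends up with.  NFSv4 ACLs are evaluated top to bottom
    and the first allow or deny entry that names a bit decides that bit."""
    decided = {}
    for ace in acl:
        if ace["principal"] != principal:
            continue
        for p in ace["perms"]:
            decided.setdefault(p, ace["type"] == "allow")
    return {p for p, ok in decided.items() if ok}


def missing(acl, have, want):
    """Permission names that principal `want` holds but `have` does not."""
    return sorted(PERM_NAMES[p] for p in granted(acl, want) - granted(acl, have))


# The ACL posted in the thread for test.txt (copied, not constructed).
SALES_FILE_ACL = """\
# file: test.txt
# owner: fileserver
# group: sales
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
"""

if __name__ == "__main__":
    acl = parse_acl(SALES_FILE_ACL)
    print("group@ lacks:", ", ".join(missing(acl, "group@", "owner@")))
```

Run against the posted entries, the diff is write_attributes, write_xattr, write_acl and write_owner: the four bits the poster had to add to group@ before deleting from Windows worked. Swapping in the "rwxpDda-R-c-os" variant tried later still leaves write_attributes, write_xattr and write_acl missing, which is a quicker way to see what each experiment changed than reading the letter strings by eye.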
 
Please post the relevant section(s) from smb4.conf.
 
Code:
smb4.conf
[global]
# Logging
log level = 3
log file = /var/log/samba4/log.%m
max log size = 50
utmp = 0

# Domain & controller & workgroups
server string = NAS Server
workgroup = COMPANY
server string = NAS
netbios name = NAS

# Network restriction
bind interfaces only = yes
interfaces = lo0 igb0

# Security model
security = user
encrypt passwords = true
map to guest = bad user

# Time server
time server = yes

map hidden = no
map system = no
map archive = no
map readonly = no

store dos attributes = yes

ea support = yes
access based share enum = yes
load printers = no

template homedir = /fileserver/users/%U
allow insecure wide links = yes

[data]
comment = Data
path = /fileserver/data
valid users = +fileserver

browsable = yes
writable = yes
read only = no
guest ok = no
public = no
follow symlinks = yes
wide links = yes

create mask = 0770
force create mode = 0760
directory mask = 2770
force directory mode = 2770

hide unreadable = yes

vfs objects = shadow_copy2 zfsacl recycle crossrename
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = %Y-%m-%d-%H%M

recycle:directory_mode = 0750
recycle:subdir_mode = 0750
recycle:exclude = *.tmp *.temp *.swp
recycle:keeptree = yes
recycle:repository = Trash/%U
recycle:versions = yes
recycle:touch = yes
recycle:touch_mtime = yes

nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

crossrename:sizelimit = 50
 
I am running Samba 4.6 on FreeBSD 11 with ZFS. Each user belongs to the fileserver group. In addition, there are additional groups for each department, such as sales group.

Just trying to clear things up here: are you trying to have a file owned by two groups?
As you stated above, the fileserver GROUP and an additional GROUP for each department?

As I understand you tried to get permissions as such:
chown group:group

When you did:
chown fileserver:sales

You made the user fileserver the user owner and sales the group owner.
This means that not all users in the group fileserver have access as defined by the first digit of the permissions. Only the user fileserver has those permissions.
 
I have a USER:fileserver and the GROUP:fileserver.
Members of GROUP:fileserver are the USER fileserver and everybody who has access to the server.

By default USER:fileserver owns most of the files on the server. I had to start somewhere.

Public files belong to GROUP:fileserver, so that everybody can read or even modify these files, depending on the group rights.

Departments like sales have their own group with special rights.

With chown fileserver:group test.txt the file should be deletable with 770. From the terminal it is possible; for group members from a Windows PC it is not. Only when I give the same rights as the owner

Code:
owner@:rwxp--aARWcCos:-------:allow
In this case fileserver.

But this doesn't make sense to me. Here the w permission is enough without any delete permission, but for the group it is not enough:

Code:
group@:rwxp--a-R-c--s:-------:allow
In this case sales.
 
If someone creates a file in one of those directories, what permissions does it have? That's where you need to start looking.

My guess is that the file owner has full permission, the group gets read and possibly execute, and that's it. And that's also your problem.

Look into the 'create mask' and optionally the 'directory mask' directives for smb4.conf.
 
create mask = 0770
force create mode = 0760
directory mask = 2770
force directory mode = 2770

I initialised the file permissions inside the sales directory to 0770, and the directory has 2770. This has no effect on the error message that I get from Windows. And again: when I am logged in via a terminal session with a user from the sales group, overwriting is not a problem. When I try to do it from Windows, the message "Access to the destination folder has been denied" appears.
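The create mask and force create mode values quoted above decide the mode bits of a file created through the share, and on ZFS those mode bits in turn decide the trivial ACL getfacl shows. The following is an added example (not from the thread, Samba or FreeBSD) that applies the two settings the way smb.conf(5) documents them, AND with the mask and then OR with the force mode, and renders the resulting trivial ACL in the compact notation used in this thread. It assumes Samba starts from 0666 for a plain file without the DOS read-only attribute and 0777 for a directory, and that a trivial ZFS ACL always carries read_attributes, read_xattr, read_acl and synchronize on every entry plus write_attributes, write_xattr, write_acl and write_owner on owner@.

```python
"""Work out the mode Samba gives a new file under the posted create mask /
force create mode settings and render the trivial NFSv4 ACL FreeBSD ZFS
shows for that mode.  Added example, not from the thread."""
import stat

# Compact permission letter order used by FreeBSD getfacl/setfacl.
ACE_LETTERS = "rwxpDdaARWcCos"
# Bits every entry of a trivial ZFS ACL carries, and the extra bits owner@ gets
# (assumption: matches the owner@/group@/everyone@ strings quoted in the thread).
ALWAYS = set("aRcs")
OWNER_ONLY = set("AWCo")


def samba_mode(requested, mask, force):
    """'create mask' / 'directory mask' is ANDed onto the requested mode, then
    'force create mode' / 'force directory mode' is ORed in (smb.conf(5))."""
    return (requested & mask) | force


def _class_letters(mode, r_bit, w_bit, x_bit, extra):
    """Compact letters for one ACE class (owner@, group@ or everyone@)."""
    letters = set(extra) | ALWAYS
    if mode & r_bit:
        letters.add("r")
    if mode & w_bit:
        letters.update("wp")          # write_data and append_data travel together
    if mode & x_bit:
        letters.add("x")
    return "".join(l if l in letters else "-" for l in ACE_LETTERS)


def trivial_acl(mode):
    """The three ACE lines ZFS reports for a file with mode bits `mode` and no
    explicit ACL entries (a 'trivial' ACL); inheritance flags are all clear."""
    return [
        "owner@:%s:-------:allow" % _class_letters(
            mode, stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, OWNER_ONLY),
        "group@:%s:-------:allow" % _class_letters(
            mode, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, set()),
        "everyone@:%s:-------:allow" % _class_letters(
            mode, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, set()),
    ]


def new_file_acl(create_mask=0o770, force_create_mode=0o760, requested=0o666):
    """ACL of a plain file created through a share with the thread's settings.
    Assumption: Samba's starting mode for a file without the DOS read-only
    attribute is 0666."""
    return trivial_acl(samba_mode(requested, create_mask, force_create_mode))


def new_dir_mode(directory_mask=0o2770, force_directory_mode=0o2770, requested=0o777):
    """Mode of a directory created through the share (assumes a 0777 start)."""
    return samba_mode(requested, directory_mask, force_directory_mode)


if __name__ == "__main__":
    print("new file mode: %o" % samba_mode(0o666, 0o770, 0o760))
    for line in new_file_acl():
        print(line)
```

With the posted values a new file comes out as 0760, so its group@ entry reads rw-p rather than rwxp, while a chmod 770 on an existing file gives the rwxp entry quoted earlier. Note that neither path ever adds write_attributes, write_xattr, write_acl or write_owner to group@; those bits only appear on owner@ in a trivial ACL, which is the difference the poster kept running into.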
 
I don't think this is permission related. If you use smbstatus you may find that the file is locked by a process for the given user. Are there any messages in the log files that point to something?
You may try to restart samba and see if you can alter the file.
 
This may be a long shot, but do you have the ZFS aclmode and aclinherit properties set to passthrough on the datasets used for Samba? Also, Windows Search on directories requires allow on at least the rxaRc privileges.
 
You didn't answer my question though. So when someone creates a file or entry: "what permissions does it have?".
Newly created files:
Code:
# file: newfile.txt
# owner: "The user who created the file"
# group: sales
owner@:rwxp--aARWcCos:-------:allow
group@:rw-p--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
 