Samba4: ACL inheritance: owner group is changed to "domain users" in newly created files/dirs

permissions samba samba4 setfacl

Samba Version 4.3.11 on Ubuntu Xenial server (16.04)

In smb.conf I have:

Server role: ROLE_DOMAIN_MEMBER
[global]
  ...
  inherit permissions = Yes
  inherit acls = Yes

  # I needed this due to another issue
  server max protocol = NT1
  max protocol = NT1
  protocol = NT1
  ...
[institute]
  ...
  map acl inherit = Yes
  store dos attributes = Yes
  vfs objects = acl_xattr

I'm always setting up and administering the shares from the Linux side.

I've set a directory's ACLs like this:

# getfacl .

# file: .
# owner: rawi
# group: hg_pat
# flags: -s-
user::rwx
group::r-x
group:hg_qm:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:hg_qm:rwx
default:mask::rwx
default:other::---

Now I create a directory TEST underneath it from the Windows client side and look at the ACLs:

# getfacl TEST

# file: TEST/
# owner: rawi
# group: domain\040users
user::rwx
user:rawi:rwx
group::r-x
group:domain\040users:r-x
group:hg_qm:rwx
mask::rwx
other::---
default:user::rwx
default:user:rawi:rwx
default:group::r-x
default:group:domain\040users:r-x
default:group:hg_qm:rwx
default:mask::rwx
default:other::---

… the standard group is now "domain users", but not everybody should have rights here, only the groups hg_pat (r-x) and hg_qm (rwx).

BTW, with or without the following in the config there is no difference in the inheritance:

map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr

Without ACLs, with only one group allowed, there is no problem: the sgid bit does this well.

But when two groups with different rights are needed, and thus ACLs, Samba deactivates the sgid bit and adds the unwanted "domain users" as "CREATOR GROUP".

How can I avoid this group change and get a clean inheritance?

Thanks

Rawi

Best Answer

Adding inherit owner = yes to smb.conf would preserve the group ownership you set on your parent folder for all subsequent folders created Windows-side. You'd have something like this:

# getfacl TEST

# file: TEST/
# owner: rawi
# group: hg_pat
# flags: -s-
user::rwx
group::r-x
group:hg_qm:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:hg_qm:rwx
default:mask::rwx
default:other::---
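As an added example (not code from the question or the answer), the following script checks whether a directory created through the share kept its parent's owning group and gained no named ACL entries the parent does not have, which is exactly what went wrong above and what inherit owner = yes fixes. The getfacl listings are constructed inline from the question and answer so it runs offline; on a real server you would pass in "$(getfacl -p PARENT)" and "$(getfacl -p CHILD)".

```shell
#!/bin/sh
# Added example: verify Samba inheritance by comparing a child's getfacl
# listing against its parent's. Listings below are constructed from the
# question/answer so the check runs offline.

PARENT_ACL='# file: .
# owner: rawi
# group: hg_pat
user::rwx
group::r-x
group:hg_qm:rwx
mask::rwx
other::---'

# TEST as created from Windows before the fix: group became "domain users"
BROKEN_ACL='# file: TEST/
# owner: rawi
# group: domain\040users
user::rwx
user:rawi:rwx
group::r-x
group:domain\040users:r-x
group:hg_qm:rwx
mask::rwx
other::---'

# TEST with "inherit owner = yes" in effect (as in the accepted answer)
FIXED_ACL='# file: TEST/
# owner: rawi
# group: hg_pat
user::rwx
group::r-x
group:hg_qm:rwx
mask::rwx
other::---'

# Owning group recorded in a getfacl listing (getfacl escapes spaces as \040).
acl_group() { printf '%s\n' "$1" | sed -n 's/^# group: //p'; }
# Named (non-class) user:/group: entries of a listing, sorted one per line.
acl_named() { printf '%s\n' "$1" | grep -E '^(default:)?(user|group):[^:]+:' | sort; }

# check_inheritance PARENT_LISTING CHILD_LISTING -> 0 if the child kept the
# parent's group and has no named entries the parent lacks, else 1 with details.
check_inheritance() {
    pg=$(acl_group "$1"); cg=$(acl_group "$2"); rc=0
    [ "$pg" = "$cg" ] || { printf "owning group changed: '%s' -> '%s'\n" "$pg" "$cg"; rc=1; }
    extra=$(acl_named "$2" | grep -vxF -e "$(acl_named "$1")") || true
    [ -z "$extra" ] || { printf 'entries not on parent:\n%s\n' "$extra"; rc=1; }
    return $rc
}
```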