Assumption
The file server is joined to an Active Directory domain through Winbind.
Issue
SMB/filesystem permissions do not seem to apply if a folder is owned by a local group and the domain users are members of that group.
The observable effect is an “Access denied” message when a domain user tries to access the SMB share from a Windows machine, even though the same domain user can access the folder through SSH.
A common scenario is a file server that was recently integrated into a domain while local, non-domain users are still working on it.
Some information to start with:
[root@fileserver ~]# id user
uid=900(user) gid=1000(localgroup) groups=1000(localgroup)
[root@fileserver ~]# id DOMAIN+user
uid=20000(DOMAIN+user) gid=20000(DOMAIN+domain users) groups=20000(DOMAIN+domain users),1000(localgroup),20001(DOMAIN+domaingroup),10008(BUILTIN+users)
[root@fileserver ~]# ls -la /data
drwxrwxrwx 10 root root 4096 Feb 30 13:37 .
drwxr-xr-x 28 root root 4096 Feb 30 13:37 ..
...
drwxrwx--- 6 root localgroup 4096 Feb 30 13:37 share
...
[root@fileserver ~]# getent group localgroup
localgroup:x:1000:DOMAIN+user
Solution
Map the domain users to their local Unix accounts using the “username map” option.
/etc/samba/smb.conf:
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
password server = DC.DOMAIN.COM
winbind separator = +
security = ads
...
username map = /etc/samba/smbusers
...
[share]
comment = My share
browseable = yes
writeable = yes
readonly = no
path = /data/share
guest ok = no
create mask = 0770
directory mask = 0770
inherit acls = yes
inherit permissions = yes
/etc/samba/smbusers:
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
user = DOMAIN+user
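How Samba walks a username map like the one above, as an added Python example that is not part of the original note: it follows the line-by-line rules from the smb.conf manpage, where later lines keep being applied unless a matching line starts with `!`. The catch-all `guest = *` line, the case-insensitive comparison and the function names `resolve` and `names_mapped_to` are assumptions made for the illustration.

```python
import re

# Constructed sample: the page's /etc/samba/smbusers, then two variants with
# a catch-all line appended (the catch-all is an assumption, not on the page).
PAGE_MAP = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
user = DOMAIN+user
"""
WITH_CATCH_ALL = PAGE_MAP + "guest = *\n"
STOP_AFTER_MATCH = WITH_CATCH_ALL.replace("user = DOMAIN", "!user = DOMAIN")


def resolve(map_text, smb_name):
    """Return (unix_name, line_numbers_that_matched) for an SMB login name."""
    name, hits = smb_name, []
    for lineno, raw in enumerate(map_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue                      # blank line, comment, or no mapping
        stop = line.startswith("!")       # '!': stop here if this line maps
        unix, _, rhs = line.lstrip("!").partition("=")
        # Names are whitespace separated; double quotes allow embedded spaces.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        # Assumption: comparison is case-insensitive; @group is not expanded.
        if any(n == "*" or n.lower() == name.lower() for n in names):
            name = unix.strip()
            hits.append(lineno)
            if stop:
                break
    return name, hits


def names_mapped_to(map_text, unix_account):
    """Audit helper: every SMB name the file maps directly to unix_account."""
    found = []
    for raw in map_text.splitlines():
        line = raw.strip().lstrip("!")
        if line and line[0] not in "#;" and "=" in line:
            unix, _, rhs = line.partition("=")
            if unix.strip() == unix_account:
                found += [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
    return found


if __name__ == "__main__":
    for label, text in [("page", PAGE_MAP), ("catch-all", WITH_CATCH_ALL),
                        ("with '!'", STOP_AFTER_MATCH)]:
        print(label, resolve(text, "DOMAIN+user"))
    print("mapped to root:", names_mapped_to(PAGE_MAP, "root"))
```

The second and third results show why a line that must win needs a leading `!` when a wildcard line follows it.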
smb.conf manpage
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html