The file server is joined to an Active Directory domain through Winbind.
SMB/filesystem permissions do not seem to apply if a folder is owned by a local group and the domain users are members of that group.
The observable effect is an “Access denied” message when a domain user tries to access the SMB share from a Windows machine, even though the same domain user can access the folder over SSH.
This commonly happens when the file server was recently integrated into a domain and there are still local, non-domain users working on it.
Some information to start with:

    [root@fileserver ~]# id user
    uid=900(user) gid=1000(localgroup) groups=1000(localgroup)
    [root@fileserver ~]# id DOMAIN+user
    uid=20000(DOMAIN+user) gid=20000(DOMAIN+domain users) groups=20000(DOMAIN+domain users),1000(localgroup),20001(DOMAIN+domaingroup),10008(BUILTIN+users)
    [root@fileserver ~]# ls -la /data
    drwxrwxrwx 10 root root 4096 Feb 30 13:37 .
    drwxr-xr-x 28 root root 4096 Feb 30 13:37 ..
    ...
    drwxrwx--- 6 root localgroup 4096 Feb 30 13:37 share
    ...
    [root@fileserver ~]# getent group localgroup
    localgroup:x:1000:DOMAIN+user

The fix is to map local users to domain users. Check the “username map” option in smb.conf:

    [global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        password server = DC.DOMAIN.COM
        winbind separator = +
        security = ads
        ...
        username map = /etc/samba/smbusers
        ...

    [share]
        comment = My share
        browseable = yes
        writeable = yes
        readonly = no
        path = /data/share
        guest ok = no
        create mask = 0770
        directory mask = 0770
        inherit acls = yes
        inherit permissions = yes

The map file /etc/samba/smbusers:

    # Unix_name = SMB_name1 SMB_name2 ...
    root = administrator admin
    nobody = guest pcguest smbguest
    user = DOMAIN+user
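
To check which Unix account a given SMB client name ends up as under the map shown above, the following added example (not part of the original post and not Samba's own code) is a simplified Python model of the `username map` rules documented in smb.conf(5). The function names are hypothetical; case-insensitive matching and comparison against the name as supplied are assumptions, and `@group` entries are not expanded.

```python
import shlex

# Constructed sample: the same entries as the smbusers file shown above.
SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
user = DOMAIN+user
"""

def split_names(s):
    """Split the right-hand side; double quotes group names, '\\' stays literal."""
    lex = shlex.shlex(s, posix=True)
    lex.whitespace_split, lex.escape, lex.commenters, lex.quotes = True, "", "", '"'
    return list(lex)

def parse_map(text):
    """Yield (unix_name, smb_names, stop_if_matched) for each mapping line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        unix, _, names = line.partition("=")
        unix = unix.strip()
        # A leading '!' stops processing once this line has matched.
        yield unix.lstrip("!").strip(), split_names(names), unix.startswith("!")

def resolve(smb_name, text=SMBUSERS):
    """Return the Unix account smb_name maps to, or smb_name if no line matches."""
    result = smb_name
    for unix, names, stop in parse_map(text):
        # Assumptions: case-insensitive comparison against the name as supplied;
        # '@group' entries are not expanded in this simplified model.
        if "*" in names or smb_name.lower() in (n.lower() for n in names):
            result = unix  # a later matching line overrides an earlier one
            if stop:
                break
    return result

def privileged_mappings(text=SMBUSERS, privileged=("root",)):
    """SMB names that would run as a privileged Unix account."""
    return [n for unix, names, _ in parse_map(text) if unix in privileged for n in names]

if __name__ == "__main__":
    for name in ("DOMAIN+user", "Administrator", "DOMAIN+other"):
        print(f"{name:15} -> {resolve(name)}")
    print("mapped to root:", privileged_mappings())
```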