[Samba] Trouble managing ACLs from Windows

Johannes Engel jcnengel+samba at gmail.com
Wed Nov 8 21:53:48 UTC 2017


Hi Rowland,
thanks a lot for your hint. After replacing sssd with winbind it seems
to work also with Windows ACLs.

Best regards
Johannes

On 08.11.2017 at 13:20, Rowland Penny wrote:
> On Wed, 8 Nov 2017 12:59:28 +0100
> Johannes Engel via samba <samba at lists.samba.org> wrote:
>
>> Hello list,
>>
>> following the guidance from here
>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
>> I have set up a file server which is member of a Samba 4.6.9 AD
>> domain.
>>
>> I have created ACLs using a Windows client with a domain admin
>> account. While I have no issues with some folders, the server denies
>> access to others to users that should have access by means of group
>> membership.
>>
>> I tried to simulate this using the "Effective access" tab in the
>> security settings per folder using the admin account where it shows
>> that access should be granted to the respective user. However, I
>> noted that sometimes the group SIDs are not properly resolved to the
>> names.
>>
>> The file server itself is using sssd instead of winbind. Administrator
>> is mapped to root using the mapping file, the filesystem underneath
>> the share is BTRFS.
>>
>> Any suggestion where I could dig deeper?
>>
>> The respective section from smb.conf:
>>
>> [global]
>>         realm = SAMBA.MYDOMAIN.COM
>>         security = ADS
>>         kerberos method = secrets and keytab
>>         server role = member server
>>         server services = s3fs
>>         disable netbios = yes
>>         smb ports = 445
>>         idmap_ldb:use rfc2307 = yes
>>         browseable=yes
>>         username map = /etc/samba/file.map
>>         vfs objects = streams_xattr acl_xattr
>>         map acl inherit = yes
>>         store dos attributes = yes
>>
>> [ShareName]
>>         comment = Description
>>         path = /mnt/data/sharedir
>>         read only = No
>>         vfs objects = acl_xattr recycle snapper btrfs
>>         recycle:keeptree = yes
>>         recycle:maxsize = 536870912
>>
>> Thanks a lot!
>>
>> Best regards
>> Johannes
>>
> 'server services = s3fs' & 'idmap_ldb:use rfc2307 = yes' only make
> sense on a DC.
>
> As for your problem, it very probably isn't a Samba problem, I say this
> because you are using sssd for authentication and sssd has nothing to
> do with Samba.
> You should get better help on the sssd-users mailing list.
> Failing that, purge sssd and set up winbind, see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland
>
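
The reply above points out that 'server services' and 'idmap_ldb:use rfc2307' only make sense on a DC. As an added example (not part of the thread and not Samba project code), the check below parses an smb.conf and reports those two parameters when the role is 'member server'. The function names are hypothetical, and the sample is the [global] section quoted in the post, abridged.

```python
# Added example: flags the two parameters the reply calls DC-only.
# DC_ONLY comes from the thread; the function names are hypothetical.
DC_ONLY = ("server services", "idmap_ldb:use rfc2307")

# [global] settings as quoted in the original post (abridged).
POSTED_GLOBAL = """\
[global]
        realm = SAMBA.MYDOMAIN.COM
        security = ADS
        server role = member server
        server services = s3fs
        idmap_ldb:use rfc2307 = yes
        username map = /etc/samba/file.map
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return "".join(name.lower().split())

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation onto the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # only the first '=' splits
            current[norm(key)] = value.strip()
    return sections

def dc_only_on_member(text):
    """List DC-only parameters set in [global] of a member server."""
    glob = parse_smb_conf(text).get("global", {})
    role = " ".join(glob.get(norm("server role"), "").lower().split())
    if role != "member server":
        return []
    return sorted(p for p in DC_ONLY if norm(p) in glob)

if __name__ == "__main__":
    for param in dc_only_on_member(POSTED_GLOBAL):
        print("DC-only parameter on a member server:", param)
```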

