ACLs Samba 4.0

Sergey Urushkin urushkin at
Fri Dec 14 05:20:01 MST 2012

14.12.2012 15:43, Andrew Bartlett пишет:
> On Fri, 2012-12-14 at 12:36 +0100, Marc Muehlfeld wrote:
>> Am 14.12.2012 06:31, schrieb Brian May:
>>> I can access uidNumber fine as administrator, however as non-administrator
>>> I can only read my uidNumber. And uidNumber for computers. The other
>>> attributes don't appear.
>>> I think other attributes might be affected, uidNumber was the most obvious.
>>> So I haven't investigated the others in detail yet.
>>> Is this expected?
>> I saw this too, and it was introduced with rc6. But I don't know if this the 
>> same on a windows server (We don't have one).
>> Other attributes that I am missing since rc6 as normal User (but I'm sure 
>> there are more):
>> loginShell
>> primaryGroupID
>> uidNumber
>> unixHomeDirectory
>> Because I don't have a Windows server to compare, I thought it is a wanted 
>> feature. Is it?
> The next step clearly is to work out what Windows does, and then how to
> sort out either the default ACL, or the ACL interpretation (hopefully
> the latter).
> Andrew Bartlett
I have exactly the same problem. After updating our samba installation
to 4.0.0 all sssd and winbind rfc2307 installations stoped to work.
I've already tested this (ldapsearch uidnumber gidnumber ...)  with win
2008 installation, and it do allow reading this attributes.
For me workaround was:
on windows with admin rights exec this:

set LDAPBASE=dc=domain,dc=lan
dsacls cn=Users,%LDAPBASE% /I:S /G "NT AUTHORITY\Authenticated
Users":RP;uidnumber;user "NT AUTHORITY\Authenticated
Users":RP;gidnumber;user "NT AUTHORITY\Authenticated
Users":RP;loginshell;user "NT AUTHORITY\Authenticated
Users":RP;unixhomedirectory;user "NT AUTHORITY\Authenticated

But since acl iheritance are not working properly with 4.0.0, I also had
to reset all permissions of child objects before executing previous
command (note, if you have delagated something to someone in cn=users,
after this code you will need to do it again):
for /F "delims=;" %%i in ('dsquery * "cn=Users,%LDAPBASE%" -limit
100000') do (
if not %%i=="CN=Users,%LDAPBASE%" dsacls %%i /S /T

Best regards,
Sergey Urushkin

More information about the samba-technical mailing list