[PATCH] Patches required for POSIX ACL support of GPOs

steve steve at steve-ss.com
Thu May 10 04:50:03 MDT 2012


On 10/05/12 12:07, Matthieu Patou wrote:
> On 05/10/2012 12:13 AM, steve wrote:
>> On 10/05/12 03:38, Andrew Bartlett wrote:
>>> These patches are in my master-devel branch, and are needed for GPO
>>> support to create the correct POSIX ACL. I would very much appreciate
>>> review, so we can consider enabling s3fs by default, and making the 4.0
>>> Beta release.
>>>
>>> https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/master-devel
>>>
>>>
>>
>> Hi Andrew
>> I am testing s3fs but have come up against a problem on the windows side.
>>
>> I want a folder that can only be entered by members of a group, say
>> 'staff'. I mkdir the folder and set it to 0750. But now, no one can
>> enter.
> What is the gid of the staff group ? are the windows users member of
> this group ?
> Having a windows group called staff is not enough you have to be sure
> that the gid of the windows group is the one you expect.
>
> The way to know what is the gid of your windows group is to use wbinfo
> for the moment with samba 4 when using s3fs.
>
> For instance:
> mat at mpatou-t420:/usr/local/src/samba$ ./bin/wbinfo --group-info "domain
> admins"
> Domain Admins:*:3000009:
>
> So if I want to limit a folder to users of the group "Domain admins" I
> have to do:
>
> sudo mkdir myfolder
> sudo chown root.3000009 myfolder
> sudo chmod 750 myfolder
>
> This folder will be only writable by "administrator" (its uid is 0 as
> root on the linux side) and readable by anyone in the "Domain admins"
> group.
>
>
> Matthieu.

Hi Matthieu
The gidNumber of staff is 21106. We have this attribute stored in the dn
of the group and it can be seen via nss-ldapd and getent group. I can
now see that the behaviour under s3fs has changed. Rather than pull the
gidNumber from the directory, it now pulls the gidNumber as the
xidNumber in idmapd.ldb. So I will have to change my scripts not only to
add the gidNumber to the group dn but also write the same number as the
xid in idmapd.

When I do that, wbinfo gives the correct information which is the same 
as what getent group gives. And all is well.

However, I still cannot manage to make the staff group rw for all staff
members. I want a group where only staff can enter and any files they
create can be rw by any other staff member. It seems that setting the acl
on the linux side is not honoured in windows (the same acl works fine
on Linux clients). I simply want the file created to be rw-rw for group
staff.

Could you help me make a folder where only staff members can enter and
any files created therein are group rw?
Cheers and TIA for any help you can give me.
Steve
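As an added example, not part of the thread above: a small POSIX sh helper that sets up the kind of directory the thread discusses (the mkdir/chown/chmod sequence with a Linux-side gid, extended with the setgid bit and a default ACL so files created inside are group rw), plus a check that the bits actually took. It assumes GNU/Linux coreutils and getent, and setfacl only if present; the directory and group arguments are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Creates a directory that only one
# group can enter, sets the setgid bit so files created inside inherit
# that group, and (where setfacl exists) adds a default ACL so those
# files stay group read/write whatever the creator's umask is.
# Usage: make_group_dir DIR GROUP_NAME_OR_GID

make_group_dir() {
    dir=$1
    grp=$2
    # Resolve the group on the Linux side, as the thread does with wbinfo
    # and getent: a group that only exists on the Windows side cannot be
    # used for a POSIX ACL. Numeric gids are accepted as-is.
    case $grp in
        *[!0-9]*) gid=$(getent group "$grp" | cut -d: -f3) ;;
        *)        gid=$grp ;;
    esac
    [ -n "$gid" ] || { echo "unknown group: $grp" >&2; return 1; }
    mkdir -p "$dir" || return 1
    # Only the group changes; the owner stays the caller (root in the thread).
    chgrp "$gid" "$dir" || return 1
    # 2770: rwx for owner and group, setgid so new files take the group,
    # nothing for others (the thread's 750 plus group write and inheritance).
    chmod 2770 "$dir" || return 1
    # Default ACL so new files are group rw even if the umask would drop
    # group write. Skipped silently where ACL tools are missing.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -d -m "g:$gid:rwx" "$dir" 2>/dev/null || true
    fi
    return 0
}

# Returns 0 when DIR has the setgid bit and no access for "others",
# i.e. matches what make_group_dir set up.
check_group_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -g "$dir" ] || return 1                # setgid bit present
    others=$(ls -ld "$dir" | cut -c8-10)     # the "other" rwx column
    [ "$others" = "---" ] || return 1        # nobody outside the group
    return 0
}
```

Run it as root with the real gid (for example the one wbinfo --group-info reports) to reproduce the thread's setup; as an unprivileged user it only works for a group you already belong to.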

