[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

L.P.H. van Belle belle at bazuin.nl
Fri Sep 7 12:34:17 UTC 2018


Hi,

Sorry to intrude on this, but please read my notes.


> > 
> > @Andrew
> > Please guide if we can find any other way to distinguish between
> > group SID and individual user SID to get the access control right
> > with NFS4 ACL plugin. Without this, the plugin is not practically
> > usable in AD environment. Can we tweak winbind configuration to
> > return different uid and gid?
> 
> You need to assume that a SID can be both a user and a group, if
> winbind says so.  In that case the user component 'owns' the file (if
> it is the owner) and the gid is given group rights. 
> 
> This also happens in particular for domain admins, which often owns
> files but is of course a group, for group policy in sysvol.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This "assumption" of Andrew is in my opinion wrong.
I'll explain.

I hope he meant either DOMAIN\Administrators or (which is the same as) BUILTIN\Administrators.
But DOMAIN\Domain Admins is not used on sysvol in "FILE/SHARE" rights.
"Domain Admins" is a member of the above group BUILTIN\Administrators and inherits its rights.

The "FILE/FOLDER" rights on a normal Windows server:
run icacls c:\Windows\SYSVOL, which shows:

NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M,WDAC,WO)
CREATOR OWNER:(OI)(CI)(IO)(F)

Primarily it involves these SIDs, which is where the Samba problem is, as far as I know.
DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"
(looks about the same as: https://bugzilla.samba.org/show_bug.cgi?id=13532)

Where, what, is set by default?

And when you look at the "Linked GPOs" within the AD, it shows other rights there.
The Default Domain Policy in a GPO editor shows, for example:
Administrators
Domain Admins		( DOMAIN\Domain Admins )
Enterprise Admins	( DOMAIN\Enterprise Admins )
SYSTEM
(looks about the same as: https://bugzilla.samba.org/show_bug.cgi?id=12236)

Beware of mixing up the
- share rights on sysvol
- file/folder rights in sysvol
- sysvol rights within the AD.
(looks about the same as: https://bugzilla.samba.org/show_bug.cgi?id=11757)

This is why I use my script to set the "correct" rights on the Samba sysvol and netlogon.
Found here:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
It sets the Windows 2008R2 rights, which I took from my 2008R2 server.

Let's hope this info gives someone a great idea ;-)

I also suggest asking Rowland; we already discussed this a lot on the Samba list.
I know he also made some patches for the GPO rights fix, but I can't find them in the Bugzilla list.


Greetz, 

Louis
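As an added audit helper (editor's example, not part of Louis's mail or his samba-check-set-sysvol.sh script): a small Python parser for the icacls output quoted in the mail, with a check that every well-known SID the mail names still has an ACE on SYSVOL and a listing of who holds full control. The SID-to-principal-name mapping is the standard one for those well-known SIDs; the sample input is the icacls listing from the mail.

```python
import re

# icacls output for C:\Windows\SYSVOL exactly as quoted in the mail (Windows 2008R2 defaults)
SYSVOL_ICACLS = r"""
NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M,WDAC,WO)
CREATOR OWNER:(OI)(CI)(IO)(F)
"""
# The well-known SIDs the mail names, mapped to the principal names icacls prints for them
WELL_KNOWN = {
    "S-1-5-32-549": r"BUILTIN\Server Operators",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-11": r"NT AUTHORITY\Authenticated Users",
}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}  # icacls inheritance flags, not rights
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(text):
    """Parse icacls lines into (principal, inheritance flags, rights) tuples."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable icacls line: {line!r}")
        groups = re.findall(r"\(([^)]*)\)", m.group("flags"))
        inherit = frozenset(g for g in groups if g in INHERIT_FLAGS)
        rights = frozenset(r for g in groups if g not in INHERIT_FLAGS for r in g.split(","))
        aces.append((m.group("who"), inherit, rights))
    return aces

def missing_well_known(aces, expected=WELL_KNOWN):
    """SIDs from `expected` that have no ACE at all on the directory (sorted)."""
    present = {who for who, _, _ in aces}
    return sorted(sid for sid, name in expected.items() if name not in present)

def full_control_holders(aces):
    """Principals holding full control (F), directly or via inherit-only ACEs."""
    return sorted({who for who, _, rights in aces if "F" in rights})
```

Feed it the output of icacls on a DC's SYSVOL; an empty list from missing_well_known means all four principals from the mail are still present.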