[Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?
Greg Byshenk
samba at byshenk.net
Mon Aug 6 14:09:37 GMT 2007
On Mon, Aug 06, 2007 at 05:27:50PM +0800, Wilkinson, Alex wrote:
> I have "FreeBSD 7.0-CURRENT #1: Wed Jul 25" authenticating successfully against
> active directory via samba's winbindd(8). I need to manage samba shares via
> FreeBSD ACLs and CIFS ACLs. From my reading of setfacl(1) I should be able to
> set group permissions using the syntax of DOMAIN\group-name. For example:
>
> #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test
>
> However, when I do this on FreeBSD -CURRENT I get the following error:
>
> #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test
> setfacl: g:MYDOMAIN\mygroupname: Invalid argument
>
> From a quick Google it looks like Linux ACLs can do the aforementioned
> [http://www.techtutorials.net/blogs/index.php?mode=viewuser&user_id=7].
>
> Is anyone successfully managing their Samba shares via NT/AD groups using
> FreeBSD ACLs ?

FreeBSD ACLs work, as well.

sambaserver# mkdir z-test
sambaserver# chown gbytest:users z-test/
sambaserver# getfacl z-test/
#file:z-test/
#owner:1361
#group:100
user::rwx
group::r-x
mask::r-x
other::r-x
sambaserver# setfacl -m u:ADDOMAIN\\gbytest:rwx,g:ADDOMAIN\\domain\ users:rx z-test/
sambaserver# getfacl z-test/
#file:z-test/
#owner:1361
#group:100
user::rwx
user:gbytest:rwx
group::r-x
group:domain users:r-x
mask::rwx
other::r-x
sambaserver#

This is on 6-STABLE, but it has worked on CURRENT also (though I don't have a
machine running now), configured using idmap_rid (and 'winbind use default domain = yes').

At some point in the past when I was testing, I saw the same sort of errors
as above. This was before I set idmap_rid (and configured samba with experimental
modules), so it may have been related to this change.

Do the domain users/groups show up using 'id' and 'wbinfo'?

--
greg byshenk - gbyshenk at byshenk.net - Leiden, NL