[Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?

Wilkinson, Alex alex.wilkinson at dsto.defence.gov.au
Wed Aug 8 13:05:35 GMT 2007


    On Mon, Aug 06, 2007 at 04:09:37PM +0200, Greg Byshenk wrote: 

    >     sambaserver# setfacl -m u:ADDOMAIN\\gbytest:rwx,g:ADDOMAIN\\domain\ users:rx z-test/
    >     sambaserver# getfacl z-test/
    >     #file:z-test/
    >     #owner:1361
    >     #group:100
    >     user::rwx
    >     user:gbytest:rwx
    >     group::r-x
    >     group:domain users:r-x
    >     mask::rwx
    >     other::r-x
    >     sambaserver#
    >
    >This is on 6-STABLE, but it has worked on CURRENT also (though I don't have a
    >machine running now), configured using idmap_rid (and 'winbind use default domain = yes').
    >
    >At some point in the past when I was testing, I saw the same sort of errors
    >as above.  This was before I set idmap_rid (and configured samba with experimental
    >modules), so it may have been related to this change.
    >
    >Do the domain users/groups show up using 'id' and 'wbinfo'?

OK, well this is interesting because after extensive testing of setting group
permissions with setfacl(1) some groups work ... and some don't. And yes I can
enumerate all the groups in AD e.g.

     #wbinfo -g | wc -l
         2574

And id(1) does print the GIDs e.g.

     #id -a
     uid=13340(myusername) gid=10513(domain users) groups=10513(domain users)

So I am suspecting not all groups in the AD world are the same?
And why would I be able to assign group ACLs using some AD groups but not others?

 -aW
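As an added example (not part of the thread or of Samba), a small Python helper that parses getfacl(1) output like the listing quoted above, applies the mask entry to get the effective rights, and lists the named users/groups that fail the same NSS lookup id(1) relies on (winbind-backed on a box like the one discussed). The sample listing is constructed, and the resolver callback is an assumption so the check can be exercised offline.

```python
import grp, pwd

# Constructed sample, modelled on the getfacl output quoted earlier in the thread.
SAMPLE_GETFACL = """#file:z-test/
#owner:1361
user::rwx
user:gbytest:rwx
group::r-x
group:domain users:r-x
mask::rwx
other::r-x
"""

def parse_getfacl(text):
    """Return (header, entries); each entry is a (tag, qualifier, perms) tuple."""
    header, entries = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        # Split on the first and the last ':' so "domain users" survives as one qualifier.
        tag, _, rest = line.partition(":")
        qualifier, _, perms = rest.rpartition(":")
        entries.append((tag, qualifier, perms))
    return header, entries

def effective_perms(entries):
    """Apply the mask to named user/group entries and the owning group (POSIX.1e:
    user:: and other:: are never masked); returns {"tag:qualifier": perms}."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = {}
    for tag, qualifier, perms in entries:
        if mask and (tag == "group" or (tag == "user" and qualifier)):
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        out[f"{tag}:{qualifier}"] = perms
    return out

def nss_resolves(tag, name):
    """Default resolver: the same NSS lookups id(1) uses (winbind-backed for AD names)."""
    try:
        (pwd.getpwnam if tag == "user" else grp.getgrnam)(name)
        return True
    except KeyError:
        return False

def unresolved_principals(entries, resolve=nss_resolves):
    """Named qualifiers in the ACL that the resolver cannot map to a uid/gid."""
    return [q for t, q, _ in entries if t in ("user", "group") and q and not resolve(t, q)]
```

Running `unresolved_principals(parse_getfacl(open_output)[1])` with the default resolver on the Samba host itself shows directly which AD groups winbind is not mapping, which is the first thing to compare between the groups that work and the ones that do not.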
