[Samba] ACLs set in Windows not honored

Brandon Young bkyoung at gmail.com
Fri Apr 24 17:39:23 GMT 2009


Hi All,

I am in the process of trying to build a Samba server to replace our
aging EMC Celerra file server appliance.  The goal, ultimately, is to
build a file server on which we can migrate a file share from the
Celerra (ACL permissions and all) over to Samba, where the file share
can be exported via NFS as well as Samba, AND the permissions we see
in Linux are what we see in Windows (as well as the permissions we set
in one environment being valid in the other).  I am *very* close, but
have made a perplexing discovery: I have noticed that if I use a
Windows tool (Windows Explorer, Robocopy, etc) to set the permissions,
the permissions don't seem to be getting honored.  If I set the same
ACL permissions from the Linux command line, everything works fine.
It seems that the AD user is not mapping to the UNIX user as I would
expect.

For this example, I'll describe a simple test.

SETUP: Let's suppose I have a Samba server joined to our Active
Directory domain, EXAMPLE01, and it's configured per the attached
smb.conf.  Winbind is enabled and used.  The Samba box has knowledge
of Linux users through NIS (I am only maintaining users, groups, and
passwords in NIS; not machines, etc).  I am able to see a given user's
AD group memberships as well as NIS group memberships on the Samba box
when issuing the 'groups' command.  I am mapping NIS users to AD users
with the file /etc/samba/smbusers, and using the 'net' command to map
AD groups to NIS groups.  Memberships in the AD and NIS groups are
synchronized, so the same user exists in both.  I am attempting to use
idmap backend = rid to predictably generate UID/GID mappings by
winbind across machines, for failover purposes.

EXPERIMENT: we have a brand new machine configured as described above.
The share we are working with is called 'osxtest'.  The share begins
with no ACLs:

[root at sambatest shares]# ls -l
total 4
drwxr-xr-x 2 root root 4096 Apr 24 10:19 osxtest
[root at sambatest shares]# getfacl osxtest/
# file: osxtest
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

As a domain administrator (admbky), I wish to create a directory
called 'test' and set an ACL allowing user 'testbky' rwx access to the
'test' directory.  Here's the relevant info for 'testbky':

[root at sambatest shares]# ypcat passwd | grep testbky
testbky:SOMESTRING:XXXX:XXXX:Test User:/home/testbky:/bin/bash

[root at sambatest shares]# ypcat group | grep testbky
g1019:x:20077:testbky
testbky:x:XXXX:
g2015:x:20104:testbky
domainusers:*:20011:testbky

[root at sambatest shares]# groups testbky
testbky : testbky g1019 g2015 domainusers domain users g2015 g1019 everyone

[root at sambatest shares]# cat /etc/samba/smbusers | grep testbky
testbky = EXAMPLE01\testbky


And for admbky, I am correctly mapped to root:

[root at sambatest shares]# cat /etc/samba/smbusers | grep admbky
root = administrator admin EXAMPLE01\admbky
admbky = EXAMPLE01\admbky


So, from Windows I create directory 'test' and set the ACL for 'testbky':

[root at sambatest osxtest]# pwd
/shares/osxtest
[root at sambatest osxtest]# ls -l
total 8
drwxrwxr-x+ 2 root root 4096 Apr 24 11:28 test
[root at sambatest osxtest]# getfacl test/
# file: test
# owner: root
# group: root
user::rwx
user:testbky:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:testbky:rwx
default:group::---
default:mask::rwx
default:other::---


So, testbky *should* be able to (from Windows AND Linux) manipulate
data in the directory:

[testbky at sambatest test]$ whoami
testbky
[testbky at sambatest test]$ pwd
/shares/osxtest/test
[testbky at sambatest test]$ touch test.txt
touch: cannot touch `test.txt': Permission denied

The same thing happens in Windows.  Now, I will create the same ACL
from the Linux command line:

[root at sambatest osxtest]# whoami
root
[root at sambatest osxtest]# pwd
/shares/osxtest
[root at sambatest osxtest]# getfacl test/
# file: test
# owner: root
# group: root
user::rwx
user:testbky:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:testbky:rwx
default:group::---
default:mask::rwx
default:other::---

[root at sambatest osxtest]# setfacl -m u:testbky:rwx test/
[root at sambatest osxtest]# getfacl test/
# file: test
# owner: root
# group: root
user::rwx
user:testbky:rwx
user:testbky:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:testbky:rwx
default:group::---
default:mask::rwx
default:other::---


WEIRD!  Now, I seem to have two identical ACLs for testbky.  Now
everything works fine:

[testbky at sambatest test]$ whoami
testbky
[testbky at sambatest test]$ pwd
/shares/osxtest/test
[testbky at sambatest test]$ ls
[testbky at sambatest test]$ touch test.txt
[testbky at sambatest test]$ getfacl test.txt
# file: test.txt
# owner: testbky
# group: testbky
user::rw-
user:testbky:rwx		#effective:rw-
group::---
mask::rw-
other::---

If I create a file from Windows as testbky, I see:

[testbky at sambatest test]$ ls -l
total 16
-rw-rwxr--+ 1 testbky testbky 12 Apr 24 12:32 testbky-from-windows.txt
-rw-rw----+ 1 testbky testbky 12 Apr 24 12:32 test.txt
[testbky at sambatest test]$ getfacl testbky-from-windows.txt
# file: testbky-from-windows.txt
# owner: testbky
# group: testbky
user::rw-
user:testbky:rwx
group::rw-
mask::rwx
other::r--

I will note that in Windows Explorer, if I view security on the files,
I can see both ACLs as well.  One for the UNIX user testbky and one
for the EXAMPLE01 domain user testbky at example.org.  So, that's the
problem.  Why are they being treated as different users?  Is this
normal/correct behavior?  Have I missed some fundamental configuration
that makes all this work as expected?  I *expect* that if I set an ACL
from Windows it should work *at least* for the Windows user, from
Windows, if not for both Windows and Linux users.

I would really appreciate any insight into what I am misunderstanding,
or might have missed in terms of configuration.  Basically, where I am
with this project is: as long as I manage ACLs from Linux, everything
works great.  New files inherit the UNIX permissions, and Windows
users can interact with existing files where their UNIX permissions
allow it.  But, when I start manipulating the permissions from a
Windows tool, things don't work right.

Thanks in advance,
Brandon
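The symptom above is two entries for the same display name in one ACL. `getfacl -n` prints qualifiers as numeric ids instead of names, which is the quickest way to see whether entries that look identical actually refer to different UIDs. The following is an added example, not code from the post or the Samba project: it parses `getfacl -n` output and reports any name claimed by more than one UID. The sample ACL, the UIDs 5001 and 10505 and the UID-to-name table are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `getfacl -n` output (numeric ids).
# Two named user entries survive name resolution as the same "testbky".
SAMPLE_GETFACL_N = """\
# file: test
# owner: 0
# group: 0
user::rwx
user:5001:rwx
user:10505:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:10505:rwx
default:group::---
default:mask::rwx
default:other::---
"""

# Constructed stand-in for getpwuid(): one uid from the NIS passwd map and a
# second, separately allocated uid that NSS also renders as "testbky".
SAMPLE_UID_TO_NAME = {0: "root", 5001: "testbky", 10505: "testbky"}

# Matches "user:5001:rwx", "mask::rwx", "default:user:10505:rwx"; trailing
# "#effective:..." annotations are ignored because the match is anchored left.
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")

def parse_acl(text):
    """Return (is_default, tag, qualifier, perms) for each ACL entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((bool(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries

def aliased_users(entries, uid_to_name):
    """Map display name -> sorted uids, for names that more than one uid resolves to."""
    by_name = defaultdict(set)
    for _is_default, tag, qual, _perms in entries:
        if tag == "user" and qual:           # named user entry, not the owner entry
            uid = int(qual)
            by_name[uid_to_name.get(uid, str(uid))].add(uid)
    return {name: sorted(uids) for name, uids in by_name.items() if len(uids) > 1}

def check_path(path):
    """Live variant: run `getfacl -n` on a path and resolve uids through NSS."""
    import pwd, subprocess
    out = subprocess.run(["getfacl", "-n", path], capture_output=True, text=True, check=True).stdout
    entries = parse_acl(out)
    uids = {int(q) for _d, t, q, _p in entries if t == "user" and q}
    def name_of(uid):
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            return str(uid)
    return aliased_users(entries, {u: name_of(u) for u in uids})
```

A non-empty result means the ACL carries entries for distinct UIDs that NSS displays under one name, which is exactly what a plain `getfacl` hides.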

