[Samba] Samba, ACLs and an ADS domain.
kaori.hinata at gmail.com
Fri Jun 18 12:03:56 MDT 2010
One thing to note before I begin: if you think this e-mail should be targeted at the linux-cifs folks (or anywhere else for that matter) and not the samba general mailing list, please feel free to tell me.
I've been running our fileserver for a while without ACLs and off the ADS domain so that my boss, a few employees and I could access backups and share project files. After a recent hardware upgrade we've decided to get on the ADS domain and make proper use of ACLs. I have Samba set up, joined the domain and have set up (what I thought was) proper ACLs. I've tested to make sure that ADS domain users can log in and access files without problem through SSH (at least until I figure this out). However, Samba (or perhaps it's the Linux CIFS client) seems to ignore ACL permissions when it comes to determining file access.
If I use an ADS domain user and/or group for non-ACL (Unix) permissions, I can authenticate as that user and access files just fine. However, when I move file ownership to a local user and add ADS domain users/groups to the ACLs instead, authentication is successful as one of those ADS domain users, but the client will generally deny me permission due to insufficient permissions.
If this is indeed a Samba issue then I'll be happy to post my config files. I've encountered this with both Samba 3.4.6 (on Gentoo) and 3.5.3 (on Fedora 13). If it's not a Samba issue, could someone perhaps confirm or deny that my problems are related to the issue being discussed at: http://patchwork.ozlabs.org/patch/47002/