[Samba] File Server member DC ACL permissions

Ricardo Pardim Claus ricardo.claus at yahoo.com.br
Wed Aug 10 19:47:05 UTC 2016

I will choose to use winbind.
Based on the link that Rowland mentioned:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

I followed the steps as described in the tutorial. 

I created symlinks. 

On the main DC I added this line to smb.conf:

idmap_ldb: use RFC2307 = yes 

I changed /etc/nsswitch.conf:

passwd: files winbind 
shadow: files 
group: files winbind 

hosts: files dns 
bootparams: nisplus [NOTFOUND = return] files 
ethers: files 
netmasks: files 
networks: files 
protocols: files 
rpc: files 
services: files 
netgroup: files winbind 
publickey: nisplus 
automount: files 
aliases: files nisplus 

My smb.conf: 

# Global parameters 
        netbios name = SRV16 
        server string = Samba4 Server 
        security = ADS 
        encrypt passwords = yes 
        realm = domain.local 
        workgroup = DOMAIN 
        log file = /var/log/samba/%m.log 
        log level = 1 
        winbind enum users = yes 
        winbind enum groups = yes 
        winbind use default domain = Yes 
        winbind nss info = RFC2307 
        #idmap_ldb: Use 
        vfs objects = acl_xattr 
        map acl inherit = Yes 
        store the attributes = Yes 
        # Idmap config for domain DOMAIN 
       idmap config DOMAIN: backend = ad 
       idmap config DOMAIN: schema_mode = RFC2307 
       idmap config DOMAIN: 10000-99999 range = 

        comment = Folder data 
        path = /mnt/data
        read only = No 
        browseable = yes 
        inherit acls = Yes 
        inherit permissions = Yes 

I can view the groups and users of AD. 
The "kinit administrator" is working very well. When I try to see the ID of a user, it does not return anything.
I also cannot give permissions through the shell of the file server, or through a Windows host, when logged in as domain admin.

# setfacl -R -m g:"Domain Admins":rwx /mnt/dados 
setfacl: /mnt/dados: Malformed access ACL `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx': Missing or wrong entry at entry 5 
setfacl: /mnt/dados/teste: Malformed access ACL `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx': Missing or wrong entry at entry 5

# ldconfig -v | grep winbind 
ldconfig: Can not stat /libx32: not directory or file found
ldconfig: Path `/usr/lib' given more than once
ldconfig: Path `/usr/lib64' given more than once
ldconfig: Can not stat /usr/libx32: not directory or file found
        libnss_winbind.so.2 -> libnss_winbind.so2

Could someone give me any tips on how to solve this problem?
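
An added example, not part of the original post and not Samba's own code: a small Python check of the idmap config lines in an smb.conf, run on the three idmap lines from the configuration above. It assumes the documented form "idmap config DOMAIN : option = value" and that a domain with a backend needs a range; lint_idmap, POSTED and FIXED are names made up for this example.

```python
import re

# Documented smb.conf form: idmap config <DOMAIN> : <option> = <value>
IDMAP = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(.*?)\s*=\s*(.*)$", re.I)
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def lint_idmap(conf_text):
    """Return a list of (line_number, message); line 0 marks a per-domain finding."""
    findings, domains = [], {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("idmap config"):
            continue  # comments and unrelated parameters
        m = IDMAP.match(line)
        if not m:
            findings.append((no, "not of the form 'idmap config DOM : option = value'"))
            continue
        dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        opts = domains.setdefault(dom, {})
        if not val:
            findings.append((no, f"{dom}: '{opt}' has an empty value"))
        elif opt == "range":
            r = RANGE.match(val)
            if r and int(r.group(1)) < int(r.group(2)):
                opts["range"] = (int(r.group(1)), int(r.group(2)))
            else:
                findings.append((no, f"{dom}: range '{val}' is not low-high"))
        else:
            opts[opt] = val
    for dom, opts in domains.items():
        if "backend" in opts and "range" not in opts:
            findings.append((0, f"{dom}: backend '{opts['backend']}' has no usable range"))
    return findings

# The three idmap lines as they appear in the posted smb.conf.
POSTED = """\
idmap config DOMAIN: backend = ad
idmap config DOMAIN: schema_mode = RFC2307
idmap config DOMAIN: 10000-99999 range =
"""
# Constructed variant with the range written as option = value (an assumption).
FIXED = POSTED.replace("DOMAIN: 10000-99999 range =", "DOMAIN : range = 10000-99999")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint_idmap(text) or "no findings")
```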
