[Samba] File Server member DC ACL permissions

Ricardo Pardim Claus ricardo.claus at yahoo.com.br
Thu Aug 11 18:39:14 UTC 2016

Dear Rowland, 

This Samba 4 domain was not provisioned from scratch.
Here in the company we had a Windows 2008 DC. Samba was added as a secondary DC.
For now the primary DC remains Windows, but it will be removed this weekend; the Samba DC will then be the primary DC.
In the file server's krb5.conf, I set the KDC servers to point to the Samba DC.

Here is the smb.conf of my Samba 4 DC:

[global]
        # Global parameters
        #bind interfaces only = Yes
        interfaces = lo eth0
        netbios name = SRV14
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN
        server role = active directory domain controller
        comment =
        log file = /var/log/samba/%m.log
        log level = 1
        idmap_ldb:use rfc2307 = yes

; share headers were not preserved in the archived message; these are the
; names samba-tool provision writes for these two paths
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/lojacorr.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

> How have you set the libnss_winbind links ?

I set the libnss_winbind links like this.
My system is CentOS 7 x86_64:

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
# ldconfig

Now I can see the id of the User, with the command:
# wbinfo -i iuser 

Here is the file server smb.conf:

[global]
        # Global parameters
        netbios name = SRV16
        server string = Samba4 Server
        security = ADS
        encrypt passwords = yes
        realm = lojacorr.local
        workgroup = DOMAIN
        log file = /var/log/samba/%m.log
        log level = 1
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = Yes
        winbind nss info = RFC2307
        #idmap_ldb: Use
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        # Idmap config for domain DOMAIN
        idmap config DOMAIN: backend = ad
        idmap config DOMAIN: schema_mode = RFC2307
        idmap config DOMAIN: range = 10000-99999
        guest account = guest

; the share header was not preserved in the archived message; [dados] is a placeholder name
[dados]
        comment = Folder data
        path = /mnt/dados
        read only = No
        browseable = yes
        inherit acls = Yes
        inherit permissions = Yes
        guest account = guest
        guest ok = yes

Here is the file server nsswitch.conf:

passwd:     files winbind 
shadow:     files 
group:      files winbind 

hosts:      files dns 
bootparams: nisplus [NOTFOUND=return] files 
ethers:     files 
netmasks:   files 
networks:   files 
protocols:  files 
rpc:        files 
services:   files 
netgroup:   files 
publickey:  nisplus 
automount:  files 
aliases:    files nisplus 

I configured this permission for SeDiskOperatorPrivilege: 
# net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'domain\administrator'

When I try to set the permissions via shell, I get the same error:

# setfacl -R -m g:"Domain Admins":rwx /mnt/dados 

setfacl: /mnt/dados: Malformed access ACL `user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx': Missing or wrong entry at entry 5 

The disk I am sharing was formatted with the XFS file system.
Access is still denied when trying to set permissions on the shared folder.
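The qualifier 4294967295 in the error above is (gid_t)-1, the value setfacl ends up with when a name cannot be mapped to an id through NSS. The following script, an added example and not part of the original message, flags such entries in an ACL text and checks that a group resolves before calling setfacl; it assumes getent, awk and wbinfo are available, and the sample ACL string is copied from the error in the message.

```shell
#!/bin/sh
# Constructed sample: the ACL text quoted in the setfacl error above.
SAMPLE_ACL='user::rwx,group::r-x,mask::rwx,other::r-x,group:4294967295:rwx'

# Print the 1-based index of every named user/group entry whose qualifier is
# 4294967295, i.e. (uid_t)-1 / (gid_t)-1: the name was never mapped to an id.
unresolved_acl_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F: '
        ($1 == "user" || $1 == "group") && $2 == "4294967295" { print NR }
    '
}

# Resolve a group name to a gid through NSS (getent group), which is the same
# lookup setfacl performs; empty output means winbind/NSS did not map the name.
group_gid() {
    getent group "$1" | cut -d: -f3
}

# Apply the ACL only when the group resolves; otherwise explain why setfacl
# would produce the "Malformed access ACL ... 4294967295" error.
safe_setfacl_group() {
    group="$1"; path="$2"
    gid=$(group_gid "$group")
    if [ -z "$gid" ]; then
        echo "group '$group' does not resolve via NSS; check nsswitch.conf," \
             "the libnss_winbind links, and 'wbinfo --group-info \"$group\"'" >&2
        return 1
    fi
    # Using the numeric gid avoids quoting problems with names containing spaces.
    setfacl -R -m "g:$gid:rwx" "$path"
}
```

Run `safe_setfacl_group 'Domain Admins' /mnt/dados` on the file server; if it refuses, fix name resolution (wbinfo -i works but getent group must too) before retrying setfacl.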

