[Samba] Mac OS X and ACLs

David Thompson david at digitaltransitions.ca
Tue Feb 2 20:13:09 UTC 2016

Hi all,

I have a server that has ACLs enabled on it, and the groups from the domain are set properly and applied on top of it for the shared folders. I am running Mac OS X 10.10.5 on the client side and am having nothing but issues getting the Macs to respect the ACLs set on the files.

The Server Setup is as follows:

Domain Server: Debian 7.9 with Samba 4.3.4

Member Server:
   Debian 7.9 with Samba 4.3.4
   SSSD - Version 1.8.4

Here is the output of my smb.conf file:

[global]
   netbios name = fs
   workgroup = AUTH
   security = ADS
   realm = AUTH.DOMAIN.COM
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config AUTH:backend = ad
   idmap config AUTH:schema_mode = rfc2307
   idmap config AUTH:range = 10000-99999
   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
   winbind refresh tickets = Yes
   winbind cache time = 40
#  vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   username map = /etc/samba/user_map
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
   unix extensions = no

[Groups]
   path = /Groups
   guest ok = yes
   browseable = yes
   writeable = yes
   read only = no
   admin users = "Domain Admins"
   inherit permissions = Yes
   inherit acls = Yes


Here is the output of my sssd.conf file:


[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://dc01.auth.domain.com
ldap_search_base = dc=auth,dc=domain,dc=com
ldap_force_upper_case_realm = true
# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad
# Enumeration is discouraged for performance reasons.
# enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = dc01$@AUTH.DOMAIN.COM
krb5_realm = AUTH.DOMAIN.COM
krb5_server = dc01.auth.domain.com
krb5_kpasswd = dc01.auth.domain.com
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell
ldap_group_object_class = group


Here is the getfacl on the folder that I'm trying to get the Macs to respect ACLs on:

getfacl /Groups/Digital\ Magazine/
getfacl: Removing leading '/' from absolute path names
# file: Groups/Digital Magazine/
# owner: root
# group: DigiMag


As you can see, the group DigiMag has rwx on the folder.

However, when I create a file, the settings get changed so that the group "DigiMag" only has r-- access on the file.

root at fs:/Groups/Digital Magazine# getfacl ROOT-FSTESTER.xlsx
# file: ROOT-FSTESTER.xlsx
# owner: ftester
# group: DigiMag
user::rwx
user:Administrator:r--
user:ftester:rwx
group::r--
group:Domain\040Admins:r--
group:DigiMag:rwx
group:Domain\040Users:r--
mask::rwx
other::r--


This also happens if I set an ACL on the file and give explicit access to the users. If I have two users (ftester and zeddy) and give them full rwx access to the file(s), as soon as one of them opens the files and saves them, the ACL is overwritten and only the first user to open and save the files still has access to them. They take over ownership of the file(s) and also change the access to the files to r-- for both the group (DigiMag) and the user (zeddy).

root at fs:/Groups/Digital Magazine# getfacl ROOT-FSTESTER.xlsx
# file: ROOT-FSTESTER.xlsx
# owner: ftester
# group: DigiMag
user::rwx
user:Administrator:r--
user:ftester:rwx
user:zeddy:r--
group::r--
group:Domain\040Admins:r--
group:DigiMag:rwx
group:Domain\040Users:r--
mask::rwx
other::r--

The Macs are all Mac OS X 10.10.5 and newer, are all bound to the domain, and all log on to the domain with a username. If I run id on a user, it shows the proper groups that they are a part of, from both the Linux server and the Mac. I am using the UNIX extensions and it all seems to work fine.

id ftester
uid=333345(ftester) gid=20023(Domain Users) groups=20023(Domain Users),20003(Adv_Art),20021(web),20012(MandD),20008(DigiMag),20004(circ)

uid=333346(zeddy) gid=20023(Domain Users) groups=20023(Domain Users),20012(MandD),20008(DigiMag)


Everything seemingly works as far as I can tell. I can run a kinit and it works fine. When I log in on a Mac as a network-based user, I get my proper Kerberos tickets and access to the folders that I'm supposed to have access to based on my groups in the Samba DC.

I can't for the life of me figure out how I can get the file shares to give full access rwx to the files on the server.

If someone could please help me out, I would greatly appreciate it and will provide any information that I might have missed.
Thank you for your time,
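As an added illustration (my own code, not part of the post above): a small Python script that parses the second getfacl listing, applies the POSIX ACL mask and then runs the POSIX.1e access check in its defined order (owner, named user, matching groups, other), so that for each user you can see which ACL entry actually decides read or write access. The sample text is copied from the listing above; the user "someone" in the test is a constructed, unlisted member of DigiMag.

```python
# Sample input constructed from the second getfacl listing in the post.
SAMPLE = """\
# file: ROOT-FSTESTER.xlsx
# owner: ftester
# group: DigiMag
user::rwx
user:Administrator:r--
user:ftester:rwx
user:zeddy:r--
group::r--
group:Domain\\040Admins:r--
group:DigiMag:rwx
group:Domain\\040Users:r--
mask::rwx
other::r--
"""
def parse_getfacl(text):
    """Return (header dict, [(tag, qualifier, perms, is_default)])."""
    header, entries = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):                  # "# owner: ftester" style header
            key, _, val = line[1:].partition(":")
            header[key.strip()] = val.strip()
        else:                                     # "[default:]tag:qualifier:perms"
            tag, qual, perms = line.split(":")[-3:]
            entries.append((tag, qual.replace("\\040", " "), perms, line.startswith("default:")))
    return header, entries

def effective_perms(entries):
    """Apply the mask: it caps named users/groups and the owning group, not owner/other."""
    acl = [e for e in entries if not e[3]]                       # access ACL, not default:
    mask = next((p for t, _, p, _ in acl if t == "mask"), "rwx")
    def cap(tag, qual, perms):
        if tag == "group" or (tag == "user" and qual != ""):
            return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))
        return perms
    return {f"{t}:{q}": cap(t, q, p) for t, q, p, _ in acl if t != "mask"}

def can_access(text, user, groups, perm):  # POSIX.1e order: owner, named user, groups, other
    header, entries = parse_getfacl(text)
    eff = effective_perms(entries)
    if user == header["owner"]:
        return perm in eff["user:"]
    if f"user:{user}" in eff:                     # a named user entry wins over any group
        return perm in eff[f"user:{user}"]
    keys = {f"group:{g}" for g in groups} | ({"group:"} if header["group"] in groups else set())
    hits = [eff[k] for k in keys if k in eff]
    if hits:                                      # groups matched but none grant: denied
        return any(perm in h for h in hits)
    return perm in eff["other:"]
```

Run against the listing above, the check shows that zeddy's write access is decided by the named user:zeddy:r-- entry before the group:DigiMag:rwx entry is ever consulted, while an unlisted DigiMag member gets rwx through the named group entry.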