[Samba] Samba 4 with sssd - primary Windows group membership not honored

Rowland penny rpenny at samba.org
Wed Mar 23 20:38:39 UTC 2016

On 23/03/16 20:16, Joseph Dickson wrote:
>> OK, you should use the standard 'rwx' permissions *or* ACLs, not both. If
>> you create a directory on Unix that you want to share, set the owner:group
>> to root:'Domain Admins' and permissions to 0770. You will then be able to
>> set the permissions from windows or with setfacl on the Unix machine, you
>> do not need the 'force group' lines in smb.conf, there is a wiki page for
>> this, see here:
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> I've tried following this page, and have not managed to have any luck.  I
> even figured out the new syntax to add SeDiskOperatorPrivilege (net sam as
> opposed to net rpc.. at least that's the command that ended up working..
> net rpc always returned permission denied)
> As soon as I try to set the Windows ACLs, I lose access to the folder
> unless I'm defined as an admin user.  The first step that I try to do is to
> set the root share permissions, and I remove everything except a full
> control entry for Domain Admins (the domain group, not the Unix
> Group\Domain Admins that it shows up with by default -- I remove that
> one).  As soon as I hit OK, I lose access to the share.
>> On a Domain member you do not need sssd, winbind will do everything that
>> sssd does, but on an AD DC it is a bit different, winbind there ignores all
>> the RFC2307 attributes except for uidNumber & gidNumber.
> I will try setting up a test server that uses winbind for nss instead of
> sssd, but it doesn't seem like that's the problem as wbinfo and sssd (via
> getent) are returning the same UID/GID numbers.  I don't have uid/gid
> attributes added to my active directory schema, so it's using the
> algorithmic method of computing them based on SID..
>> Samba only recommends using winbind, sssd is not supplied or supported by
>> Samba.
>> I don't know if you have read the Samba wiki pages, there is a lot of info
>> about using Samba, it starts here:
>> https://wiki.samba.org/index.php/Main_Page
> Yes I've definitely spent quite a bit of time looking through the wiki
> pages and other documentation sources.. unfortunately many times they
> haven't been updated for new command syntaxes, and there is very little
> information that digs into what's going on behind the scenes so it's pretty
> tough to connect the dots yourself.
> What I'm trying to achieve is as close to a drop-in replacement for an MS
> fileserver as possible -- all access managed by NT ACLs rather than posix.
> I'm unclear how I can get this functionality without being forced to allow
> world writeable at the posix level...
> I'll work on creating a setup without sssd and see if the results vary, but
> it doesn't feel like that's the issue..
> --
> *Joseph Dickson*
> Director of IT Systems, Evolve Tele-Services, Inc.

Can you check if this file exists:
