[Samba] ACL wrong category user for group and group for user

Sam sr42354 at gmail.com
Mon Sep 5 07:38:56 UTC 2016


If I try to set an ACL from Windows, something very strange happens.

For instance, if I set something for the user samuel I get this with the 
command getfacl :

And if I set something for the group sa-si I get this :

Under Windows everything looks fine...

I recently changed the idmap config (I added the rid backend).

Here is my smb.conf :

    # NOTE(review): the [section] headers ([global] and the share names) appear
    # to have been lost from this post. The settings down to "disable spoolss"
    # are presumably [global] -- confirm against the real file.
    workgroup = ARIANE
    security = ADS
    realm = ARIANE.INTRA

    netbios name = Samba4
    domain master = no
    host msdfs = no

    # NOTE(review): "dedicated keytab file" is documented as applying when
    # "kerberos method = dedicated keytab"; with "secrets and keytab" it
    # presumably has no effect -- confirm.
       dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # Outgoing client connections are signed only when the server demands it;
    # signing is not enforced from this side.
    client signing = if_required

    ## Map IDs from outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain ARIANE
    # The rid backend derives each UID/GID from the object's RID and this range.
    # NOTE(review): the post says this backend was added recently. Files and
    # POSIX ACL entries written under the previous mapping keep their old
    # numeric IDs, which may now resolve to a different user or group. Compare
    # numeric IDs with "getfacl -n" and consider "net cache flush" -- verify.
    idmap config ARIANE:backend = rid
    idmap config ARIANE:range = 10000-99999

    ## Map IDs from the domain; the ranges must not overlap!
    #idmap config INTERNAL:backend = ad
    #idmap config INTERNAL:schema_mode = rfc2307
    #idmap config INTERNAL:range = 50001-80000

    # NOTE(review): rfc2307 NSS info comes from AD attributes; with the rid
    # backend the template shell/homedir below are presumably what is used --
    # confirm.
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    # Allows logon with cached credentials when no DC is reachable; the cache
    # lives on this host, so its local files need protecting accordingly.
    winbind offline logon = yes

    # NOTE(review): the value looks elided or truncated in the post.
    wins server =,

    template shell = /bin/bash
    template homedir = /home/samba/ARIANE/users/%USERNAME%

    # user Administrator workaround, without it you are unable to set 
    # NOTE(review): the comment above is cut off in the post. The map file
    # decides which Unix account a client name becomes, so it should be
    # writable by root only.
    username map = /etc/samba/samba_usermapping

    # For ACL support on member server
    # acl_xattr keeps the full NT ACL in an extended attribute. getfacl shows
    # only the POSIX ACL on the file, so the Windows view and the getfacl view
    # can differ.
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    usershare allow guests = no
    unix extensions = no
    # Symlinks that point outside the exported tree are not followed.
    wide links = no
    # SMB1 only. NOTE(review): clients sharing one NAT address can presumably
    # drop each other's connections with this enabled -- confirm.
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # Share definitions follow; the [name] header of each is missing from the
    # post. No "valid users" or "write list" is shown for any of them, so
    # access presumably rests on filesystem permissions and ACLs alone.
    path = /home/samba/ARIANE/users
    read only = no

    path = /home/samba/ARIANE/profiles
    read only = no
    # Members of this group perform every file operation on the share as root,
    # regardless of file permissions or ACLs; keep the group small and audited.
    admin users = +"ARIANE\Admins du domaine"
    # NOTE(review): profile acls changes the owner/ACL that clients are shown
    # and is meant for profile shares only -- confirm it is set nowhere else.
    profile acls = yes
    csc policy = disable

    path = /home/samba/ARIANE/companydata
    read only = no

    path = /home/samba/software
    read only = no

    path = /Fichiers/test
    read only = no


