[Samba] ACL wrong category user for group and group for user

Rowland Penny rpenny at samba.org
Mon Sep 5 08:23:41 UTC 2016


On Mon, 5 Sep 2016 09:38:56 +0200
Sam via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> If I try to set an ACL under Windows, something very strange appears.
> 
> For instance, if I set something for the user samuel I get this with
> the command getfacl:
> default:_*group*_:samuel.ruet:r-x
> 
> And if I set something for the group sa-si I get this:
> default:_*use*_r:sa-si:r-x
> 
> Under Windows all seems good...
> 
> I recently changed the idmap config... (added the rid backend)
> 
> Here is my smb.conf :
> 
> [global]
>     workgroup = ARIANE
>     security = ADS
>     realm = ARIANE.INTRA
> 
>     netbios name = Samba4
>     domain master = no
>     host msdfs = no
> 
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     client signing = if_required
> 
>     ## map id's outside to domain to tdb files.
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
> 
>     # idmap config for domain ARIANE
>     idmap config ARIANE:backend = rid
>     idmap config ARIANE:range = 10000-99999
> 
>     ## map ids from the domain  the range may not overlap !
>     #idmap config INTERNAL:backend = ad
>     #idmap config INTERNAL:schema_mode = rfc2307
>     #idmap config INTERNAL:range = 50001-80000
> 
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>     winbind refresh tickets = yes
>     winbind offline logon = yes
> 
>     wins server = 172.20.2.2, 172.20.2.3
> 
>     template shell = /bin/bash
>     template homedir = /home/samba/ARIANE/users/%USERNAME%
> 
>     # user Administrator workaround, without it you are unable to set privileges
>     username map = /etc/samba/samba_usermapping
> 
>     # For ACL support on member server
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
> 
>     # Share Setting Globally
>     usershare allow guests = no
>     unix extensions = no
>     wide links = no
>     reset on zero vc = yes
>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>     hide unreadable = yes
> 
>     # disable printing completely
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
> [home]
>     path = /home/samba/ARIANE/users
>     read only = no
> 
> [profiles$]
>     path = /home/samba/ARIANE/profiles
>     read only = no
>     admin users = +"ARIANE\Admins du domaine"
>     profile acls = yes
>     csc policy = disable
> 
> [data]
>     path = /home/samba/ARIANE/companydata
>     read only = no
> 
> [software]
>     path = /home/samba/software
>     read only = no
> 
> [test]
>     path = /Fichiers/test
>     read only = no
> 
> Thanks.
> 
> Samuel
> 

There doesn't seem to be anything wrong with your smb.conf. There are
only two reasons for your problem that I can think of: you are running
the commands on your DC, where an AD user can also be a group and
vice versa, or you have local users in AD and /etc/passwd
and /etc/group (the last one being a Unix private group).

Rowland
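
A check for the second cause named in the reply above (names that exist both locally and in AD), as an added example that is not part of the original thread. The function names, file arguments and sample data are constructed for illustration; on a member server the name lists would come from /etc/passwd, /etc/group and the saved output of `wbinfo -u` and `wbinfo -g`.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are files so it runs offline.

# names_of FILE: first ':' field of each entry, any "DOMAIN\" prefix stripped,
# lowercased and sorted. Works for passwd/group files and wbinfo name lists.
names_of() {
    awk -F: '!/^#/ && $1 != "" { n = tolower($1); sub(/^.*\\/, "", n); print n }' "$1" |
        LC_ALL=C sort -u
}

# common_names A B: names present in both files.
common_names() {
    a=$(mktemp) b=$(mktemp)
    names_of "$1" > "$a"; names_of "$2" > "$b"
    LC_ALL=C comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# report PASSWD GROUP WB_USERS WB_GROUPS: one line per overlapping name.
report() {
    common_names "$1" "$3" | sed 's/^/local-user-also-in-AD: /'
    common_names "$2" "$4" | sed 's/^/local-group-also-in-AD: /'
    common_names "$2" "$3" | sed 's/^/local-group-named-like-AD-user: /'
    common_names "$1" "$4" | sed 's/^/local-user-named-like-AD-group: /'
}

# make_sample DIR: write constructed sample inputs (not data from the
# poster's host): a local user with a private group, plus a local group
# whose name also exists as a domain group.
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'samuel.ruet:x:1000:1000::/home/samuel.ruet:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'samuel.ruet:x:1000:' 'sa-si:x:1001:' > "$1/group"
    printf '%s\n' 'administrator' 'samuel.ruet' > "$1/wb_users"
    printf '%s\n' 'ARIANE\sa-si' 'admins du domaine' > "$1/wb_groups"
}

# Demo run on the constructed sample.
d=$(mktemp -d); make_sample "$d"
report "$d/passwd" "$d/group" "$d/wb_users" "$d/wb_groups"
rm -rf "$d"
```

Any line it prints is a name to look at: either the local entry or the AD one is answering for that name, depending on the nsswitch order.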
 


