[Samba] ACL wrong category user for group and group for user
Rowland Penny
rpenny at samba.org
Mon Sep 5 08:23:41 UTC 2016
On Mon, 5 Sep 2016 09:38:56 +0200
Sam via samba <samba at lists.samba.org> wrote:
> Hello,
>
> If I try to set an ACL under Windows, something very strange appears.
>
> For instance, if I set something for the user samuel I get this with
> the command getfacl :
> default:_*group*_:samuel.ruet:r-x
>
> And if I set something for the group sa-si I get this :
> default:_*use*_r:sa-si:r-x
>
> Under Windows all seems good...
>
> I recently changed the idmap config... ( added rid backend )
>
> Here is my smb.conf :
>
> [global]
> workgroup = ARIANE
> security = ADS
> realm = ARIANE.INTRA
>
> netbios name = Samba4
> domain master = no
> host msdfs = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> client signing = if_required
>
> ## map id's outside to domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain ARIANE
> idmap config ARIANE:backend = rid
> idmap config ARIANE:range = 10000-99999
>
> ## map ids from the domain the range may not overlap !
> #idmap config INTERNAL:backend = ad
> #idmap config INTERNAL:schema_mode = rfc2307
> #idmap config INTERNAL:range = 50001-80000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
>
> wins server = 172.20.2.2, 172.20.2.3
>
> template shell = /bin/bash
> template homedir = /home/samba/ARIANE/users/%USERNAME%
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
>
> # For ACL support on member server
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> # Share Setting Globally
> usershare allow guests = no
> unix extensions = no
> wide links = no
> reset on zero vc = yes
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [home]
> path = /home/samba/ARIANE/users
> read only = no
>
> [profiles$]
> path = /home/samba/ARIANE/profiles
> read only = no
> admin users = +"ARIANE\Admins du domaine"
> profile acls = yes
> csc policy = disable
>
> [data]
> path = /home/samba/ARIANE/companydata
> read only = no
>
> [software]
> path = /home/samba/software
> read only = no
>
> [test]
> path = /Fichiers/test
> read only = no
>
> Thanks.
>
> Samuel
>
There doesn't seem to be anything wrong with your smb.conf. There are
only two reasons for your problem that I can think of: you are running
the commands on your DC, where an AD user can also be a group and
vice versa. Or you have local users in AD and /etc/passwd
and /etc/group (the last one being a Unix private group).
Rowland
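
One way to test the two causes suggested in the reply above, as an added example that is not part of the original message: it takes `getfacl` output plus `getent passwd` / `getent group` output and flags named ACL entries whose tag disagrees with how the name resolves, names that resolve as both user and group, and names that also exist in the local files. The function names and all sample IDs are constructed for illustration.

```python
import re

# Named ACL entries only, e.g. "default:group:samuel.ruet:r-x"; "user::rwx" has no name.
ENTRY = re.compile(r"^(default:)?(user|group):([^:]+):([rwx-]{3})$")

# Constructed sample data (IDs are invented, inside the page's 10000-99999 rid range).
GETFACL = """# file: Fichiers/test
user::rwx
group::r-x
default:group:samuel.ruet:r-x
default:user:sa-si:r-x
default:mask::r-x
"""
PASSWD = "samuel.ruet:*:11105:10513::/home/samba/ARIANE/users/samuel.ruet:/bin/bash\n"
GROUP = "sa-si:x:11200:\n"

def parse_db(text):
    """Parse passwd(5)/group(5) style lines (getent output) into {name: numeric id}."""
    db = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            db[fields[0]] = int(fields[2])
    return db

def audit_acl(getfacl_text, users, groups, local_users=(), local_groups=()):
    """Return (tag, name, finding) for each named ACL entry that looks wrong."""
    findings = []
    for line in getfacl_text.splitlines():
        # Drop "#effective:..." suffixes and "# file:" style header lines.
        m = ENTRY.match(line.split("#")[0].strip())
        if not m:
            continue  # header, owner, other or mask entry
        tag, name = m.group(2), m.group(3)
        is_user, is_group = name in users, name in groups
        if is_user and is_group:
            findings.append((tag, name, "name resolves as both user and group"))
        elif tag == "group" and is_user:
            findings.append((tag, name, "group entry, but name is only a user"))
        elif tag == "user" and is_group:
            findings.append((tag, name, "user entry, but name is only a group"))
        if name in local_users or name in local_groups:
            findings.append((tag, name, "name also exists in local files"))
    return findings

if __name__ == "__main__":
    for finding in audit_acl(GETFACL, parse_db(PASSWD), parse_db(GROUP)):
        print(finding)
```

On a live member server, pass the text of `getent passwd` and `getent group` to `parse_db` and the names from /etc/passwd and /etc/group as `local_users` / `local_groups`; `getfacl -n` shows the numeric IDs behind each entry for comparison.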