[Samba] ACL wrong category user for group and group for user

Sam sr42354 at gmail.com
Mon Sep 5 09:06:41 UTC 2016



On 05/09/2016 at 10:23, Rowland Penny via samba wrote:
> On Mon, 5 Sep 2016 09:38:56 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> If I try to set an ACL under Windows, something very strange appears.
>>
>> For instance, if I set something for the user samuel I get this with
>> the command getfacl:
>> default:_*group*_:samuel.ruet:r-x
>>
>> And if I set something for the group sa-si I get this:
>> default:_*use*_r:sa-si:r-x
>>
>> Under Windows all seems good...
>>
>> I recently changed the idmap config... (added the rid backend)
>>
>> Here is my smb.conf:
>>
>> [global]
>>      workgroup = ARIANE
>>      security = ADS
>>      realm = ARIANE.INTRA
>>
>>      netbios name = Samba4
>>      domain master = no
>>      host msdfs = no
>>
>>      dedicated keytab file = /etc/krb5.keytab
>>      kerberos method = secrets and keytab
>>      client signing = if_required
>>
>>      ## map id's outside to domain to tdb files.
>>      idmap config *:backend = tdb
>>      idmap config *:range = 2000-9999
>>
>>      # idmap config for domain ARIANE
>>      idmap config ARIANE:backend = rid
>>      idmap config ARIANE:range = 10000-99999
>>
>>      ## map ids from the domain  the range may not overlap !
>>      #idmap config INTERNAL:backend = ad
>>      #idmap config INTERNAL:schema_mode = rfc2307
>>      #idmap config INTERNAL:range = 50001-80000
>>
>>      winbind nss info = rfc2307
>>      winbind trusted domains only = no
>>      winbind use default domain = yes
>>      winbind enum users  = yes
>>      winbind enum groups = yes
>>      winbind refresh tickets = yes
>>      winbind offline logon = yes
>>
>>      wins server = 172.20.2.2, 172.20.2.3
>>
>>      template shell = /bin/bash
>>      template homedir = /home/samba/ARIANE/users/%USERNAME%
>>
>>      # user Administrator workaround, without it you are unable to set
>> privileges
>>      username map = /etc/samba/samba_usermapping
>>
>>      # For ACL support on member server
>>      vfs objects = acl_xattr
>>      map acl inherit = Yes
>>      store dos attributes = Yes
>>
>>      # Share Setting Globally
>>      usershare allow guests = no
>>      unix extensions = no
>>      wide links = no
>>      reset on zero vc = yes
>>      veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>      hide unreadable = yes
>>
>>      # disable printing completely
>>      load printers = no
>>      printing = bsd
>>      printcap name = /dev/null
>>      disable spoolss = yes
>>
>> [home]
>>      path = /home/samba/ARIANE/users
>>      read only = no
>>
>> [profiles$]
>>      path = /home/samba/ARIANE/profiles
>>      read only = no
>>      admin users = +"ARIANE\Admins du domaine"
>>      profile acls = yes
>>      csc policy = disable
>>
>> [data]
>>      path = /home/samba/ARIANE/companydata
>>      read only = no
>>
>> [software]
>>      path = /home/samba/software
>>      read only = no
>>
>> [test]
>>      path = /Fichiers/test
>>      read only = no
>>
>> Thanks.
>>
>> Samuel
>>
> There doesn't seem to be anything wrong with your smb.conf. There are
> only two reasons for your problem that I can think of: you are running
> the commands on your DC, where an AD user can also be a group and
> vice versa, or you have local users in AD and /etc/passwd
> and /etc/group (the last one being a Unix private group).
>
> Rowland
>   
>
Hello Rowland!

Under my AD server I don't see any local user present in AD, in the passwd
and group files.
So the first part seems to be the answer... but if I test with another
Samba I have (a very old Samba 3.0.33 with security = ADS),
the user goes correctly into the user category and the group into the group category.

user:ARIANE+samuel.ruet:r-x
group:ARIANE+sa-si:r-x

For info, this is the old server's global section:

[global]
         workgroup = ARIANE
         realm = ARIANE.INTRA
         netbios aliases = SAMBA
         server string = serveur samba3
         security = ADS
         username map = /etc/samba/smbusers
         log level = 0
         syslog = 0
         log file = /var/log/samba/%m
         max log size = 50
         ldap ssl = no
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         template shell = /bin/bash
         winbind separator = +
         comment = autre
         path = /Samba
         read only = No
         create mask = 0770
         directory mask = 0770

Thanks.
Samuel
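An added diagnostic, not from this thread, that applies Rowland's diagnosis to getfacl output: for each named entry it asks NSS whether the qualifier is a user, a group, or both, and reports a swapped category or an ambiguous name. It assumes getent is backed by winbind on the member server; is_user and is_group are hypothetical wrapper functions, not Samba commands.

```shell
#!/bin/sh
# Feed it getfacl output:  getfacl /Fichiers/test | sh check_acl.sh

# NSS lookups (winbind answers these on a domain member). Assumed helpers;
# the test below replaces them with constructed lookups.
is_user()  { getent passwd "$1" >/dev/null 2>&1; }
is_group() { getent group  "$1" >/dev/null 2>&1; }

# Reads getfacl output on stdin, prints one line per finding,
# returns 1 if any entry is swapped, ambiguous or unresolved.
check_acl_categories() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;          # "# file:", "# owner:" headers, blanks
        esac
        entry=${line#default:}            # inherited entries carry a default: prefix
        tag=${entry%%:*}
        rest=${entry#*:}
        name=${rest%%:*}
        [ -n "$name" ] || continue        # user::, group::, mask::, other:: have no qualifier
        case "$tag" in
            user|group) ;;
            *) continue ;;
        esac
        u=0; g=0
        is_user "$name"  && u=1
        is_group "$name" && g=1
        if [ "$u" = 1 ] && [ "$g" = 1 ]; then
            printf 'AMBIGUOUS %s: "%s" is both a user and a group\n' "$tag" "$name"; rc=1
        elif [ "$tag" = user ] && [ "$u" = 0 ] && [ "$g" = 1 ]; then
            printf 'MISMATCH: user entry "%s" names a group\n' "$name"; rc=1
        elif [ "$tag" = group ] && [ "$g" = 0 ] && [ "$u" = 1 ]; then
            printf 'MISMATCH: group entry "%s" names a user\n' "$name"; rc=1
        elif [ "$u" = 0 ] && [ "$g" = 0 ]; then
            printf 'UNRESOLVED: %s "%s" not found via NSS\n' "$tag" "$name"; rc=1
        fi
    done
    return $rc
}
```

A clean run prints nothing and exits 0; an AMBIGUOUS finding is the DC case Rowland describes, a MISMATCH matches the swapped categories in the original mail.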
