[Samba] ACL wrong category user for group and group for user
Sam
sr42354 at gmail.com
Mon Sep 5 09:46:54 UTC 2016
Here is the smb.conf from the AD:
Do I need to enable the underlined part?
Thanks!
# Global parameters
[global]
workgroup = ARIANE
realm = ariane.intra
netbios name = S4
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
## KEEP THIS OFF !! Only used for modifying the AD schema
## ONLY DO THIS ONCE, ON THE DC WITH THE FSMO roles
dsdb:schema update allowed = no
## Don't forget to set the idmap_ldb on ALL DCs if you use it
idmap_ldb:use rfc2307 = yes
#when using idmap backend RID enable these
#_template shell = /bin/sh_
template homedir = /home/users/%ACCOUNTNAME%
winbind nss info = rfc2307
winbind use default domain = yes
winbind max clients = 3000
interfaces = 127.0.0.1 172.20.2.2
bind interfaces only = yes
time server = yes
wins support = yes
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
kerberos method = system keytab
## Temporary, maximum log level 10
#syslog = 10
#log level =0 winbind:3
[netlogon]
path = /var/lib/samba/sysvol/ariane.intra/scripts
read only = No
acl_xattr:ignore system acl = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acl = yes
On 05/09/2016 at 10:23, Rowland Penny via samba wrote:
> On Mon, 5 Sep 2016 09:38:56 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> If I try to set ACLs under Windows, something very strange appears.
>>
>> For instance, if I set something for the user samuel I get this with
>> the getfacl command:
>> default:_*group*_:samuel.ruet:r-x
>>
>> And if I set something for the group sa-si I get this:
>> default:_*user*_:sa-si:r-x
>>
>> Under Windows all seems good...
>>
>> I recently changed the idmap config... (added the rid backend)
>>
>> Here is my smb.conf :
>>
>> [global]
>> workgroup = ARIANE
>> security = ADS
>> realm = ARIANE.INTRA
>>
>> netbios name = Samba4
>> domain master = no
>> host msdfs = no
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> client signing = if_required
>>
>> ## map ids from outside the domain to tdb files.
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain ARIANE
>> idmap config ARIANE:backend = rid
>> idmap config ARIANE:range = 10000-99999
>>
>> ## map ids from the domain; the ranges may not overlap!
>> #idmap config INTERNAL:backend = ad
>> #idmap config INTERNAL:schema_mode = rfc2307
>> #idmap config INTERNAL:range = 50001-80000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>> winbind offline logon = yes
>>
>> wins server = 172.20.2.2, 172.20.2.3
>>
>> template shell = /bin/bash
>> template homedir = /home/samba/ARIANE/users/%USERNAME%
>>
>> # user Administrator workaround, without it you are unable to set privileges
>> username map = /etc/samba/samba_usermapping
>>
>> # For ACL support on member server
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>> # Share Setting Globally
>> usershare allow guests = no
>> unix extensions = no
>> wide links = no
>> reset on zero vc = yes
>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>> hide unreadable = yes
>>
>> # disable printing completely
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> [home]
>> path = /home/samba/ARIANE/users
>> read only = no
>>
>> [profiles$]
>> path = /home/samba/ARIANE/profiles
>> read only = no
>> admin users = +"ARIANE\Admins du domaine"
>> profile acls = yes
>> csc policy = disable
>>
>> [data]
>> path = /home/samba/ARIANE/companydata
>> read only = no
>>
>> [software]
>> path = /home/samba/software
>> read only = no
>>
>> [test]
>> path = /Fichiers/test
>> read only = no
>>
>> Thanks.
>>
>> Samuel
>>
> There doesn't seem to be anything wrong with your smb.conf. There are
> only two reasons for your problem that I can think of: you are running
> the commands on your DC, where an AD user can also be a group and
> vice versa, or you have local users in AD and /etc/passwd
> and /etc/group (the last one being a Unix private group).
>
> Rowland
>
>
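As an added diagnostic for the two causes Rowland names (a name the host resolves as both a user and a group, either because the commands run on a DC or because a local passwd/group entry collides with an AD object), not code from the thread: it parses getfacl output and checks each named entry against the user and group databases. The sample ACL, the name-to-id tables and the numbers in them are constructed for the example; the domain range is the rid range from the quoted member-server smb.conf.

```python
from typing import Dict, Iterator, List, Tuple

# Constructed sample of the getfacl output quoted in the thread, not the poster's file.
SAMPLE_GETFACL = """\
# file: test
# owner: root
# group: root
user::rwx
default:group:samuel.ruet:r-x
default:user:sa-si:r-x
group::r-x
other::---
"""

# Constructed NSS view (name -> numeric id). On a real host fill these from
# `getent passwd` / `getent group` (or Python's pwd and grp modules).
SAMPLE_USERS = {"root": 0, "samuel.ruet": 3000021, "sa-si": 3000035}
SAMPLE_GROUPS = {"root": 0, "samuel.ruet": 3000021, "sa-si": 3000035}

DOMAIN_RANGE = (10000, 99999)  # idmap config ARIANE:range from the member server smb.conf


def parse_named_entries(getfacl_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (tag, name, perms) for named user/group entries, access and default alike."""
    for line in getfacl_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == "default":
            fields = fields[1:]
        if len(fields) == 3 and fields[0] in ("user", "group") and fields[1]:
            yield fields[0], fields[1], fields[2]


def diagnose(getfacl_text: str, users: Dict[str, int], groups: Dict[str, int],
             domain_range: Tuple[int, int] = DOMAIN_RANGE) -> List[str]:
    """One finding per ACL entry whose name resolves ambiguously or on the wrong side."""
    lo, hi = domain_range
    findings = []
    for tag, name, _ in parse_named_entries(getfacl_text):
        uid, gid = users.get(name), groups.get(name)
        if uid is not None and gid is not None:
            if uid == gid:
                cause = "same id for both: DC-style mapping where each AD object is user and group"
            else:
                cause = "different ids: a local passwd/group entry shadows the AD name"
            where = "in domain range" if lo <= uid <= hi else "outside domain range"
            findings.append(f"{tag}:{name}: user {uid} ({where}) and group {gid}; {cause}")
        elif (tag == "user") != (uid is not None):
            findings.append(f"{tag}:{name}: only known as a {'user' if uid is not None else 'group'}")
    return findings
```

Run `diagnose(SAMPLE_GETFACL, SAMPLE_USERS, SAMPLE_GROUPS)` to see both quoted entries flagged; feeding it the real `getent` tables from the member server and from the DC shows which of the two cases applies.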