[Samba] [samba] Fileserver, AD, ACLs

mathias dufresne infractory at gmail.com
Mon Sep 5 13:06:58 UTC 2016

Hi all,

Here is the smb.conf used on my test files server.
        workgroup = AD
        realm = AD.DOMAIN
        netbios name = SMBFS20

        security = ads
        client ldap sasl wrapping = seal
        ldap server require strong auth = allow_sasl_over_tls
        client use spnego = yes
        client ntlmv2 auth = yes
        client ipc signing = mandatory
        client ipc min protocol = SMB2_10
        server signing = mandatory

        kerberos method = secrets and keytab
        dedicated keytab file = /etc/smbfs20.keytab

        disable spoolss = yes
        load printers = no

        log file = /var/log/samba/%m.log
        log level = 1

        # Set to NO as we use NTFS
        acl_xattr:ignore system acls = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        inherit permissions = yes

        # Important: The ranges of the default (*) idmap config
        # and the domain(s) must not overlap!

        # Default idmap config used for BUILTIN and local accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 2-9

        # idmap config for domain AD
        idmap config AD:backend = ad
        idmap config AD:schema_mode = rfc2307
        idmap config AD:range = 2000-99999999999

        # Use settings from AD for login shell and home directory
        winbind nss info = rfc2307
        allow trusted domains = yes

        template shell = /bin/false
        winbind refresh tickets = yes
        winbind use default domain = true
        winbind offline logon = false

        # to be removed in PROD for performance reasons
        winbind enum users  = yes
        winbind enum groups = yes

        log level = 1 passdb:5 winbind:5 auth:6
        syslog = 9
        syslog only = yes

#============================ Share Definitions
   path = /srv/PTA_test
   writable = yes

Using https://wiki.samba.org/index.php/Shares_with_Windows_ACLs, we would
like to create a share with Windows (extended) ACLs.

As we are using "acl_xattr:ignore system acls = yes" I initially thought
that only system rights (UGO, no ACL) are taken into account by Samba to
check if it can write.
Given that, forcing 777 on the share didn't seem such a bad idea:
everybody can do anything, but before reaching the folder itself (and the UNIX
rights) Samba is there to verify who can act on these files according to
the Windows ACLs.

But with this smb.conf, this share at 777, "Domain users" set to full
control at the share level and to read and execute at the security level, my
domain users are able to create directories.

Once I changed this 777 UNIX mode to 770, my "Domain users"-only users lost
access to the share.

Obviously we are missing something; does someone have a lead to help us?
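Added example, not part of the post and not Samba's own code: a small checker for the smb.conf pitfalls touched on above (idmap ranges that must not overlap, a key such as "log level" set twice, and a share directory left world-writable at 777). The sample configuration is constructed from the one posted; the share name "PTA_test" is a placeholder, since the posted share definition has no header.

```python
"""Constructed checker for the smb.conf pitfalls discussed in the post (not Samba's code)."""
import stat

# Constructed sample modelled on the posted config; the share name is a placeholder.
SAMPLE = """\
[global]
    acl_xattr:ignore system acls = yes
    vfs objects = acl_xattr
    idmap config *:backend = tdb
    idmap config *:range = 2-9
    idmap config AD:backend = ad
    idmap config AD:range = 2000-99999999999
    log level = 1
    log level = 1 passdb:5 winbind:5 auth:6
[PTA_test]
    path = /srv/PTA_test
    writable = yes
"""

def parse_smb_conf(text):
    """Return ({section: {key: value}}, [duplicate (section, key)]); the last value wins, as in Samba."""
    sections, dups, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:  # keys may contain ':' (e.g. idmap config AD:range)
            key, value = (s.strip() for s in line.split("=", 1))
            if key in sections[current]:
                dups.append((current, key))
            sections[current][key] = value
    return sections, dups

def idmap_ranges(global_section):
    """Map each idmap domain ('*' is the default/BUILTIN backend) to its (low, high) ID range."""
    ranges = {}
    for key, value in global_section.items():
        if key.startswith("idmap config ") and key.endswith(":range"):
            lo, hi = (int(x) for x in value.split("-"))
            ranges[key[len("idmap config "):-len(":range")]] = (lo, hi)
    return ranges

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ID ranges intersect; Samba requires these to be disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def world_writable_shares(sections, path_modes):
    """Shares whose directory mode (given as {path: st_mode}) grants write to 'other', e.g. 0777."""
    return [name for name, opts in sections.items() if name != "global"
            and path_modes.get(opts.get("path"), 0) & stat.S_IWOTH]
```

On a live server, path_modes would come from os.stat() of each share path; the constructed modes in the test stand in for that.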
