[Samba] [samba] Fileserver, AD, ACLs
Rowland Penny
rpenny at samba.org
Mon Sep 5 14:38:02 UTC 2016
On Mon, 5 Sep 2016 15:06:58 +0200
mathias dufresne via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> Here is the smb.conf used on my test files server.
> _________________________________________________________________________
> [global]
> workgroup = AD
> realm = AD.DOMAIN
> netbios name = SMBFS20
>
> security = ads
> client ldap sasl wrapping = seal
> ldap server require strong auth = allow_sasl_over_tls
> client use spnego = yes
> client ntlmv2 auth = yes
> client ipc signing = mandatory
> client ipc min protocol = SMB2_10
> server signing = mandatory
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/smbfs20.keytab
>
> disable spoolss = yes
> load printers = no
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Set to NO as we use NTFS
> acl_xattr:ignore system acls = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> inherit permissions = yes
>
> # Important: The ranges of the default (*) idmap config
> # and the domain(s) must not overlap!
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2-9
>
> # idmap config for domain AD
> idmap config AD:backend = ad
> idmap config AD:schema_mode = rfc2307
> idmap config AD:range = 2000-99999999999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
> allow trusted domains = yes
>
> template shell = /bin/false
> winbind refresh tickets = yes
> winbind use default domain = true
> winbind offline logon = false
>
> # to be removed in PROD for performance reasons
> winbind enum users = yes
> winbind enum groups = yes
>
> log level = 1 passdb:5 winbind:5 auth:6
> syslog = 9
> syslog only = yes
>
> #============================ Share Definitions ==============================
> [PTA_test]
> path = /srv/PTA_test
> writable = yes
> _________________________________________________________________________
>
> Using https://wiki.samba.org/index.php/Shares_with_Windows_ACLs, we
> would like to create a share with Windows (extended) ACLs.
>
> As we are using "acl_xattr:ignore system acls = yes" I initially
> thought that only system rights (UGO, no ACL) are taken into account by
> samba to check if it can write.
> According to that, forcing 777 on the share didn't seem such a bad idea:
> everybody can do anything, but before accessing the folder itself (and
> UNIX rights) Samba is there to verify who can act on these files
> according to Windows ACLs.
>
> But with this smb.conf, this share in 777, "Domain users" set to full
> control at the share level and read and execute at the security level, my
> domain users are able to create directories.
>
> Once I change this 777 unix mode into 770, my "Domain users"-only
> users lost access to the share.
>
> Obviously we are missing something; does someone have a lead to help us?
There appears to be a problem, see here:
https://lists.samba.org/archive/samba-technical/2016-August/115779.html
There doesn't seem to be a great problem with your smb.conf, but I am a
bit puzzled about one part of it:
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2-9
How do you get all the well-known SIDs into 8 IDs? And what about the
Unix local users & groups that use those IDs?
Rowland
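The two questions in the reply (is the default idmap range large enough for the BUILTIN and well-known SIDs, and does it collide with the IDs that local Unix users and groups already use), together with the "ranges must not overlap" rule from the comment in the poster's own smb.conf, can be checked mechanically before a file server goes into production. The script below is an added example for this thread, not code from the list or from the Samba project: it parses the `idmap config NAME : range = LO-HI` lines out of a constructed smb.conf fragment that carries the poster's values, compares them with constructed /etc/passwd-style lines (on a real host you would feed it the real `smb.conf` and `/etc/passwd`), and reports the same findings Rowland raised. The threshold `MIN_DEFAULT_IDS` is a value chosen for the example, not a Samba constant; the 3000-7999 figure quoted in the comment is the example range from the Samba wiki.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: sanity checks for
# the idmap ranges in an smb.conf. The config and passwd lines are
# constructed for the demo; swap in "$(cat /etc/samba/smb.conf)" and
# "$(cat /etc/passwd)" to audit a real host.

# Constructed smb.conf fragment carrying the poster's idmap values
SMB_CONF_SAMPLE='[global]
workgroup = AD
idmap config *:backend = tdb
idmap config *:range = 2-9
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 2000-99999999999'

# Constructed /etc/passwd-style lines standing in for the local accounts
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/sh
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Assumed lower bound for the default (*) range (chosen for this example,
# not a Samba constant). Every BUILTIN group and well-known SID consumes
# one ID; the Samba wiki's example range is 3000-7999.
MIN_DEFAULT_IDS=1000

# Print "name lo hi" for every "idmap config NAME : range = LO-HI" line
idmap_ranges() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*idmap config[[:space:]]*\([^: ][^: ]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*$/\1 \2 \3/p'
}

# Number of IDs in a range; awk so the 11-digit upper bound is handled
range_size() {
    awk -v lo="$1" -v hi="$2" 'BEGIN { print hi - lo + 1 }'
}

# Fail when the default (*) range is missing or smaller than MIN_DEFAULT_IDS
check_default_range() {
    _def=$(idmap_ranges "$1" | awk '$1 == "*" { print $2, $3 }')
    if [ -z "$_def" ]; then
        echo "no 'idmap config * : range' found"
        return 1
    fi
    set -- $_def
    _size=$(range_size "$1" "$2")
    if awk -v s="$_size" -v m="$MIN_DEFAULT_IDS" 'BEGIN { exit !(s < m) }'; then
        echo "default (*) range $1-$2 holds only $_size IDs; BUILTIN and well-known SIDs need more than that"
        return 1
    fi
    return 0
}

# Fail when any two configured ranges share an ID (the comment in the
# poster's smb.conf states this must never happen)
check_range_overlap() {
    idmap_ranges "$1" | awk '
        { n++; name[n] = $1; lo[n] = $2; hi[n] = $3 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] + 0 <= hi[j] + 0 && lo[j] + 0 <= hi[i] + 0) {
                        printf "ranges overlap: %s (%s-%s) and %s (%s-%s)\n",
                               name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Fail when a local account's uid or primary gid falls inside an idmap range:
# winbind would then hand an AD object the same ID a local user already owns
check_local_id_collision() {
    _ranges=$(idmap_ranges "$1")
    printf '%s\n' "$2" | awk -F: -v ranges="$_ranges" '
        BEGIN {
            n = split(ranges, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " "); name[i] = f[1]; lo[i] = f[2]; hi[i] = f[3]
            }
            bad = 0
        }
        NF >= 4 {
            for (i = 1; i <= n; i++) {
                if ($3 + 0 >= lo[i] + 0 && $3 + 0 <= hi[i] + 0) {
                    printf "local user %s: uid %s lies inside idmap range %s (%s-%s)\n", $1, $3, name[i], lo[i], hi[i]; bad = 1
                }
                if ($4 + 0 >= lo[i] + 0 && $4 + 0 <= hi[i] + 0) {
                    printf "local user %s: primary gid %s lies inside idmap range %s (%s-%s)\n", $1, $4, name[i], lo[i], hi[i]; bad = 1
                }
            }
        }
        END { exit bad }'
}

# Run all three checks; the return value is the number of failed checks
audit_idmap() {
    _fail=0
    check_default_range "$1" || _fail=$((_fail + 1))
    check_range_overlap "$1" || _fail=$((_fail + 1))
    check_local_id_collision "$1" "$2" || _fail=$((_fail + 1))
    return $_fail
}

# Stand-alone run against the constructed config
audit_idmap "$SMB_CONF_SAMPLE" "$PASSWD_SAMPLE" && echo "idmap checks passed" || echo "idmap checks failed: $?"
```

Against the poster's values the script flags two problems: the `*` range 2-9 offers only 8 IDs, and the local `bin` and `sys` accounts (uid/gid 2 and 3 in the constructed passwd lines) already sit inside it, which is exactly the collision Rowland asks about. The AD range 2000-99999999999 does not overlap the default range, so that check passes; with the `ad` backend the range only bounds which `uidNumber`/`gidNumber` values from AD are accepted, so the same collision check is worth running against any local accounts with large IDs (the `nobody` entry at 65534 is the usual one).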