[Samba] Samba AD domain member with SSSD: ACL not work
Dario Lesca
d.lesca at solinos.it
Tue Feb 14 15:57:24 UTC 2017
On a CentOS 7 minimal fresh install and Samba 4.4.4 I have followed this
howto:
http://www.hexblot.com/blog/centos-7-active-directory-and-samba
and I have joined an Active Directory server and logged in to it with a
domain user without problem.
My problem occurs when I try from Windows to modify some new rights
(ACLs) on a new folder on the Samba share.
The folder is created correctly, but if I add some groups or set up ACLs
I get this error log and the new ACLs are not saved:
> feb 14 12:07:42 samba-dati.srl.local smbd[1178]: [2017/02/14 12:07:42.149812, 0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> feb 14 12:07:42 samba-dati.srl.local smbd[1178]: create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.
This is my testparm -s (smb.conf):
> Server role: ROLE_DOMAIN_MEMBER
>
> [global]
> realm = SRL.LOCAL
> workgroup = SRL
> log file = /var/log/samba/log.%m
> max log size = 50
> load printers = No
> printcap name = /dev/null
> client signing = if_required
> security = ADS
> idmap config srl:range = 200000-399999
> idmap config srl:backend = nss
> idmap config *:range = 70001-80000
> idmap config * : backend = tdb
> cups options = raw
> hosts allow = 127. 192.168.1.
>
> [dati]
> comment = Cartella Dati x tutti
> path = /u/samba/dati
> create mask = 0664
> directory mask = 0775
This is my sssd.conf
> #
> [sssd]
> domains = srl.local
> config_file_version = 2
> services = nss, pam
>
> [domain/srl.local]
> ad_domain = srl.local
> krb5_realm = SRL.LOCAL
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> # use_fully_qualified_names = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u@%d
> # fallback_homedir = /home/%u
> access_provider = ad
>
I have tried some modifications to smb.conf without success, and now the ACLs
still do not work.
Any help will be appreciated
Many Thanks
--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)