[Samba] SMB_ACL_GROUP SMB_ACL_USER

Frédéric POUGNAULT f.pougnault at galitt.com
Tue Jun 13 13:17:47 UTC 2017


Hello,

I installed a Samba server v4.6.6.

I use Samba in classic mode (in /etc/default/sernet-samba).

Samba is a member of a Windows Server 2003 R2 domain.

 
Here is my smb.conf:

[global]
use sendfile = no
gpfs:getrealfilename = no
smb ports = 445 139
dos charset = 850
unix charset = UTF-8
interfaces = eth0
bind interfaces only = true
workgroup = MYREALM
passdb backend = tdbsam
os level = 2
time server = yes
unix extensions = yes
encrypt passwords = yes
log level = 0 acls:10
max protocol = SMB2
posix locking = no
load printers = no
name resolve order = wins host lmhosts bcast
security = ADS
password server = MyPasswordServer
realm = MYREALM.COM
netbios name = DATA30
winbind separator = +
winbind cache time = 15
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home%U
template shell = /bin/bash
logon path = \\server\%U
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *password:*all*authentication*tokens*updated*successfully
Pam password change = yes
client ntlmv2 auth = yes
host msdfs = yes
obey pam restrictions = Yes
wins support = no
wins server = MYWINS
public = yes
browseable = yes
lm announce = yes
browse list = yes
auto services = yes
remote browse sync = MyRemoteBrowseSync
remote announce = X.X.X.0/24
server string =
inherit acls = yes
map acl inherit = yes
nt acl support = yes
inherit permissions = no
enhanced browsing = yes
winbind use default domain = yes
getwd cache = yes
wide links = no

include = /etc/samba/smb.conf.%m

idmap config MYREALM : backend = rid
idmap config MYREALM : range = 60000-50000000
idmap config MYREALM : base_rid = 0

idmap config * : range = 20000-30000

nmbd bind explicit broadcast = no

[MyShare]
   comment =
   path = /home/fred
   valid users = @MYREALM+FREDGROUP
   public = no
   writable = yes
   printable = no
   browsable = yes
   preserve case = yes
   short preserve case = yes
   default case = lower
   case sensitive = no
   msdfs root = yes
   create mask = 770
   force create mode = 670
   force directory mode = 770
   directory mask = 770
   store dos attributes = yes
   force group = root

Here is the ACL on the directory /home/fred:

user::rwx
group::rwx
group:fredgroup:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:fredgroup:rwx
default:mask::rwx
default:other::---


I created a share named "MyShare" where members of the domain group FREDGROUP can read and write files and directories.

Now I have user fpt, who is a member of group FREDGROUP, and he created a directory named "TEST" in the share MyShare.

Here is the ACL on the TEST directory:


# file: /home/fred/TEST/
# owner: fpt
# group: root
# flags: -s-
user::rwx
user:67022:r-x
group::rwx
group:root:rwx
group:FREDGROUP:r-x
group:fpt:rwx
mask::rwx
other::---
default:user::rwx
default:user:67022:r-x
default:user:fpt:rwx
default:group::rwx
default:group:root:rwx
default:group:FREDGROUP:r-x
default:mask::rwx
default:other::---

I don't understand why I have a user with uid 67022.

67022 is the gid of group FREDGROUP; I have no user with this uid in the domain.

I don't understand why I have an fpt group; there is no fpt group in the domain.

When I activated the log acl:10 in smb.conf I saw these lines:

canon_ace index 2. Type = allow SID = S-1-5-21-175208659-1627204559-885930912-7022 gid 67022 SMB_ACL_GROUP ace_flags = 0x0 perms r-x

canon_ace index 5. Type = allow SID = S-1-5-21-175208659-1627204559-885930912-7022 uid 67022 SMB_ACL_USER ace_flags = 0x3 perms r-x

It seems Samba didn't make a difference between users and groups when it set the ACL rights on the directory.
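The following is an added diagnostic example, not code from the post or from Samba: it applies the idmap_rid arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID, which gives the same number whether the SID names a user or a group) to the SID in the log above, and scans getfacl output for entries whose identity is ambiguous in the way the post describes, i.e. a numeric "user" qualifier that is really a known gid, or a "group" qualifier that is really a domain user. The lookup tables KNOWN_GROUPS and KNOWN_USERS are constructed from facts stated in the post rather than queried from winbind.

```python
# idmap values from the post's smb.conf (idmap config MYREALM : range / base_rid)
RANGE_LOW, BASE_RID = 60000, 0
# Constructed lookup tables built from facts stated in the post (not queried from winbind)
KNOWN_GROUPS = {67022: "FREDGROUP"}  # gid -> group name
KNOWN_USERS = {"fpt"}                # user names present in the domain

# getfacl output for /home/fred/TEST as quoted in the post (some unnamed entries omitted)
TEST_ACL = """\
# file: /home/fred/TEST/
user::rwx
user:67022:r-x
group::rwx
group:root:rwx
group:FREDGROUP:r-x
group:fpt:rwx
mask::rwx
default:user::rwx
default:user:67022:r-x
default:user:fpt:rwx
default:group:root:rwx
default:group:FREDGROUP:r-x
"""

def rid_to_unix_id(sid, range_low=RANGE_LOW, base_rid=BASE_RID):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID (same number for a user or group SID)."""
    rid = int(sid.rsplit("-", 1)[1])
    return rid - base_rid + range_low

def parse_acl(text):
    """Yield (scope, tag, qualifier, perms) from getfacl output; scope is 'access' or 'default'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        yield scope, tag, qualifier, perms

def find_ambiguous_entries(text, known_groups=KNOWN_GROUPS, known_users=KNOWN_USERS):
    """Flag a numeric 'user' qualifier that is a known gid, or a 'group' qualifier that is a user name."""
    findings = []
    for scope, tag, qualifier, _perms in parse_acl(text):
        if tag == "user" and qualifier.isdigit() and int(qualifier) in known_groups:
            findings.append((scope, tag, qualifier, "uid equals gid of " + known_groups[int(qualifier)]))
        elif tag == "group" and qualifier in known_users:
            findings.append((scope, tag, qualifier, "group name is a domain user"))
    return findings
```

Run over the quoted listing it reports the access and default user:67022 entries plus group:fpt, the same three anomalies the post asks about.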


