[Samba] SMB_ACL_GROUP SMB_ACL_USER
Rowland Penny
rpenny at samba.org
Tue Jun 13 14:47:46 UTC 2017
On Tue, 13 Jun 2017 15:17:47 +0200
Frédéric POUGNAULT via samba <samba at lists.samba.org> wrote:
> I installed a samba server v 4.6.6,
Where did you get 4.6.6 from ?
The latest stable release is 4.6.5
>
> I use samba in classic mode (in /etc/default/sernet-samba).
No you are not, you have a Samba domain member.
>
> Samba is a member of a Windows server 2003 R2 domain.
>
>
> Here is my smb.conf :
Whilst there are things that I would change in your smb.conf, it should
work correctly. The only line I would highlight is this:
    unix password sync = Yes
You cannot have the same user in AD and /etc/passwd, so why do you have
this line ?
>
> I created a share named "MyShare" where members of domain group
> FREDGROUP can read and write files and directories.
>
>
> Now I have user fpt, he is a member of group FREDGROUP and he created
> a directory named "TEST" in the share MyShare.
>
> Here is the ACL on the TEST directory :
>
>
> # file: /home/fred/TEST/
> # owner: fpt
> # group: root
> # flags: -s-
> user::rwx
> user:67022:r-x
> group::rwx
> group:root:rwx
> group:FREDGROUP:r-x
> group:fpt:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:67022:r-x
> default:user:fpt:rwx
> default:group::rwx
> default:group:root:rwx
> default:group:FREDGROUP:r-x
> default:mask::rwx
> default:other::---
>
> I don't understand why I have a user with uid 67022.
>
> 67022 is the gid of group FREDGROUP, I have no user with this uid in
> the domain.
How do you know ?
You are using the winbind 'rid' backend and this will allocate IDs
automatically from a simple calculation using the RID:
    ID = RID - BASE_RID + LOW_RANGE_ID
Or using your figures:
    67022 = RID - 0 + 60000
The RID must be:
    RID = 67022 - 60000
    RID = 7022
>
> I don't understand why I have a fpt group, there is no fpt group in
> the domain.
Are you running an ftp server on the computer ?
>
>
> When I activated the log acl:10 in smb.conf I saw this line :
>
>
> canon_ace index 2. Type = allow SID =
> S-1-5-21-175208659-1627204559-885930912-7022 gid 67022 SMB_ACL_GROUP
> ace_flags = 0x0 perms r-x
>
> canon_ace index 5. Type = allow SID =
> S-1-5-21-175208659-1627204559-885930912-7022 uid 67022 SMB_ACL_USER
> ace_flags = 0x3 perms r-x
Oh look, there is RID '7022', for some reason, something that looks
like a printer appears to be a user and group at the same time.
>
>
> It seems samba didn't make a difference between users and groups when it
> sets acl rights on the directory.
>
It can, when everything is set up correctly.
Can you post the AD object for the '7022' RID
Rowland
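
Added example, not part of the original message or of Samba's own code: a small Python check that reads 'acl:10' canon_ace log lines like the ones quoted above, recomputes each Unix ID from the SID's RID with the 'rid' backend formula, and reports any SID that shows up as both SMB_ACL_USER and SMB_ACL_GROUP. The function names are hypothetical, the range values are the figures used in the thread, and the third log entry (RID 1105) is constructed for contrast.

```python
import re
from collections import defaultdict

# Figures taken from the thread: idmap range starts at 60000, base_rid is 0.
LOW_RANGE_ID = 60000
BASE_RID = 0

ACE_RE = re.compile(
    r"canon_ace index (\d+)\. Type = (\w+) SID = (S-[\d-]+) "
    r"(uid|gid) (\d+) (SMB_ACL_\w+) ace_flags = (0x[0-9a-fA-F]+) perms (\S+)")

def rid_to_id(rid, base_rid=BASE_RID, low=LOW_RANGE_ID):
    """ID = RID - BASE_RID + LOW_RANGE_ID (formula quoted in the reply)."""
    return rid - base_rid + low

def parse_aces(log_text):
    """Yield one dict per canon_ace entry, tolerating '>' quoting and wrapping."""
    unquoted = re.sub(r"(?m)^[> \t]+", "", log_text)
    flat = " ".join(unquoted.split())
    for m in ACE_RE.finditer(flat):
        yield {"index": int(m.group(1)), "sid": m.group(3), "id_kind": m.group(4),
               "unix_id": int(m.group(5)), "acl_type": m.group(6)}

def audit(log_text):
    """Return (SIDs seen as both user and group, ACEs whose ID breaks the formula)."""
    types_by_sid, mismatches = defaultdict(set), []
    for ace in parse_aces(log_text):
        types_by_sid[ace["sid"]].add(ace["acl_type"])
        rid = int(ace["sid"].rsplit("-", 1)[1])
        if rid_to_id(rid) != ace["unix_id"]:
            mismatches.append(ace)
    both = {"SMB_ACL_USER", "SMB_ACL_GROUP"}
    return sorted(s for s, t in types_by_sid.items() if both <= t), mismatches

# The two entries from the post, plus one constructed entry (RID 1105 is made up).
SAMPLE_LOG = """\
> canon_ace index 2. Type = allow SID =
> S-1-5-21-175208659-1627204559-885930912-7022 gid 67022 SMB_ACL_GROUP
> ace_flags = 0x0 perms r-x
> canon_ace index 5. Type = allow SID =
> S-1-5-21-175208659-1627204559-885930912-7022 uid 67022 SMB_ACL_USER
> ace_flags = 0x3 perms r-x
canon_ace index 0. Type = allow SID =
S-1-5-21-175208659-1627204559-885930912-1105 uid 61105 SMB_ACL_USER
ace_flags = 0x0 perms rwx
"""

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A SID in the first list is one to look up in AD, as asked above for RID 7022; an entry in the second list would mean the ID did not come from the range and base_rid assumed here.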