[Samba] SMB_ACL_GROUP SMB_ACL_USER

Frédéric POUGNAULT f.pougnault at galitt.com
Wed Jun 14 08:41:10 UTC 2017


Hello,

Yes, I made a mistake; it's not v4.6.6 but 4.6.5.

For "unix password sync = yes", it is an old parameter; ten years ago an sftp server was installed alongside the samba server.

Currently there is no ftp server.


Here is the AD object with RID 7022

objectClass: top
objectClass: group
cn: FREDGROUP
member: CN=fpt,CN=Users,DC=cogesys,DC=com
distinguishedName: CN=FREDGROUP,CN=Users,DC=cogesys,DC=com
instanceType: 4
whenCreated: 12/06/2007 09:46:04
whenChanged: 06/14/2017 07:21:18
uSNCreated: 20677766
memberOf: CN=Basic_Authentification,CN=Users,DC=cogesys,DC=com
uSNChanged: 44188593
name: FREDGROUP
objectGUID: {472F71F0-759B-46FD-BA08-053A9246080D}
objectSid: S-1-5-21-175208659-1627204559-885930912-7022
sAMAccountName: FREDGROUP
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=cogesys,DC=com
dSCorePropagationData: 11/30/2016 14:11:42
dSCorePropagationData: 01/01/1601 00:00:01
ADsPath: LDAP://godc6.cogesys.com/CN=FREDGROUP,CN=Users,DC=cogesys,DC=com


From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
Sent: Tuesday, 13 June 2017 16:48
To: samba at lists.samba.org
Cc: Frédéric POUGNAULT
Subject: Re: [Samba] SMB_ACL_GROUP SMB_ACL_USER

On Tue, 13 Jun 2017 15:17:47 +0200
Frédéric POUGNAULT via samba <samba at lists.samba.org> wrote:

> I installed a samba server v 4.6.6,

Where did you get 4.6.6 from?
The latest stable release is 4.6.5

> 
> I use samba in classic mode (in /etc/default/sernet-samba).

No you are not, you have a Samba domain member.

> 
> Samba is a member of a Windows server 2003 R2 domain.
> 
>  
> Here is my smb.conf :

Whilst there are things that I would change in your smb.conf, it should work correctly. The only line I would highlight is this:

unix password sync = Yes

You cannot have the same user in AD and /etc/passwd, so why do you have this line?

> 
> I created a share named "MyShare" where members of the domain group 
> FREDGROUP can read and write files and directories.
> 
>  
> Now I have user fpt, he is a member of group FREDGROUP and he created a 
> directory named "TEST" in the share MyShare.
> 
> Here is the ACL on the TEST directory :
> 
>  
> # file: /home/fred/TEST/
> # owner: fpt
> # group: root
> # flags: -s-
> user::rwx
> user:67022:r-x
> group::rwx
> group:root:rwx
> group:FREDGROUP:r-x
> group:fpt:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:67022:r-x
> default:user:fpt:rwx
> default:group::rwx
> default:group:root:rwx
> default:group:FREDGROUP:r-x
> default:mask::rwx
> default:other::---
>  
> I don't understand why I have a user with uid 67022.
> 
> 67022 is the gid of group FREDGROUP, I have no user with this uid in 
> the domain.

How do you know?
You are using the winbind 'rid' backend and this will allocate IDs automatically from a simple calculation using the RID:

ID = RID - BASE_RID + LOW_RANGE_ID

Or using your figures:
67022 = RID - 0 + 60000

The RID must be:

RID = 67022 - 60000
RID = 7022

> 
> I don't understand why I have a fpt group, there is no fpt group in 
> the domain.

Are you running an ftp server on the computer?

> 
>  
> When I activated the log acl:10 in smb.conf I saw this line :
> 
>  
> canon_ace index 2. Type = allow SID =
> S-1-5-21-175208659-1627204559-885930912-7022 gid 67022 SMB_ACL_GROUP 
> ace_flags = 0x0 perms r-x
> 
> canon_ace index 5. Type = allow SID =
> S-1-5-21-175208659-1627204559-885930912-7022 uid 67022 SMB_ACL_USER 
> ace_flags = 0x3 perms r-x

Oh look, there is RID '7022', for some reason, something that looks like a printer appears to be a user and group at the same time.

> 
>  
> It seems samba didn't differentiate between users and groups when it 
> set ACL rights on the directory.
> 

It can, when everything is set up correctly.

Can you post the AD object for the '7022' RID?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
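The rid-backend calculation Rowland describes, applied to the getfacl output and the AD object posted in this thread, as an added Python example that is not from the thread or from Samba's own code. It assumes an idmap range of 60000-69999 (only the lower bound 60000 and BASE_RID 0 appear above) and flags any numeric ACL entry whose id maps to an AD object of the other kind.

```python
import re

# Figures quoted in the thread: ID = RID - BASE_RID + LOW_RANGE_ID, BASE_RID 0, range
# starting at 60000. The upper bound 69999 is an ASSUMPTION (smb.conf is not shown).
DOMAIN_SID = "S-1-5-21-175208659-1627204559-885930912"
LOW_RANGE_ID, HIGH_RANGE_ID, BASE_RID = 60000, 69999, 0

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
ACL_RE = re.compile(r"^((?:default:)?(?:user|group)):(\d+):")

def sid_to_id(sid):
    """idmap_rid forward mapping; None for a foreign domain or an id outside the range."""
    m = SID_RE.match(sid)
    if not m or m.group(1) != DOMAIN_SID:
        return None
    unix_id = int(m.group(2)) - BASE_RID + LOW_RANGE_ID
    return unix_id if LOW_RANGE_ID <= unix_id <= HIGH_RANGE_ID else None

def id_to_sid(unix_id):
    """Reverse mapping: the domain SID a numeric uid/gid in the rid range stands for."""
    if not LOW_RANGE_ID <= unix_id <= HIGH_RANGE_ID:
        return None
    return f"{DOMAIN_SID}-{unix_id - LOW_RANGE_ID + BASE_RID}"

def numeric_acl_entries(getfacl_text):
    """(tag, id, sid) for every getfacl entry whose qualifier is a bare number,
    i.e. an id the system could not resolve to a name. Quoting ('> ') is tolerated."""
    found = []
    for raw in getfacl_text.splitlines():
        m = ACL_RE.match(raw.lstrip("> ").strip())
        if m:
            unix_id = int(m.group(2))
            found.append((m.group(1), unix_id, id_to_sid(unix_id)))
    return found

def mismatched_entries(getfacl_text, ad_objects):
    """Entries whose numeric id resolves to an AD object of the other kind
    (a group SID appearing as user:NNNN), the symptom discussed in the thread."""
    return [(tag, unix_id, sid) for tag, unix_id, sid in numeric_acl_entries(getfacl_text)
            if sid in ad_objects and ad_objects[sid] != tag.split(":")[-1]]

# Constructed sample: the relevant lines of the ACL posted above, and the one AD
# object (objectClass: group, RID 7022) that the numeric id resolves to.
SAMPLE_ACL = """# file: /home/fred/TEST/
user:67022:r-x
group:FREDGROUP:r-x
default:user:67022:r-x
default:group:FREDGROUP:r-x
"""
AD_OBJECTS = {f"{DOMAIN_SID}-7022": "group"}
```

Running `mismatched_entries(SAMPLE_ACL, AD_OBJECTS)` reports both `user:67022` entries as the group SID S-1-5-21-175208659-1627204559-885930912-7022 listed as a user.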
