[Samba] SMB_ACL_GROUP SMB_ACL_USER
Frédéric POUGNAULT
f.pougnault at galitt.com
Wed Jun 14 08:41:10 UTC 2017
Hello,
Yes I wrote a mistike its not v4.6.6 but 4.6.5.
For "unix password sync = yes" it is an old parameters, it was ten years ago an sftp server was installed with samba server.
Currently there is no ftp server.
Here is the AD object with RID 7022
objectClass: top
objectClass: group
cn: FREDGROUP
member: CN=fpt,CN=Users,DC=cogesys,DC=com
distinguishedName: CN=FREDGROUP,CN=Users,DC=cogesys,DC=com
instanceType: 4
whenCreated: 12/06/2007 09:46:04
whenChanged: 06/14/2017 07:21:18
uSNCreated: 20677766
memberOf: CN=Basic_Authentification,CN=Users,DC=cogesys,DC=com
uSNChanged: 44188593
name: FREDGROUP
objectGUID: {472F71F0-759B-46FD-BA08-053A9246080D}
objectSid: S-1-5-21-175208659-1627204559-885930912-7022
sAMAccountName: FREDGROUP
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=cogesys,DC=com
dSCorePropagationData: 11/30/2016 14:11:42
dSCorePropagationData: 01/01/1601 00:00:01
ADsPath: LDAP://godc6.cogesys.com/CN=FREDGROUP,CN=Users,DC=cogesys,DC=com
e : samba [mailto:samba-bounces at lists.samba.org] De la part de Rowland Penny via samba
Envoyé : mardi 13 juin 2017 16:48
À : samba at lists.samba.org
Cc : Frédéric POUGNAULT
Objet : Re: [Samba] SMB_ACL_GROUP SMB_ACL_USER
On Tue, 13 Jun 2017 15:17:47 +0200
Frédéric POUGNAULT via samba <samba at lists.samba.org> wrote:
> I installed a samba server v 4.6.6,
Where did you get 4.6.6 from ?
The latest stable release is 4.6.5
>
> I use samba in classic mode (in /etc/default/sernet-samba).
No you are not, you have a Samba domain member.
>
> Samba is a member of a Windows server 2003 R2 domain.
>
>
> Here is my smb.conf :
Whilst there are things that I would change in your smb.conf, it should work correctly. The only line I would highlight is this:
unix password sync = Yes
You cannot have the same user in AD and /etc/passwd, so why do you have this line ?
>
> I created a share named "MyShare" where member of domain group
> FREDGROUP can read and write files and directories.
>
>
> Now I have user fpt, he is a member of group FREDGROUP and he create a
> directory name "TEST" in the share MyShare.
>
> Here is the ACL on the TEST directory :
>
>
> # file: /home/fred/TEST/
> # owner: fpt
> # group: root
> # flags: -s-
> user::rwx
> user:67022:r-x
> group::rwx
> group:root:rwx
> group:FREDGROUP:r-x
> group:fpt:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:67022:r-x
> default:user:fpt:rwx
> default:group::rwx
> default:group:root:rwx
> default:group:FREDGROUP:r-x
> default:mask::rwx
> default:other::---
>
> I don't understand why I have a user with uid 67022.
>
> 67022 is the gid of group FREDGROUP, I have no user with this uid in
> the domain.
How do you know ?
You are using the winbind 'rid' backend and this will allocated ID's automatically from a simple calculation using the RID:
ID = RID - BASE_RID + LOW_RANGE_ID
Or using your figures:
67022 = RID - 0 + 60000
The RID must be:
RID = 67022 - 60000
RID = 7022
>
> I don't understand why I have a fpt group, there is no fpt group in
> the domain.
Are you running an ftp server on the computer ?
>
>
> When I activated the log acl:10 in smb.conf I saw this line :
>
>
> canon_ace index 2. Type = allow SID =
> S-1-5-21-175208659-1627204559-885930912-7022 gid 67022 SMB_ACL_GROUP
> ace_flags = 0x0 perms r-x
>
> canon_ace index 5. Type = allow SID =
> S-1-5-21-175208659-1627204559-885930912-7022 uid 67022 SMB_ACL_USER
> ace_flags = 0x3 perms r-x
Oh look, there is RID '7022', for some reason, something that looks like a printer appears to be a user and group at the same time.
>
>
> Its seems samba didn't do difference between users and groups when he
> sets acl right on the directory.
>
It can, when everything is set up correctly.
Can you post the AD object for the '7022' RID
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list