[Samba] Trouble managing ACLs from Windows

Johannes Engel jcnengel+samba at gmail.com
Wed Nov 8 11:59:28 UTC 2017


Hello list,

Following the guidance from here
(https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
I have set up a file server which is a member of a Samba 4.6.9 AD domain.

I have created ACLs using a Windows client with a domain admin account.
While I have no issues with some folders, the server denies access to
others to users that should have access by means of group membership.

I tried to simulate this using the "Effective access" tab in the
security settings per folder using the admin account where it shows that
access should be granted to the respective user. However, I noted that
sometimes the group SIDs are not properly resolved to the names.

The file server itself is using sssd instead of winbind. Administrator
is mapped to root using the mapping file; the filesystem underneath the
share is BTRFS.

Any suggestion where I could dig deeper?

The respective section from smb.conf:

[global]
        realm = SAMBA.MYDOMAIN.COM
        security = ADS
        kerberos method = secrets and keytab
        server role = member server
        server services = s3fs
        disable netbios = yes
        smb ports = 445
        idmap_ldb:use rfc2307 = yes
        browseable=yes
        username map = /etc/samba/file.map
        vfs objects = streams_xattr acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[ShareName]
        comment = Description
        path = /mnt/data/sharedir
        read only = No
        vfs objects = acl_xattr recycle snapper btrfs
        recycle:keeptree = yes
        recycle:maxsize = 536870912

Thanks a lot!

Best regards
Johannes
