[Samba] Trouble managing ACLs from Windows

Rowland Penny rpenny at samba.org
Wed Nov 8 12:20:11 UTC 2017 

On Wed, 8 Nov 2017 12:59:28 +0100
Johannes Engel via samba <samba at lists.samba.org> wrote:

> Hello list,
> 
> following the guidance from here
> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
> I have set up a file server which is member of a Samba 4.6.9 AD
> domain.
> 
> I have created ACLs using a Windows client with a domain admin
> account. While I have no issues with some folders, the server denies
> access to others to users that should have access by means of group
> membership.
> 
> I tried to simulate this using the "Effective access" tab in the
> security settings per folder using the admin account where it shows
> that access should be granted to the respective user. However, I
> noted that sometimes the group SIDs are not properly resolved to the
> names.
> 
> The file server itself is using sssd instead of winbind. Administrator
> is mapped to root using the mapping file, the filesystem underneath
> the share is BTRFS.
> 
> Any suggestion where I could dig deeper?
> 
> The respective section from smb.conf:
> 
> [global]
>         realm = SAMBA.MYDOMAIN.COM
>         security = ADS
>         kerberos method = secrets and keytab
>         server role = member server
>         server services = s3fs
>         disable netbios = yes
>         smb ports = 445
>         idmap_ldb:use rfc2307 = yes
>         browseable=yes
>         username map = /etc/samba/file.map
>         vfs objects = streams_xattr acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
> 
> [ShareName]
>         comment = Description
>         path = /mnt/data/sharedir
>         read only = No
>         vfs objects = acl_xattr recycle snapper btrfs
>         recycle:keeptree = yes
>         recycle:maxsize = 536870912
> 
> Thanks a lot!
> 
> Best regards
> Johannes
> 

'server services = s3fs' & 'idmap_ldb:use rfc2307 = yes' only make
sense on a DC.

As for your problem, it very probably isn't a Samba problem, I say this
because you are using sssd for authentication and sssd has nothing to
do with Samba.
You should get better help on the sssd-users mailing list.
Failing that, purge sssd and set up windbind, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

More information about the samba mailing list