[Samba] samba 4 ad member - idmap = ad for machine accounts

L.P.H. van Belle belle at bazuin.nl
Tue Sep 19 08:01:26 UTC 2017

I did loose a bit what the exact problem was here but i can to explain a bit here.

Why do i use : acl_xattr:ignore system acls = yes
>From : man vfs_acl_xattr

The vfs_acl_xattr VFS module stores NTFS Access Control Lists (ACLs) in Extended Attributes (EAs). 
This enables the full mapping of Windows ACLs on Samba servers.

Now think in user SYSTEM ( and others with ID_BOTH ) and the problems of settting user/group rights.
Now read : 
  acl_xattr:ignore system acls = [yes|no]
      When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module. 
	The default is no, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs. 
	This is better if you need your system ACLs be set for local or NFS file access

The one i never post is: acl_xattr:default acl style = [posix|windows]
This parameter determines the type of ACL that is synthesized in case a file or directory lacks an security.NTACL xattr.
When set to posix, an ACL will be synthesized based on the POSIX mode permissions for user, group and others, with an additional ACE for NT Authority\SYSTEM will full rights. 
When set to windows, an ACL is synthesized the same way Windows does it, only including permissions for the owner and NT Authority\SYSTEM.
The default for this option is posix.

Now, because of the ID_BOTH user/group problems, i did setup the following way. 
A mix of ad and member shares names where i set : acl_xattr:ignore system acls = yes 

( the share name shows what they are used for. ) 
1) sysvol netlogon profiles printer$ drivers software_deploy 
These get all acl_xattr:ignore system acls = yes 
This way i've made sure all my windows things are working. 
( GPO/Deployments where computers write to logfiles etc. ) 

2) homes ( I call them users in my setup, to keep the "windows" part in mind ).
This one keeps does not get : acl_xattr:ignore system acls 
This is because of shareing the home folder with (in my case) nfsv4 kerberized. 
Here i need some posix stuff, we need uid/gid here. 

( small tip also for above settings ) 
If you want "Creator Owner" on a folder  ( 1700 of 1750 or 1777 ) 
If you want "Creator Group" on a folder  ( 3700 of 3750 or 3777 ) 

Now keep above in mind now add the combination of UID/GID  XIDNumbers  SID/GID Etc. 
And the AD or RID backends. 

.. And i must be honest,, Rowland is better in explaining this part. 
So calling Rowland here...  ;-) 



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marco Gaiarin via samba
> Verzonden: dinsdag 19 september 2017 9:11
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] samba 4 ad member - idmap = ad for 
> machine accounts
> Mandi! Kacper Wirski via samba
>   In chel di` si favelave...
> > getent passwd gives same, OK result, still unable to authenticate
> I'm still curious to know how rfc23037 does not work, and RID 
> insted work.
> Seems to me that assigning a GID to 'Domain Computers' is the 
> same as using RID.
> Kacper: i don't want to offend you but... have you invalidate 
> the eventually used cache, eg restart for example nscd?
> Louis, Rowland: can you explain why?
> Thanks.
> -- 
> dott. Marco Gaiarin				        GNUPG 
> Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al 
> Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   
> f +39-0434-842797
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list