[Samba] SMB 4.6 Member Server Improper ACLs being set

Wed Sep 27 20:21:42 UTC 2017

On Wed, 27 Sep 2017 14:48:44 -0500
Ryan Goode via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I recently upgraded from centos release 7.3 to 7.4 and samba 4.6.2 and
> noticed that when files/folders are added or manipulated from a
> windows PC via the share, extra ACLs get applied and i cannot figure
> out why. Nothing has changed configuration wise and i have tried all
> variations i can think of of different map settings, downgraded
> several releases of samba (4.4.4 failed to load due to some
> dependency issues).
> 
> I spun up a templated centos VM to test and found the same issue as my
> physical server.
> 
> im sharing /vault and heres the permission set of the folder:
> [root at template vault]# getfacl .
> # file: .
> # owner: root
> # group: root
> user::rwx
> group::rwx
> group:user_perm_storage_admin:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:user_perm_storage_admin:rwx
> default:mask::rwx
> default:other::---
> 
> if i map a share from a windows or linux machine back to this via
> samba and create a folder/file, it looks like this:
> 
> [root at template vault]# getfacl test/
> # file: test/
> # owner: ryan.goode
> # group: domain\040users
> user::rwx
> user:10513:rwx

This is strange, it looks like Domain Users is being treated as a user.

> user:14608:rwx
> group::rwx
> group:domain\040users:rwx
> group:ryan.goode:rwx

Why is there a group named after a user ?

> group:user_perm_storage_admin:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:ryan.goode:rwx

And here is the user.

> default:user:14608:rwx
> default:group::rwx
> default:group:domain\040users:rwx
> default:group:user_perm_storage_admin:rwx
> default:mask::rwx
> default:other::---
> 
> The ACLs im refering to as being erroneous are:
> user:10513:rwx
> user:14608:rwx
> default:user:14608:rwx
> 
> These correspond to groups in AD as seen here:
> 
> [root at template vault]# getent group | grep 14608
> user_perm_storage_admin:x:14608:
> [root at template vault]# getent group | grep 10513
> domain users:x:10513:

Have you tried 'getent passwd | grep 10513' ?

> 
> This wasnt happening when i originally setup these ACLs on my storage
> server and im trying to prevent this from happening further before it
> hoses my permission set.
> 
> Im at a loss for what to do next and google has yielded no useful
> information that i can find.
> 
> Any thoughts?
> - - - -
> smb.conf:
> #--authconfig--start-line--
> 
> # Generated by authconfig on 2017/04/14 06:41:51
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
> 
>    workgroup = AD
>    realm = AD.ALLGOODE.US
>    security = ads
>    template shell = /bin/bash
>    kerberos method = secrets only
>    winbind use default domain = true
>    winbind offline logon = true
> 
> #--authconfig--end-line--
> server string = Samba Server Version %v
> 
> idmap config * : backend = tdb
> idmap config * : range = 5000 - 9999
> idmap config AD : backend = rid
> idmap config AD : range = 10000-20000
> 
> #winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind cache time = 7200
> winbind nested groups = yes
> 
> ea support = yes

What filesystem are you using ?
If it is ext4, you shouldn't use the above line.

Can you post: 
/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/nsswitch.conf

Rowland