[Samba] Fw: AD users are not shown in Domain Controller when applying setfacl command

Rowland Penny rpenny at samba.org
Tue Dec 4 13:34:27 UTC 2018

On Tue, 4 Dec 2018 12:37:23 +0000 (UTC)
barani tharan <aru_barani at yahoo.com> wrote:

>  Dear Team
> 1.  I get the same error on the domain controller when I try to set an
> ACL on the share:
> [root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
> setfacl: Option -m: Invalid argument near character 7

Never try to use 'Administrator' on a Unix machine, use 'root' instead

> [root at samba4dc ~]# id EIPL\administrator
> id: EIPLadministrator: no such user

You have hit a Unix problem there: a single '\' is a Unix 'escape'
character, so you need to use two:

root at dc4:~# id SAMDOM\\Administrator
uid=0(root) gid=0(root) groups=0(root)

That also shows one of the reasons why you shouldn't use the WINDOWS
user 'Administrator' on UNIX.

> 3. When I view the ACL on that share folder, I see only the user ID,
> not the user name.
> [root at samba4dc ~]# getfacl /Share
> getfacl: Removing leading '/' from absolute path names
> # file: Share
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::r-x
> group:root:r-x
> group:3000000:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:3000000:rwx
> default:mask::rwx
> default:other::r-x

I am prepared to lay money on '3000000' being the group
'Administrators' and not the user 'Administrator'

> 4. When I use samba-tool to view users, it shows the user names:
> [root at samba4dc ~]# samba-tool user list
> Administrator
> Ramkumar
> dns-samba4dc
> rhevadmin
> krbtgt
> Guest

Samba-tool works in a similar manner to 'wbinfo -u', that is, they both
show all AD users, but those users are not necessarily known to Unix.

> 5. [root at samba4dc ~]# samba -V
> Version 4.7.11
>         I don't know how to solve this problem. One more thing: I viewed
> the links Identity Mapping Back Ends - SambaWiki and Setting up
> RFC2307 in AD - SambaWiki.
> 6.  In these links it says things like:
> 1. ID mapping back ends are not supported in the smb.conf file on a Samba
> AD DC

They never have been; they used to be totally ignored, but an update
meant they started to interfere with Samba, and they still didn't work.

>2. On a AD DC there should not be more than the sysvol and
> netlogon share, so the usage of unified RFC2307 idmappings is not
> really important. 

No, it says it isn't recommended, but you can have shares if you really

> If you want to enable RFC2307 ID mappings on the
> DC for whatever reason, then you would have to verify on the Samba DC,
> that the idmap_ldb:use rfc2307
> 7.  In another link, Updating Samba - SambaWiki
>        In that link I saw an option like this, so please guide me to solve
> this issue; I am really confused. Failure To Access Shares on
> Domain Controllers If idmap config Parameters Set in the smb.conf File

Very simple, do not add any 'idmap config' lines to an AD DC smb.conf

> 4.4.6 or later
> The winbindd service on a Samba Active Directory (AD) domain
> controller (DC) automatically uses the IDs set in the Active
> Directory uidNumber and gidNumber attributes of user accounts and
> groups. If the attributes are not set, Samba generates IDs locally on
> the DC and stores them in the idmap.ldb database. Thus, on a Samba AD
> DC, idmap config parameters set in the smb.conf file were ignored.
> Due to a bug in Samba 4.4.6 and later, the parameters are no longer
> ignored and clients fail to connect to shares on the DC. To fix the
> problem: 
>    -  Remove all idmap config parameters in the smb.conf file on DCs.
>    -  Restart the samba service.
>    -  Restart the clients.
> As a result, clients now correctly connect to shares on the DC

It is actually the other way around, by default, the 'xidNumbers' in
idmap.ldb are used, but if 'uidNumber' & 'gidNumber' attributes are
added to AD, these will be used instead. Everything else is correct.
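The three practical points in this thread (the shell eating the backslash in 'DOMAIN\name', getfacl printing a bare xidNumber such as 3000000 when NSS cannot name it, and 'idmap config' lines having no place in an AD DC smb.conf) can be checked from one small script. The following is an added example written for this page, not code from the original post, from Rowland or from the Samba project. It assumes the real setfacl/getfacl formats and the real wbinfo flags --uid-to-sid, --gid-to-sid and --sid-to-name; the getfacl text and smb.conf fragment embedded in it are constructed from what was posted above, and the 'SAMDOM' domain name is the one used in Rowland's reply.

```python
"""Sanity checks for POSIX ACLs on a Samba AD DC (added example, not Samba's own code)."""
import grp
import pwd
import re
import shutil
import subprocess

# Constructed sample: the getfacl output posted in the thread (stdout only,
# the "Removing leading '/'" warning goes to stderr and is not part of it).
SAMPLE_GETFACL = """\
# file: Share
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
user:3000000:rwx
group::r-x
group:root:r-x
group:3000000:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::r-x
"""

# Constructed sample: an AD DC smb.conf [global] carrying a line it must not have.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    idmap config * : backend = tdb
"""


def parse_getfacl(text):
    """Return (is_default, kind, qualifier, perms) for every ACL entry line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        body = line.split('#', 1)[0].strip()   # drop any "#effective:" annotation
        is_default = body.startswith('default:')
        if is_default:
            body = body[len('default:'):]
        kind, qualifier, perms = body.split(':', 2)
        entries.append((is_default, kind, qualifier, perms))
    return entries


def unresolved_ids(entries):
    """Qualifiers getfacl had to print numerically: IDs NSS could not name."""
    return sorted({(kind, q) for _, kind, q, _ in entries if q.isdigit()})


def resolve_id(kind, numeric_id):
    """Name for a numeric ACL qualifier: NSS first (what getfacl itself uses),
    then, if wbinfo is installed, ask winbind for the SID and the SID's name.
    Returns None when nothing resolves, which is the situation in the post."""
    try:
        if kind == 'user':
            return pwd.getpwuid(int(numeric_id)).pw_name
        return grp.getgrgid(int(numeric_id)).gr_name
    except KeyError:
        pass
    wbinfo = shutil.which('wbinfo')
    if wbinfo is None:
        return None
    flag = '--uid-to-sid' if kind == 'user' else '--gid-to-sid'
    sid = subprocess.run([wbinfo, flag, str(numeric_id)], capture_output=True, text=True)
    if sid.returncode != 0:
        return None
    name = subprocess.run([wbinfo, '--sid-to-name', sid.stdout.strip()],
                          capture_output=True, text=True)
    return name.stdout.strip() or None


def setfacl_argv(kind, domain, name, perms, path):
    """argv for setfacl with a DOMAIN\\name qualifier, to be run without a shell
    (subprocess.run(argv)); the backslash then reaches setfacl intact, so the
    escaping problem from the thread does not arise at all."""
    return ['setfacl', '-m', f'{kind}:{domain}\\{name}:{perms}', path]


# Samba parameter names are case-insensitive and ignore internal whitespace.
IDMAP_RE = re.compile(r'^\s*idmap\s*config\b', re.IGNORECASE)


def idmap_config_lines(smb_conf_text):
    """(line number, text) of every 'idmap config' line: on an AD DC all must go."""
    return [(n, line.strip()) for n, line in enumerate(smb_conf_text.splitlines(), 1)
            if IDMAP_RE.match(line)]


if __name__ == '__main__':
    for kind, xid in unresolved_ids(parse_getfacl(SAMPLE_GETFACL)):
        print(f'{kind} {xid} -> {resolve_id(kind, xid)}')
    print(setfacl_argv('group', 'SAMDOM', 'Administrators', 'rwx', '/Share'))
    print(idmap_config_lines(SAMPLE_SMB_CONF))
```

Run on the posted ACL, unresolved_ids() reports 3000000 once as a user qualifier and once as a group qualifier, which is the ambiguity Rowland is pointing at; resolve_id() only turns it into a name on a host where winbind knows the mapping. The idmap_config_lines() check is the one to run before restarting samba after the wiki's "Failure To Access Shares on Domain Controllers" fix.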
