[Samba] Extended acls with AD - problem with default/herited permissions
Edouard Guigné
eguigne at pasteur-cayenne.fr
Mon Dec 10 13:47:20 UTC 2018
Hello,
I set up a share on Samba 4.7.1 as a domain member with an Active Directory
controller; this share is used by all domain users.
All users from the AD domain have a primary group "Domain Users", and
secondary groups to filter access on the folders of the share.
I noticed that when a user creates a sub-folder/file inside a "Top
folder", the default permissions from the "Top folder" are well inherited,
but the ACL "Domain Users" is always added.
I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about this.
So I made a test with "acl_xattr:ignore system acls = yes" in my
smb.conf, but it seems to disable extended ACLs on some folders...
This is not a solution.
I also tried chmod g+s on "Top folders", but the other ACL "Domain Users" is
still added.
I think something is wrong in my smb.conf; below is the result of testparm:
# Global parameters
[global]
client max protocol = SMB3
client min protocol = SMB2
client signing = required
disable spoolss = Yes
domain master = No
kerberos method = secrets and keytab
load printers = No
local master = No
log file = /var/log/samba/%m.log
name resolve order = wins bcast host lmhosts
preferred master = No
printcap name = /dev/null
realm = IPGAD.PASTEUR-CAYENNE.FR
security = ADS
server signing = required
winbind nss info = rfc2307
workgroup = IPGAD
idmap config ipgad : unix_primary_group = yes
idmap config ipgad : unix_nss_info = yes
idmap config ipgad : range = 1-14999
idmap config ipgad : schema_mode = rfc2307
idmap config ipgad : backend = ad
idmap config * : range = 15000-99999
idmap config * : backend = tdb
cups options = raw
hosts allow = 127. 10.9.8.
hosts deny = 10.9.9.
map acl inherit = Yes
store dos attributes = Yes
use sendfile = Yes
vfs objects = acl_xattr
[groups]
comment = jaguar2
path = /var/datashared
read only = No
valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
vfs objects = acl_xattr streams_xattr shadow_copy2
shadow:format = daily_%Y.%m.%d-%H.%M.%S
shadow:localtime = yes
shadow:sort = desc
shadow:basedir = /var/datashared
shadow:snapdir = /data/datashared/snapshots
[homes]
browseable = No
comment = Home Directories
create mask = 0700
directory mask = 0700
hide files = /~*.tmp/profile/desktop.ini/~$*/
path = /home
read only = No
valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
Could you help me understand/solve the situation?
EdG
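A way to check what a freshly created sub-folder actually carries versus what its parent's default ACL grants, as an added example that is not part of the original post: it parses getfacl(1) output and separates named entries (which should come from the parent's defaults) from the owning-group entry, which is what acl_xattr surfaces as the extra "Domain Users" ACE. The getfacl samples, folder names and the group "projet-a" are constructed, not taken from the poster's server.

```python
import re

# getfacl(1) entry: [default:]tag:qualifier:perms (a "#effective:" suffix may follow)
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")
def parse_getfacl(text):
    """Return (owning_group, access_entries, default_entries) from getfacl output;
    entries are (tag, qualifier, perms). acl_xattr maps the owning group to an ACE."""
    group, access, default = None, set(), set()
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            m = ENTRY_RE.match(line.split("#", 1)[0].strip())
            if m:
                is_default, tag, qual, perms = m.groups()
                (default if is_default else access).add((tag, qual, perms))
    return group, access, default
def audit_inheritance(parent_text, child_text):
    """What a new child carries beyond what its parent's default ACL grants."""
    _, _, parent_default = parse_getfacl(parent_text)
    child_group, child_access, _ = parse_getfacl(child_text)
    # only user:NAME / group:NAME entries are inherited; base entries come from uid/gid/umask
    named = lambda acl: {e for e in acl if e[0] in ("user", "group") and e[1]}
    group_perms = next((p for t, q, p in child_access if (t, q) == ("group", "")), "---")
    return {
        # named entries on the child that no default entry on the parent explains
        "extra_named": sorted(named(child_access) - named(parent_default)),
        # owning group and its rights: with rights set, this is the extra "Domain Users" ACE
        "owning_group": (child_group, group_perms),
    }

# Constructed getfacl excerpts (not from the poster's server); parent access entries omitted.
PARENT_ACL = """\
# group: root
default:user::rwx
default:group::---
default:group:projet-a:rwx
default:mask::rwx
default:other::---
"""
CHILD_ACL = """\
# group: domain users
user::rwx
group::rwx
group:projet-a:rwx
mask::rwx
other::---
"""
```

Run `audit_inheritance(PARENT_ACL, CHILD_ACL)` against real `getfacl` captures of a top folder and a sub-folder a domain user just created; an owning group with non-empty rights is the entry to look at, since the named entries alone can match the parent's defaults perfectly.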