[Samba] Extended acls with AD - problem with default/herited permissions

Edouard Guigné eguigne at pasteur-cayenne.fr
Mon Dec 10 13:47:20 UTC 2018


I set a share on a samba 4.7.1 as domain member with an Active Directory 
controler, this share is used by all domain users.

All users from the AD domain have a primary group "Domain Users", and 
secondary groups to filter access on the folders of the share.
I noticed that when a user create a sub-folder/file inside a "Top 
folder", the default permissions from the "Top folder" are well herited, 
but the acl "Domain Users" is always added.

I find a link  https://bugzilla.samba.org/show_bug.cgi?id=8938 about this.
So I made a test with "acl_xattr:ignore system acls = yes" in my 
smb.conf ; but it seems to disable extended acl to some folders...
This is not a solution.

I tried also chmod g+s on "Top folders", but other acl "Domain Users" is 
still added.

I think something is bad in my smb.cfg, below is the result of testparm :

# Global parameters
         client max protocol = SMB3
         client min protocol = SMB2
         client signing = required
         disable spoolss = Yes
         domain master = No
         kerberos method = secrets and keytab
         load printers = No
         local master = No
         log file = /var/log/samba/%m.log
         name resolve order = wins bcast host lmhosts
         preferred master = No
         printcap name = /dev/null
         security = ADS
         server signing = required
         winbind nss info = rfc2307
         workgroup = IPGAD
         idmap config ipgad : unix_primary_group = yes
         idmap config ipgad : unix_nss_info = yes
         idmap config ipgad : range = 1-14999
         idmap config ipgad : schema_mode = rfc2307
         idmap config ipgad : backend = ad
         idmap config * : range = 15000-99999
         idmap config * : backend = tdb
         cups options = raw
         hosts allow = 127. 10.9.8.
         hosts deny = 10.9.9.
         map acl inherit = Yes
         store dos attributes = Yes
         use sendfile = Yes
         vfs objects = acl_xattr

         comment = jaguar2
         path = /var/datashared
         read only = No
         valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
         vfs objects = acl_xattr streams_xattr shadow_copy2
         shadow:format = daily_%Y.%m.%d-%H.%M.%S
         shadow:localtime = yes
         shadow:sort = desc
         shadow:basedir = /var/datashared
         shadow:snapdir = /data/datashared/snapshots

         browseable = No
         comment = Home Directories
         create mask = 0700
         directory mask = 0700
         hide files = /~*.tmp/profile/desktop.ini/~$*/
         path = /home
         read only = No
         valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"

May you help me to understand/solve the situation ?


More information about the samba mailing list