[Samba] Fwd: Re: Fwd: Extended acls with AD - problem with default/herited permissions
Edouard Guigné
eguigne at pasteur-cayenne.fr
Mon Dec 10 18:40:29 UTC 2018
Hello Dale,
Set inherit acls = yes locally to my share groups, and remove map acl
inherit = yes from global parameters of smb.conf does not solve my issue.
I still have acl "Domain Users" added to new folders/files.
As I wrote in my previous email, the only way I found to stop the acl
"Domain Users" from being added was with:
inherit owner = yes
With some disadvantages for users (not seeing the ownership of a file, etc.)
I do not know where I can look...
Edouard
-------- Forwarded message --------
Subject: Re: [Samba] Fwd: Extended acls with AD - problem with
default/herited permissions
Date: Mon, 10 Dec 2018 15:29:42 -0300
From: Edouard Guigné <eguigne at pasteur-cayenne.fr>
To: Dale <samba at txschroeder.family>
Cc: samba at lists.samba.org
Hello Dale,
I set map acl inherit = yes in global parameters of smb.conf
and set inherit owner = yes locally to my share "groups" of smb.conf
I have followed the wiki
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
It is indicated :
"To configure shares using extended access control lists (ACL), you must
enable the support in the |smb.conf| file. To enable extended ACL
support globally, add the following settings to the |[global]| section
of your |smb.conf| file:
vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes"
Do you mean I should try to add :
inherit acls = yes locally to my share "groups" ?
Should I remove map acl inherit = yes from global parameters of smb.conf ?
Edouard
On 10/12/2018 at 14:58, Dale wrote:
> Edouard,
>
> These are the 4 available parameters containing the word "inherit".
>
> inherit acls (S)
> inherit owner (S)
> inherit permissions (S)
> map acl inherit (S)
>
>
> Would "inherit acls" work for you?
>
> Dale
>
>
> On 12/10/18 10:56 AM, Edouard Guigné via samba wrote:
>> Hello,
>>
>> I add to my previous mail: the only way I found to stop the acl
>> "Domain Users" from being added is with:
>>
>> inherit owner = yes
>>
>> This has the advantage to recopy exactly the default acl defined on
>> the parent folder.
>> But this has the disadvantage of not showing which user has created a
>> folder/file, nor the ownership.
>>
>> Does something like "inherit group owner = yes" exist ?
>> chmod g+s has no effect on my configuration.
>>
>> Best Regards,
>>
>> EdG
>>
>>
>>
>> -------- Forwarded message --------
>> Subject: Extended acls with AD - problem with default/herited
>> permissions
>> Date: Mon, 10 Dec 2018 10:47:20 -0300
>> From: Edouard Guigné <eguigne at pasteur-cayenne.fr>
>> To: samba at lists.samba.org
>>
>>
>>
>> Hello,
>>
>> I set up a share on a samba 4.7.1 domain member with an Active
>> Directory controller; this share is used by all domain users.
>>
>> All users from the AD domain have a primary group "Domain Users", and
>> secondary groups to filter access on the folders of the share.
>> I noticed that when a user creates a sub-folder/file inside a "Top
>> folder", the default permissions from the "Top folder" are correctly
>> inherited, but the acl "Domain Users" is always added.
>>
>> I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about
>> this.
>> So I made a test with "acl_xattr:ignore system acls = yes" in my
>> smb.conf ; but it seems to disable extended acl to some folders...
>> This is not a solution.
>>
>> I tried also chmod g+s on "Top folders", but other acl "Domain Users"
>> is still added.
>>
>> I think something is bad in my smb.cfg, below is the result of
>> testparm :
>>
>> # Global parameters
>> [global]
>> client max protocol = SMB3
>> client min protocol = SMB2
>> client signing = required
>> disable spoolss = Yes
>> domain master = No
>> kerberos method = secrets and keytab
>> load printers = No
>> local master = No
>> log file = /var/log/samba/%m.log
>> name resolve order = wins bcast host lmhosts
>> preferred master = No
>> printcap name = /dev/null
>> realm = IPGAD.PASTEUR-CAYENNE.FR
>> security = ADS
>> server signing = required
>> winbind nss info = rfc2307
>> workgroup = IPGAD
>> idmap config ipgad : unix_primary_group = yes
>> idmap config ipgad : unix_nss_info = yes
>> idmap config ipgad : range = 1-14999
>> idmap config ipgad : schema_mode = rfc2307
>> idmap config ipgad : backend = ad
>> idmap config * : range = 15000-99999
>> idmap config * : backend = tdb
>> cups options = raw
>> hosts allow = 127. 10.9.8.
>> hosts deny = 10.9.9.
>> map acl inherit = Yes
>> store dos attributes = Yes
>> use sendfile = Yes
>> vfs objects = acl_xattr
>>
>>
>> [groups]
>> comment = jaguar2
>> path = /var/datashared
>> read only = No
>> valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
>> vfs objects = acl_xattr streams_xattr shadow_copy2
>> shadow:format = daily_%Y.%m.%d-%H.%M.%S
>> shadow:localtime = yes
>> shadow:sort = desc
>> shadow:basedir = /var/datashared
>> shadow:snapdir = /data/datashared/snapshots
>>
>>
>> [homes]
>> browseable = No
>> comment = Home Directories
>> create mask = 0700
>> directory mask = 0700
>> hide files = /~*.tmp/profile/desktop.ini/~$*/
>> path = /home
>> read only = No
>> valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
>>
>> May you help me to understand/solve the situation ?
>>
>> EdG
>>
>
>
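Added diagnostic example, not from the thread or from Samba: a Python check that parses `getfacl` text output for a parent folder and for a newly created child, and lists the named user/group entries on the child that the parent's default ACL never granted, which is exactly how the extra "Domain Users" entry described above shows up. The getfacl text, the paths and the "lab-a" group are constructed placeholders.

```python
from typing import List, Tuple
# One ACL entry as (tag, qualifier, perms), e.g. ("group", "domain users", "rwx").
Entry = Tuple[str, str, str]

def parse_getfacl(text: str) -> Tuple[List[Entry], List[Entry]]:
    """Split getfacl text output into (access entries, default entries)."""
    access: List[Entry] = []
    default: List[Entry] = []
    for raw in text.splitlines():
        # drop "# file:/owner:/group:" headers and the "#effective:" note a mask adds
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        # the qualifier may contain spaces ("domain users"), so split from the right
        tag, qualifier, perms = line.rsplit(":", 2)
        (default if is_default else access).append((tag, qualifier, perms))
    return access, default

def unexpected_named_entries(parent_text: str, child_text: str) -> List[Entry]:
    """Named entries on the child that the parent's default ACL did not grant (empty when inheritance is clean)."""
    _, parent_default = parse_getfacl(parent_text)
    child_access, _ = parse_getfacl(child_text)
    granted = {(tag, qual) for tag, qual, _ in parent_default if qual}
    return [e for e in child_access if e[1] and (e[0], e[1]) not in granted]

# Constructed sample getfacl output; paths and the "lab-a" group are placeholders.
PARENT_ACL = """\
# file: /var/datashared/Top
user::rwx
group::---
group:lab-a:rwx
other::---
default:user::rwx
default:group::---
default:group:lab-a:rwx
default:other::---
"""

CHILD_ACL = """\
# file: /var/datashared/Top/new-folder
user::rwx
group::---
group:lab-a:rwx
group:domain users:rwx
other::---
"""
```

Run `getfacl` on the top folder and on a file a user just created there, feed both texts to `unexpected_named_entries`, and a non-empty result pinpoints the entry that inheritance alone did not produce.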