[Samba] using AD groups in "username map"

Rowland Penny rpenny at samba.org
Tue Feb 20 17:46:49 UTC 2018

On Tue, 20 Feb 2018 16:47:25 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> Hmm, bit of a catch 22 situation here, to use members of 'Domain
> Admins' to set the ACLs on a share directory, the group for the share
> directory must be 'Domain Admins', but if you tell Samba to ignore the
> system acls, then 'Domain Admins' will not have permission on the
> share.
> I have never used 'acl_xattr:ignore system acls = yes' myself, so I
> don't know of a workaround, I have ideas, so I will go and test them.
> Watch this space ;-)
> Rowland

OK, fired up a Win7 VM and tried to add users to a share.
First the good news, it doesn't matter if 'acl_xattr:ignore system acls
= yes' is set or not.

Now the bad news, it didn't work on a share that didn't have
'acl_xattr:ignore system acls = yes' at first. I traced this down to a
permissions problem.

I ran: ls -lad /home/testdata

Which returned this:

drwxrwx---+ 2 root unix admins 4096 Jan 26 14:27 /home/testdata

So, on the face of it, members of 'unix admins' should be able to write
to the share. NOTE: I use Unix Admins instead of Domain Admins

Well they couldn't ;-)

I traced this to:

getfacl /home/testdata

Which produced this:

getfacl: Removing leading '/' from absolute path names
# file: home/testdata
# owner: root
# group: unix\040admins

According to getfacl 'unix admins' has NO permissions

To fix this, I ran:

setfacl -m g:'unix admins':rwx /home/testdata

Refreshed the computer in windows 'Computer Management' and I could
then manage the share from windows.
Added 'acl_xattr:ignore system acls = yes' to the share in smb.conf,
reloaded the Samba config and it still worked.


More information about the samba mailing list