[Samba] using AD groups in "username map"
rpenny at samba.org
Tue Feb 20 17:46:49 UTC 2018
On Tue, 20 Feb 2018 16:47:25 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> Hmm, bit of a catch 22 situation here, to use members of 'Domain
> Admins' to set the ACLs on a share directory, the group for the share
> directory must be 'Domain Admins', but if you tell Samba to ignore the
> system acls, then 'Domain Admins' will not have permission on the
> I have never used 'acl_xattr:ignore system acls = yes' myself, so I
> don't know of a workaround, I have ideas, so I will go and test them.
> Watch this space ;-)
OK, fired up a Win7 VM and tried to add users to a share.
First the good news, it doesn't matter if 'acl_xattr:ignore system acls = yes' is set or not.
Now the bad news: it didn't work on a share that didn't have 'acl_xattr:ignore system acls = yes' at first. I traced this down to a
I ran: ls -lad /home/testdata
Which returned this:
drwxrwx---+ 2 root unix admins 4096 Jan 26 14:27 /home/testdata
So, on the face of it, members of 'unix admins' should be able to write
to the share. NOTE: I use Unix Admins instead of Domain Admins
Well they couldn't ;-)
I traced this to:
Which produced this:
getfacl: Removing leading '/' from absolute path names
# file: home/testdata
# owner: root
# group: unix\040admins
According to getfacl, 'unix admins' has NO permissions.
To fix this, I ran:
setfacl -m g:'unix admins':rwx /home/testdata
Refreshed the computer in windows 'Computer Management' and I could
then manage the share from windows.
Added 'acl_xattr:ignore system acls = yes' to the share in smb.conf,
reloaded the Samba config and it still worked.