[Samba] ACL set in Windows not set in Samba
Viktor Trojanovic
viktor at troja.ch
Sun May 13 15:39:39 UTC 2018
Setup: Samba AD DC and Samba AD Member Server, Win10 clients only. Samba
version 4.8.1
Has something changed recently in the way ACLs are supposed to work? My
existing shares work just fine but any ACL changes I make using Windows are
ignored in Samba.
For example, I'm creating a new folder in Windows inside an existing share
and I add user User1 or group Group1 in the security tab. User1 has a
unique uidNumber, and Group1 has a unique gidNumber. Usually, this would
propagate to Samba and I could verify the new ACLs using getfacl. But
getfacl keeps showing me the same no matter what I do, i.e. root as owner
and Domain Admins as default group. User1 or Group1 are not shown anywhere
but in Windows, though that doesn't seem enough; User1 is prevented from
accessing the folder or its contents.
I checked if there were changes on the wiki, mainly
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, but
I didn't notice anything. I also checked if there is a problem on my system
using the information found on
https://wiki.samba.org/index.php/File_System_Support but ACLs work fine
when I set them manually in Linux.
My smb.conf:
[global]
netbios name = FILESERVER
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/samba_usermap
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
idmap config SAMDOM:unix_nss_info = yes
winbind use default domain = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
load printers = no
printing = bsd
printcap name = /dev/null
[myshare]
path = /srv/samba/myshare
comment = "My Data"
guest ok = no
writeable = yes
create mask = 0666
directory mask = 0777
acl_xattr:ignore system acls = yes
Any help is much appreciated.
Slightly off topic: Is my assumption correct that gidNumbers and uidNumbers
do not need to be distinct between each other, i.e. can a user have the
same number as uidNumber that a group has as gidNumber?
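Added example, not part of the post or of Samba itself: a small Python linter for the kind of smb.conf quoted above, which flags duplicate keys and any share where the acl_xattr module runs with ignore system acls = yes, the combination under which Samba keeps the NT ACL only in the security.NTACL xattr and does not map it to POSIX ACLs, so getfacl does not reflect ACLs set from Windows. It assumes a simplified "key = value" parser (case-insensitive keys, share settings override [global], last occurrence wins) and embeds a constructed excerpt mirroring the post's configuration.

```python
# Added example (not from the post): lint smb.conf for settings that hide
# Windows-side ACL edits from getfacl. Simplified parser, see lead-in.

SMB_CONF = """[global]
vfs objects = acl_xattr
winbind use default domain = yes
winbind use default domain = yes
[myshare]
path = /srv/samba/myshare
acl_xattr:ignore system acls = yes
"""  # constructed excerpt mirroring the post's configuration

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def effective(sections, share, key):
    """Share-level value overrides [global]; last occurrence wins."""
    value = None
    for sec in ("global", share):
        for k, v in sections.get(sec, []):
            if k == key:
                value = v
    return value

def audit(text):
    """Return (section, finding) pairs: duplicate keys and ACL mapping gaps."""
    sections, findings = parse_smb_conf(text), []
    for sec, items in sections.items():
        keys = [k for k, _ in items]
        findings += [(sec, "duplicate key '%s'" % k)
                     for k in sorted(set(keys)) if keys.count(k) > 1]
    for share in (s for s in sections if s != "global"):
        vfs = (effective(sections, share, "vfs objects") or "").split()
        ignore = effective(sections, share, "acl_xattr:ignore system acls") or ""
        if "acl_xattr" in vfs and ignore.lower() in ("yes", "true", "1"):
            findings.append((share, "ignore system acls = yes: NT ACL kept only in "
                "the security.NTACL xattr; getfacl will not show ACLs set from Windows"))
    return findings
```

Run audit(SMB_CONF) to see both findings; to verify on a live share, compare getfacl output with the NT ACL stored in the xattr (samba-tool ntacl get) rather than relying on getfacl alone.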