[Samba] ACL set in Windows not set in Samba

Viktor Trojanovic viktor at troja.ch
Sun May 13 15:39:39 UTC 2018


Setup: Samba AD DC and Samba AD Member Server, Win10 clients only. Samba
version 4.8.1

Has something changed recently in the way ACLs are supposed to work? My
existing shares work just fine, but any ACL changes I make using Windows are
ignored in Samba.

For example, I'm creating a new folder in Windows inside an existing share
and I add user User1 or group Group1 in the security tab. User1 has a
unique uidNumber, and Group1 has a unique gidNumber. Usually, this would
propagate to Samba and I could verify the new ACLs using getfacl. But
getfacl keeps showing me the same thing no matter what I do, i.e. root as owner
and Domain Admins as default group. User1 or Group1 are not shown anywhere
but in Windows, though that doesn't seem to be enough: User1 is prevented from
accessing the folder or its contents.

I checked if there were changes on the wiki, mainly
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, but
I didn't notice anything. I also checked if there is a problem on my system
using the information found on
https://wiki.samba.org/index.php/File_System_Support but ACLs work fine
when I set them manually in Linux.

My smb.conf

[global]

  netbios name = FILESERVER
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  username map = /etc/samba/samba_usermap

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 10000-99999
  idmap config SAMDOM:unix_nss_info = yes

  winbind use default domain = yes

  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  load printers = no
  printing = bsd
  printcap name = /dev/null

[myshare]
  path = /srv/samba/myshare
  comment = "My Data"
  guest ok = no
  writeable = yes
  create mask = 0666
  directory mask = 0777
  acl_xattr:ignore system acls = yes

Any help is much appreciated.

Slightly off topic: Is my assumption correct that gidNumbers and uidNumbers
do not need to be distinct from each other, i.e. can a user have the
same number as uidNumber that a group has as gidNumber?
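Added example (not code from the post or from the Samba project): a small Python linter that parses an smb.conf in the form quoted above and reports the settings that bear on the question, namely repeated keys, overlapping idmap ranges, and a share whose effective `acl_xattr:ignore system acls` is yes. The last check follows the vfs_acl_xattr(8) man page: with that option set, the module stops mapping NT ACLs to the POSIX ACL layer, so the ACL is kept only in the security.NTACL extended attribute and getfacl does not reflect edits made from Windows. The sample configuration is copied from the post; the function names and the text of the findings are this example's own.

```python
"""Lint an smb.conf for the ACL and idmap settings discussed in the post.

Added example; not code from the post or from the Samba project.
"""
import re
from collections import defaultdict

# Constructed sample: the [global] and [myshare] sections copied from the post,
# including its repeated 'winbind use default domain' line.
SAMPLE_SMB_CONF = """
[global]
  netbios name = FILESERVER
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 10000-99999
  idmap config SAMDOM:unix_nss_info = yes
  winbind use default domain = yes
  winbind use default domain = yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

[myshare]
  path = /srv/samba/myshare
  comment = "My Data"
  writeable = yes
  acl_xattr:ignore system acls = yes
"""


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys.

    Samba keys may contain spaces and colons ('idmap config SAMDOM:range'),
    so split only on the first '=' and just normalise whitespace in the key.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((" ".join(key.split()), value.strip()))
    return dict(sections)


def lookup(conf, section, key):
    """Last value of 'key' in 'section', falling back to [global] (share-level
    parameters set in [global] act as defaults); None if unset anywhere."""
    for sec in (section, "global"):
        hits = [v for k, v in conf.get(sec, []) if k.lower() == key.lower()]
        if hits:
            return hits[-1]
    return None


def idmap_ranges(conf):
    """Map each idmap domain ('*', 'SAMDOM', ...) to its (low, high) range."""
    ranges = {}
    for key, value in conf.get("global", []):
        m = re.fullmatch(r"idmap config (.+?)\s*:\s*range", key, re.IGNORECASE)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges intersect; Samba requires the
    ranges of different idmap backends to be disjoint."""
    names = sorted(ranges)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                pairs.append((a, b))
    return pairs


TRUE_VALUES = {"yes", "true", "1"}


def lint(text):
    """Return a list of human-readable findings for the given smb.conf text."""
    conf = parse_smb_conf(text)
    findings = []

    # Repeated keys are legal but confusing: the last occurrence wins.
    counts = defaultdict(int)
    for key, _ in conf.get("global", []):
        counts[key.lower()] += 1
    for key, n in counts.items():
        if n > 1:
            findings.append(f"[global] '{key}' is set {n} times; the last value wins")

    for a, b in overlapping_ranges(idmap_ranges(conf)):
        findings.append(f"idmap ranges for '{a}' and '{b}' overlap")

    for share in conf:
        if share.lower() == "global":
            continue
        vfs = (lookup(conf, share, "vfs objects") or "").split()
        if "acl_xattr" not in vfs:
            findings.append(f"[{share}] vfs objects does not include acl_xattr")
        ignore = lookup(conf, share, "acl_xattr:ignore system acls") or ""
        if ignore.lower() in TRUE_VALUES:
            findings.append(
                f"[{share}] acl_xattr:ignore system acls = yes: NT ACLs are kept only "
                "in the security.NTACL xattr and are not mapped to POSIX ACLs, so "
                "getfacl will not change when permissions are edited from Windows")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SMB_CONF):
        print("-", finding)
```

Run as `python3 lint_smb_conf.py` to see the findings for the sample; point `lint()` at the contents of a real /etc/samba/smb.conf to check your own file. When the ignore-system-acls finding fires, the stored NT ACL can still be inspected on the server with `samba-tool ntacl get <path>` rather than getfacl. The script deliberately does not look for uidNumber/gidNumber collisions: POSIX keeps user and group IDs in separate namespaces, so the same number may be a uid and a gid.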

