[Samba] ACL set in Windows not set in Samba

Rowland Penny rpenny at samba.org
Sun May 13 16:12:25 UTC 2018


On Sun, 13 May 2018 17:39:39 +0200
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> Setup: Samba AD DC and Samba AD Member Server, Win10 clients only.
> Samba version 4.8.1
> 
> Has something changed recently in the way ACLs are supposed to work?

No

> My existing shares work just fine but any ACL changes I make using
> Windows are ignored in Samba.
> 
> For example, I'm creating a new folder in Windows inside an existing
> share and I add user User1 or group Group1 in the security tab. User1
> has a unique uidNumber, and Group1 has a unique gidNumber. Usually,
> this would propagate to Samba and I could verify the new ACLs using
> getfacl. But getfacl keeps showing me the same no matter what I do,
> i.e. root as owner and Domain Admins as default group. User1 or
> Group1 are not shown anywhere but in Windows though that doesn't seem
> enough, User1 is prevented from accessing the folder or its contents.

Any changes in Windows should be shown by getfacl, but the directory
ownership shouldn't change and the user making the alterations must
have the required privileges to make the changes.

>   username map = /etc/samba/samba_usermap

What is in the 'samba_usermap' ?
 
> [myshare]
>   path = /srv/samba/myshare
>   comment = "My Data"
>   guest ok = no
>   writeable = yes
>   create mask = 0666
>   directory mask = 0777
>   acl_xattr:ignore system acls = yes

As you are trying to use Windows ACLs, you should follow the info on
the page you linked and stop getting creative ;-)
Remove the 'guest ok' line, it is the default.
Remove the two 'mask' lines, the last line is actually telling Samba
to ignore them. 

> Slightly off topic: Is my assumption correct that gidNumbers and
> uidNumbers do not need to be distinct between each other, i.e. can a
> user have the same number as uidNumber that a group has as gidNumber?

Yes, whilst every user must have a unique uidNumber and every group
must have a unique gidNumber, there is nothing stopping a user and a
group having the same number.

Rowland
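
The share-definition advice in the reply above, turned into a small smb.conf check. This is an added example, not code from the thread or from the Samba project; the function names are hypothetical, the sample is the [myshare] section quoted in the thread, and only the parameter names that appear there are checked.

```python
# Constructed sample: the [myshare] section quoted in the thread.
SAMPLE = """\
[myshare]
  path = /srv/samba/myshare
  comment = "My Data"
  guest ok = no
  writeable = yes
  create mask = 0666
  directory mask = 0777
  acl_xattr:ignore system acls = yes
"""

TRUE = {"yes", "true", "on", "1"}      # boolean spellings smb.conf accepts
FALSE = {"no", "false", "off", "0"}
MASKS = ("createmask", "directorymask")


def parse_shares(text):
    """Return {section: {param: value}}; parameter names are lowercased and
    stripped of spaces, since smb.conf ignores both in names."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current["".join(name.lower().split())] = value.strip()
    return shares


def lint(text):
    """Flag the lines the reply says to remove from a Windows-ACL share."""
    findings = []
    for share, params in parse_shares(text).items():
        ignore = params.get("acl_xattr:ignoresystemacls", "no").lower() in TRUE
        for key in MASKS:
            if ignore and key in params:
                findings.append((share, key, "ignored: ignore system acls = yes"))
        if params.get("guestok", "").lower() in FALSE:
            findings.append((share, "guestok", "redundant: 'no' is the default"))
    return findings


if __name__ == "__main__":
    for share, key, why in lint(SAMPLE):
        print(f"[{share}] {key}: {why}")
```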


