[Samba] Windows ACL behaviour in standalone fileservers (LDAP vs TDB)

Matthias Leopold matthias.leopold at meduniwien.ac.at
Wed Jan 23 10:50:59 UTC 2019


Hi,

I'm building and managing standalone fileservers (security = user) with 
various passdb backends. I'm noticing different behaviour of Windows 
ACLs for servers with LDAP and TDB passdb backends.

In an LDAP-backed server (which I started with) I can freely add 
filesystem permissions (e.g. for groups) to objects (files/folders) via 
the Windows (7) permissions editor.

In a TDB-backed server I can only add a permission to a folder for a group 
if the containing folder has (any) permissions for that group. 
Additionally I have to enter my credentials again in the permissions 
editor, which isn't needed on the LDAP-backed server.

Configuration for both servers from a "result view" looks identical to me:
- "net groupmap list" is identical
- both use "security = user" and "acl_xattr"

I'm obviously not an expert on Windows ACLs. A workmate, a Windows admin, 
told me that the second behaviour is what he would expect, but I'm still 
confused.

Samba is 4.8.3 on CentOS 7.

thx
Matthias


