[Samba] Samba winbind on centos 7 - "domain users" acls added

Edouard Guigné eguigne at pasteur-cayenne.fr
Fri Jun 21 16:41:42 UTC 2019


Hello,

My 2nd issue is about ACLs which are added by "Domain users".
Could you help me solve it again?

Concerning this issue, on my samba share, I set permissions for the 
share "groups" located on /var/datashared for "domain admins" (rwx) and 
"domain users" (r-x):
/var]# getfacl datashared/
# file: datashared/
# owner: root
# group: root
user::rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:mask::rwx
default:other::---

# chmod 0770 /var/datashared/

As you can see, ACLs for "Domain users" are not in the default ACLs.

I create a TESTIT folder (in /var/datashared); its owner is user 
"MYDOMAIN\mydomainadmin".
"mydomainadmin" is part of the "domain admins" group.
# getfacl TESTIT/
# file: TESTIT/
# owner: MYDOMAIN\mydomainadmin
# group: MYDOMAIN\134admins\040du\040domaine
user::rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:mask::rwx
default:other::---

I connect as mydomainadmin on Windows 7, and start to change the ACLs:
I remove "everybody"
and
I add the group "informatique" with "total control" in the security tab of TESTIT.

On Linux, it shows:
# getfacl TESTIT/
# file: TESTIT/
# owner: MYDOMAIN\mydomainadmin
# group: MYDOMAIN\134admins\040du\040domaine
user::rwx
user:MYDOMAIN\mydomainadmin:rwx
group::rwx
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134informatique:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\mydomainadmin:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134informatique:rwx
default:mask::rwx
default:other::---

Now, I log on to Windows 7 as usertest (primary group is "Domain 
users" and is part of the group "informatique").
I create a folder TEST in TESTIT.
I get these ACLs on the TEST folder:
# getfacl TEST/
# file: TEST/
# owner: MYDOMAIN\usertest
# group: MYDOMAIN\134utilisateurs\040du\040domaine
user::rwx
user:MYDOMAIN\usertest:rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
group:MYDOMAIN\134informatique:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\usertest:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
default:group:MYDOMAIN\134informatique:rwx
default:mask::rwx
default:other::---

Why are "group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" and 
"default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" added?
I was expecting not to get these ACLs concerning "domain users" 
because the folder TESTIT has no default "Domain users" ACLs.
I don't want them...
Is there a way to change this behaviour?

Edouard
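
An added example, not part of the original post and not Samba code: the comparison made by eye in the message above, done over the getfacl text itself. It decodes the octal escapes, then lists the named entries on the child folder that the parent's default ACL does not contain, and marks those whose principal is the child's owner or owning group. The function names and the abridged sample strings are this example's own.

```python
import re

# Abridged from the listings in the post: named entries of TESTIT's default ACL, then TEST.
PARENT = r"""default:user:MYDOMAIN\mydomainadmin:rwx
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134informatique:rwx"""
CHILD = r"""# owner: MYDOMAIN\usertest
# group: MYDOMAIN\134utilisateurs\040du\040domaine
user::rwx
user:MYDOMAIN\usertest:rwx
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
group:MYDOMAIN\134informatique:rwx
default:user:MYDOMAIN\usertest:rwx
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
default:group:MYDOMAIN\134informatique:rwx"""

def unescape(name):
    # getfacl prints special characters as octal escapes: \134 is "\", \040 is a space
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (meta, access, default); the ACL dicts map (tag, name) -> perms."""
    meta, access, default = {}, {}, {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"#\s*(owner|group):\s*(.*)", line)
        if m:
            meta[m.group(1)] = unescape(m.group(2))
        if line.startswith("#"):
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, rest = line.split(":", 1)
        name, perms = rest.rsplit(":", 1)
        target[(tag, unescape(name))] = perms
    return meta, access, default

def not_inherited(parent_text, child_text):
    """Named child entries missing from the parent's default ACL, tagged owner/owning group."""
    parent_default = parse_getfacl(parent_text)[2]
    meta, access, default = parse_getfacl(child_text)
    role = {("user", meta.get("owner")): "owner", ("group", meta.get("group")): "owning group"}
    return [(scope, tag, name, perms, role.get((tag, name), ""))
            for scope, acl in (("access", access), ("default", default))
            for (tag, name), perms in acl.items()
            if name and (tag, name) not in parent_default]

print(*not_inherited(PARENT, CHILD), sep="\n")
```

On the listings above, the four entries it reports are the access and default entries for usertest and for "utilisateurs du domaine", which are the owner and owning group shown in the header of TEST.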

