[Samba] Samba winbind on centos 7 - "domain users" acls added

Rowland Penny rpenny at samba.org
Fri Jun 21 16:46:50 UTC 2019


On 21/06/2019 17:41, Edouard Guigné via samba wrote:
> hello,
>
> My 2nd issue is about acls which are added by "Domain users".
> May you help me to solve it again ?
>
> Concerning this issue, on my samba share, I set permissions for the 
> share "groups" located on /var/datashared for "domain admins" (rwx) 
> and "domain users" (r-x)
> /var]# getfacl datashared/
> # file: datashared/
> # owner: root
> # group: root
> user::rwx
> group::r-x
> group:MYDOMAIN\134admins\040du\040domaine:rwx
> group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:MYDOMAIN\134admins\040du\040domaine:rwx
> default:mask::rwx
> default:other::---
>
> /+ # chmod 0770 /var/datashared/
>
> As you can see acls for "Domain users" are not in default acls
>
> I create a TESTIT folder (on /var/datashared); the owner of the folder is 
> user "MYDOMAIN\mydomainadmin"
> "mydomainadmin" is part of the "domain admins" group.
> # getfacl TESTIT/
> # file: TESTIT/
> # owner: MYDOMAIN\mydomainadmin
> # group: MYDOMAIN\134admins\040du\040domaine
> user::rwx
> group::r-x
> group:MYDOMAIN\134admins\040du\040domaine:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:MYDOMAIN\134admins\040du\040domaine:rwx
> default:mask::rwx
> default:other::---
>
> I connect as mydomainadmin on Windows 7, and start to change acls :
> I remove "everybody"
> and
> I add group "informatique" with "total control" to security tab of TESTIT
>
> On linux, it shows :
> # getfacl TESTIT/
> # file: TESTIT/
> # owner: MYDOMAIN\mydomainadmin
> # group: MYDOMAIN\134admins\040du\040domaine
> user::rwx
> user:MYDOMAIN\mydomainadmin:rwx
> group::rwx
> group:MYDOMAIN\134admins\040du\040domaine:rwx
> group:MYDOMAIN\134informatique:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:MYDOMAIN\mydomainadmin:rwx
> default:group::r-x
> default:group:MYDOMAIN\134admins\040du\040domaine:rwx
> default:group:MYDOMAIN\134informatique:rwx
> default:mask::rwx
> default:other::---
>
> Now, I log on in Windows 7 as usertest (primary group is "Domain 
> users" and is part of the group "informatique").
> I create a folder TEST in TESTIT.
> I get these ACLs on the TEST folder:
> # getfacl TEST/
> # file: TEST/
> # owner: MYDOMAIN\usertest
> # group: MYDOMAIN\134utilisateurs\040du\040domaine
> user::rwx
> user:MYDOMAIN\usertest:rwx
> group::r-x
> group:MYDOMAIN\134admins\040du\040domaine:rwx
> group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
> group:MYDOMAIN\134informatique:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:MYDOMAIN\usertest:rwx
> default:group::r-x
> default:group:MYDOMAIN\134admins\040du\040domaine:rwx
> default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
> default:group:MYDOMAIN\134informatique:rwx
> default:mask::rwx
> default:other::---
>
> Why are "group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" and 
> "default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" 
> added?
> I was expecting not to get these ACLs concerning "domain users", 
> because the folder TESTIT has no default "Domain users" ACLs.
> I don't want them.
> Is there a way to change this behaviour?
>
> Edouard

Are you following this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
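
The comparison made in the quoted message (a new folder's access ACL against its parent's default ACL), as an added example that is not part of the original thread: it parses `getfacl` output, decodes the `\134`/`\040` octal escapes, and lists named entries on the child that the parent's default ACL does not contain, flagging those that name the child's own owner or owning group. The sample listings are constructed from the ones quoted above (owner written with `\134`), and the function names are this example's own.

```python
import re

# Constructed sample input, modelled on the getfacl listings quoted in the thread.
PARENT = r"""# file: TESTIT/
default:user::rwx
default:user:MYDOMAIN\134mydomainadmin:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134informatique:rwx
default:mask::rwx
default:other::---"""
CHILD = r"""# file: TEST/
# owner: MYDOMAIN\134usertest
# group: MYDOMAIN\134utilisateurs\040du\040domaine
user::rwx
user:MYDOMAIN\134usertest:rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
group:MYDOMAIN\134informatique:rwx
mask::rwx
other::---"""

def unescape(name):
    # getfacl prints special characters as \ooo octal (\134 = backslash, \040 = space)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "access": {}, "default": {}}
    for line in map(str.strip, text.splitlines()):
        header = re.match(r"# (owner|group): (.+)", line)
        if header:
            acl[header.group(1)] = unescape(header.group(2))
        elif line and not line.startswith("#"):
            scope, body = ("default", line[8:]) if line.startswith("default:") else ("access", line)
            tag, rest = body.split(":", 1)       # tag is user, group, mask or other
            who, perms = rest.rsplit(":", 1)     # who is empty for the base entries
            acl[scope][(tag, unescape(who))] = perms
    return acl

def not_inherited(parent_text, child_text):
    """Named child access entries absent from the parent's default ACL."""
    parent, child = parse_getfacl(parent_text), parse_getfacl(child_text)
    extra = []
    for (tag, who), perms in child["access"].items():
        if who and (tag, who) not in parent["default"]:
            is_owner = who == child["owner" if tag == "user" else "group"]
            extra.append((tag, who, perms, is_owner))
    return extra
```

On these listings, `not_inherited(PARENT, CHILD)` returns two entries, and both name the new folder's owner or owning group.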




