[Samba] Fwd: ACL problem

Anders Östling anders.ostling at gmail.com
Tue Apr 14 13:10:50 UTC 2020

My lab setup:
A Windows Server 2019, configured as PDC, called X
A Windows 10 Pro workstation, domain member, called Y
An Ubuntu 18 server with Samba 4.7, configured as a member server, called Z

All are KVM virtual machines on a single host. IP and DNS work fine
between all of them.

Sharing setup on Samba

Personal home shares in /User, configured in the AD profiles as home
directories \\Z\Users\%username%.
Group shares Finance (Ekonomi), Management (Ledning) and Public (Data) as
/share/ekonomi, /share/ledning and /share/data.

Sharing setup in AD
Groups Finance and Management
Users Bengt (member of Management and Finance), Anders (member of Finance)
and Lars (no app group membership)

What works:
Basic file and folder sharing between all combinations of X, Y and Z
Shares on Z can be browsed from X and Y
Domain membership between Z and X (wbinfo etc works fine)
User home shares mapped as U: work fine. Users can only access their own
/User shares.
Anders and Bengt can browse and access the two app group shares correctly.
Lars is denied access.

What does NOT work:

I am probably missing something important, but the complexity of mixing
"valid users", Unix permissions and ACL entries makes me dizzy.

However, Domain admins (administrator account) can NOT access any of the
group shares.

anders at hp-srv02:/$ getfacl share/Ekonomi

# file: share/Ekonomi
# owner: nobody
# group: nogroup

My smb.conf

# Global parameters
# Note: the bracketed section names were lost from the posted text; [global]
# follows the testparm layout and the share names are reconstructed from the
# share descriptions given earlier in the post (assumed, not verified).
[global]
        netbios name = HP-SRV02
        bind interfaces only = yes
        interfaces = lo ens3
        realm = DG.LOCAL
        server role = MEMBER SERVER
        security = ADS
        workgroup = DG
        username map = /etc/samba/user.map
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 10000-20000
        idmap config DG : backend = rid
        idmap config DG : range = 30000-40000
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        encrypt passwords = yes
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind expand groups = yes
        winbind use default domain = yes
        os level = 20
        domain master = no
        local master = no
        preferred master = no
        map to guest = bad user
        host msdfs = no
        client min protocol = SMB2
        client max protocol = SMB3
        client use spnego = yes
        client ntlmv2 auth = yes
        unix extensions = no
        reset on zero vc = yes
        hide unreadable = yes
        acl group control = yes
        acl map full control = yes
        map acl inherit = yes
        ea support = yes
        vfs objects = acl_xattr
        store dos attributes = yes
        dos filemode = yes
        dos filetimes = yes
        restrict anonymous = 2
        strict allocate = yes
        guest ok = no
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

# Share name assumed from the AD home directory path \\Z\Users\%username%
[Users]
        comment = "User home directories"
        path = /Users
        read only = no
        force create mode = 0600
        force directory mode = 0700
        valid users = @"Domain users"

# Share name assumed
[profiles]
        comment = "Roaming profiles"
        path = /share/profiles
        create mask = 0770
        browseable = yes
        writeable = yes
        valid users = @"Domain admins",@"Domain users"

# Share name assumed from "Public (Data)" in the post
[Data]
        comment = "User share"
        path = /share/data
        create mask = 0770
        browseable = yes
        writeable = yes
        guest ok = yes
        valid users = @"Domain users"

# Share name assumed from "Management (Ledning)" in the post
[Ledning]
        comment = "Ledningens dokument"
        path = /share/Ledning
        guest ok = no
        create mask = 0770
        browseable = yes
        writeable = yes
        valid users = @"Domain admins",@"Ledning"
        inherit acls = yes

# Share name assumed from "Finance (Ekonomi)" in the post
[Ekonomi]
        comment = "Ekonomi dokument"
        path = /share/Ekonomi
        create mask = 0770
        guest ok = no
        browseable = yes
        writeable = yes
        valid users = @"Ekonomi",@"Domain admins","Administrator"
        inherit acls = yes
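Samba evaluates access in two stages: the share-level gate (`valid users`, `guest ok`) decides whether a session may connect to the share at all, and only then do the UNIX permissions and POSIX/NT ACLs on the path decide what the connected user may actually read or write. The following script is an added example, not part of the original post or of Samba itself; it parses an smb.conf excerpt modelled on the one above (constructed inline) together with constructed group memberships for the users named in the post, and answers the first-stage question for each user and share. It also lists shares that end up guest-accessible, since `guest ok = yes` on a share overrides the global `guest ok = no`.

```python
"""Share-level access audit for an smb.conf (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed smb.conf excerpt, modelled on the share definitions in the post.
SMB_CONF = """
[global]
        workgroup = DG
        map to guest = bad user
        guest ok = no

[Data]
        comment = "User share"
        path = /share/data
        guest ok = yes
        valid users = @"Domain users"

[Ledning]
        comment = "Ledningens dokument"
        path = /share/Ledning
        guest ok = no
        valid users = @"Domain admins",@"Ledning"

[Ekonomi]
        comment = "Ekonomi dokument"
        path = /share/Ekonomi
        guest ok = no
        valid users = @"Ekonomi",@"Domain admins","Administrator"
"""

# Constructed group memberships, as described in the post (lower-cased for matching).
GROUPS = {
    "bengt": {"domain users", "ledning", "ekonomi"},
    "anders": {"domain users", "ekonomi"},
    "lars": {"domain users"},
    "administrator": {"domain users", "domain admins"},
}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; names are lower-cased."""
    sections = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")   # keys may contain spaces and colons
        sections[current][key.strip().lower()] = value.strip()
    return dict(sections)


def parse_valid_users(value):
    """Split a 'valid users' value into (kind, name) pairs.

    A leading @, + or & marks a group entry (Samba's netgroup/UNIX group
    prefixes); anything else is a user name. Quotes around names are removed.
    """
    entries = []
    for tok in re.findall(r'[@+&]?(?:"[^"]*"|[^,\s]+)', value):
        kind = "group" if tok[0] in "@+&" else "user"
        name = tok.lstrip("@+&").strip('"').lower()
        entries.append((kind, name))
    return entries


def share_allows(conf, share, user):
    """True if the share's 'valid users' admits the user (an unset list admits all)."""
    opts = conf[share.lower()]            # KeyError for an unknown share
    value = opts.get("valid users")
    if not value:
        return True
    groups = GROUPS.get(user.lower(), set())
    for kind, name in parse_valid_users(value):
        if kind == "user" and name == user.lower():
            return True
        if kind == "group" and name in groups:
            return True
    return False


def guest_shares(conf):
    """Shares that set 'guest ok = yes' themselves or inherit it from [global]."""
    default = conf.get("global", {}).get("guest ok", "no").lower()
    return sorted(
        s for s, o in conf.items()
        if s != "global" and o.get("guest ok", default).lower() == "yes"
    )


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for share in ("Data", "Ledning", "Ekonomi"):
        for user in GROUPS:
            print(f"{share:8} {user:14} share-level: {share_allows(conf, share, user)}")
    print("guest-accessible shares:", guest_shares(conf))
```

Run against the constructed excerpt, the script reports that Administrator passes the share-level gate on both group shares through `@"Domain admins"`, so a denial for that account has to come from the second stage, the UNIX owner/group/mode and ACL on the directory (the `getfacl` output above shows `nobody:nogroup` as owner and group). It also flags Data as guest-accessible, which, combined with `map to guest = bad user`, means an unknown user name connecting to that share is mapped to the guest account rather than rejected.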

