[Samba] Fwd: ACL problem

[Rowland penny]

On 14/04/2020 14:10, Anders Östling via samba wrote:
> Hi
> My lab setup:
> A windows server 2019, configured as PDC called X
> A windows 10 pro workstation, domain member called Y
> An Ubuntu 18 server w Samba 4.7, configured as a member server called Z
>
> All are KVM virtual machines on a single host. IP and DNS works fine
> between all.
>
> Sharing setup on Samba
>
> Personal home shares in /User, configured in the AD profiles as home
> directories \\Z\Users\%username%.
> Group shares Finance (Ekonomi), Management (Ledning) and Public (Data) as
> /share/ekonomi, /share/ledning and /share/data.
>
> Sharing setup in AD
> Groups Finance and Management
> Users Bengt (member of Management and Finance), Anders (member of Finance)
> and Lars (no app group membership)
>
> What works:
> Basic file and folder sharing between all combination of X, Y and Z
> Shares on Z can be browsed from X and Y
> Domain membership between Z and X (wbinfo etc works fine)
> User home shares mapped as U: works fine. Users can only access their own
> /User shares
> Anders and Bengt can browse and access the two app group shares correctly.
> Lars is denied access.
>
> What does NOT work:
>
> I am probably missing something important, but the complexity of mixing
> "valid users", Unix permissions and ACL entries makes me dizzy.
>
Do not use POSIX acls, use Windows acls instead, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Also add this line to your smb.conf:

username map = /etc/samba/user.map

And /etc/samba/user.map should contain this:

!root = DG\Administrator

Rowland