[Samba] Windows ACLs : problems

Stefan G. Weichinger lists at xunil.at
Mon Feb 24 08:52:58 UTC 2020


Status:

domain member server, Samba version 4.10.11-Debian

[global]
	dedicated keytab file = /etc/krb5.keytab
	domain master = No
	kerberos method = secrets and keytab
	load printers = No
	local master = No
	preferred master = No
	printcap name = /dev/null
	realm = customer.INTRA
	security = ADS
	template homedir = /mnt/MSA2040/smb/Homes/%D/%U
	unix charset = iso8859-15
	unix extensions = No
	username map = /etc/samba/samba_usermapping
	winbind cache time = 10
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = customer
	full_audit:priority = notice
	full_audit:facility = local5
	full_audit:success = mkdir rmdir read pread write pwrite rename unlink
	full_audit:failure = connect
	full_audit:prefix = %u|%I|%m|%S
	idmap config customer : backend = rid
	idmap config customer : range = 10000-20000
	idmap config * : range = 3000-7999
	idmap config * : backend = tdb
	acl allow execute always = Yes
	inherit acls = Yes
	map acl inherit = Yes
	vfs objects = acl_xattr full_audit
	wide links = Yes

-


multiple shares, one of them:


[QM]
	path = /mnt/MSA2040/smb/QM
	read only = No


Windows ACLs set on the shares, worked fine so far.

I followed
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

...


The share "QM" gives us issues when we edit ACLs via RSAT on a Windows DC.

access denied

Tried to remove ACLs on Linux with

setfacl -bnR  .

Folder is owned by

administrator:10513

etc etc

-

I don't know how to fix this and ask for help.

So far I was always able to reset that by chowning the folder, chmod 770
... and after that I could edit the ACLs via RSAT.

Thanks for pointers!


