[Samba] Samba4 with AD + Linux ACL's - permission problem

André Aun andre.aun at gmail.com
Wed Nov 11 02:40:22 UTC 2020 

Hi experts,

I have a Samba4/AD scenario which is driving me crazy.

On some servers, I have the same volume mounted on /share. I am using some
different servers as gateways to export this content using HTTP, NFS, FTP
and CIFS. AD authentication is a must.

On the Linux machine where Samba is running, I have joined it to the domain
using PBIS (domainjoin-cli join [DomainName [DomainAccount]). After this, I
was able to SSH to the server using my AD credentials.

Then, I joined Samba as domain member using "net ads join". And user
authentication on Samba using AD is working fine. The problem comes later...

Under /share, I hava a complex directory tree. On my Samba setup, what I
want is to configure just a single share, and every permission below this
share should be managed using Linux ACL's and AD groups. Reason: as I told
before, I'm exporting this share using other servers and I don't want my
customer having to manage smb.conf, httpd.conf, etc... every time he
creates a subdirectory.

Everything is working fine, until the point I assign a group permission to
a subdirectory. Example: user1 is a member of more than 20 AD groups,
including "srv-admin" (primary group is "domain users"). on Linux, I made:

mkdir /share/dir1
chown root:srv-admin /share/dir1
chmod 770 /share/dir1
ls -ld /share/dir1:
drwxrwx---. 4 root srv-admin 4096 Nov  9 15:36 /share/dir1

When the user logs in via SSH, he can enter the directory and create files,
as expected. When the user mounts the share via CIFS, he can't enter the
directory or create files. Looks like Samba (looking at the logs) is seeing
just it's primary group (domain users), not the supplementary groups.

Here is my smb.conf:

[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.ORG.BR
   security = ads
   idmap config MYDOMAIN:schema-mode rfc2307
   idmap config MYDOMAIN:range = 15777216-9999999999
   idmap config MYDOMAIN:backend = ad
   idmap config * : range = 1000-2000
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = no
   winbind offline logon = false
   netbios name = SAMBA1
   server string = SAMBA1
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
[ibira]
   comment = Samba share
   path = /share
   browseable = yes
   read only = no
   valid users = +"Domain Users"


Again, I don't want to use "force group", "write list" etc directives on
the Samba share. What I need to do is make Samba understand the Linux
ACL's, as if the user was logged in via ssh.

What am I doing wrong?

Thanks and regards,

André Aun

More information about the samba mailing list