[Samba] Samba4 with AD + Linux ACL's - permission problem
andre.aun at gmail.com
Wed Nov 11 02:40:22 UTC 2020
I have a Samba4/AD scenario which is driving me crazy.
On some servers, I have the same volume mounted on /share. I am using some
different servers as gateways to export this content using HTTP, NFS, FTP
and CIFS. AD authentication is a must.
On the Linux machine where Samba is running, I have joined it to the domain
using PBIS (domainjoin-cli join [DomainName [DomainAccount]). After this, I
was able to SSH to the server using my AD credentials.
Then, I joined Samba as domain member using "net ads join". And user
authentication on Samba using AD is working fine. The problem comes later...
Under /share, I hava a complex directory tree. On my Samba setup, what I
want is to configure just a single share, and every permission below this
share should be managed using Linux ACL's and AD groups. Reason: as I told
before, I'm exporting this share using other servers and I don't want my
customer having to manage smb.conf, httpd.conf, etc... every time he
creates a subdirectory.
Everything is working fine, until the point I assign a group permission to
a subdirectory. Example: user1 is a member of more than 20 AD groups,
including "srv-admin" (primary group is "domain users"). on Linux, I made:
chown root:srv-admin /share/dir1
chmod 770 /share/dir1
ls -ld /share/dir1:
drwxrwx---. 4 root srv-admin 4096 Nov 9 15:36 /share/dir1
When the user logs in via SSH, he can enter the directory and create files,
as expected. When the user mounts the share via CIFS, he can't enter the
directory or create files. Looks like Samba (looking at the logs) is seeing
just it's primary group (domain users), not the supplementary groups.
Here is my smb.conf:
workgroup = MYDOMAIN
realm = MYDOMAIN.ORG.BR
security = ads
idmap config MYDOMAIN:schema-mode rfc2307
idmap config MYDOMAIN:range = 15777216-9999999999
idmap config MYDOMAIN:backend = ad
idmap config * : range = 1000-2000
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = no
winbind offline logon = false
netbios name = SAMBA1
server string = SAMBA1
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
winbind enum users = Yes
winbind enum groups = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
comment = Samba share
path = /share
browseable = yes
read only = no
valid users = +"Domain Users"
Again, I don't want to use "force group", "write list" etc directives on
the Samba share. What I need to do is make Samba understand the Linux
ACL's, as if the user was logged in via ssh.
What am I doing wrong?
Thanks and regards,
More information about the samba