[Samba] Samba4 with AD + Linux ACL's - permission problem

Rowland penny rpenny at samba.org
Wed Nov 11 08:48:56 UTC 2020

On 11/11/2020 02:40, André Aun via samba wrote:
> Hi experts,
> I have a Samba4/AD scenario which is driving me crazy.
> On some servers, I have the same volume mounted on /share. I am using some
> different servers as gateways to export this content using HTTP, NFS, FTP
> and CIFS. AD authentication is a must.
> On the Linux machine where Samba is running, I have joined it to the domain
> using PBIS (domainjoin-cli join [DomainName [DomainAccount]). After this, I
> was able to SSH to the server using my AD credentials.
> Then, I joined Samba as domain member using "net ads join". And user
> authentication on Samba using AD is working fine. The problem comes later...
> Under /share, I have a complex directory tree. On my Samba setup, what I
> want is to configure just a single share, and every permission below this
> share should be managed using Linux ACLs and AD groups. Reason: as I told
> before, I'm exporting this share using other servers and I don't want my
> customer having to manage smb.conf, httpd.conf, etc... every time he
> creates a subdirectory.
> Everything is working fine, until the point I assign a group permission to
> a subdirectory. Example: user1 is a member of more than 20 AD groups,
> including "srv-admin" (primary group is "domain users"). On Linux, I ran:
> mkdir /share/dir1
> chown root:srv-admin /share/dir1
> chmod 770 /share/dir1
> ls -ld /share/dir1:
> drwxrwx---. 4 root srv-admin 4096 Nov  9 15:36 /share/dir1
> When the user logs in via SSH, he can enter the directory and create files,
> as expected. When the user mounts the share via CIFS, he can't enter the
> directory or create files. Looks like Samba (looking at the logs) is seeing
> just its primary group (domain users), not the supplementary groups.
> Here is my smb.conf:
> [global]
>     workgroup = MYDOMAIN
>     realm = MYDOMAIN.ORG.BR
>     security = ads
>     idmap config MYDOMAIN:schema-mode rfc2307
>     idmap config MYDOMAIN:range = 15777216-9999999999
>     idmap config MYDOMAIN:backend = ad
>     idmap config * : range = 1000-2000
>     template shell = /bin/bash
>     kerberos method = secrets only
>     winbind use default domain = no
>     winbind offline logon = false
>     netbios name = SAMBA1
>     server string = SAMBA1
>     log level = 3
>     log file = /var/log/samba/%m
>     max log size = 50
>     printcap name = cups
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
> [ibira]
>     comment = Samba share
>     path = /share
>     browseable = yes
>     read only = no
>     valid users = +"Domain Users"
> Again, I don't want to use "force group", "write list" etc. directives on
> the Samba share.
Good, because you cannot use 'force group' etc.
> What I need to do is make Samba understand the Linux
> ACLs, as if the user was logged in via ssh.
No, you want to, but logging in via SSH and Samba is different.
> What am I doing wrong?
Oh lots, one of which is that you only have one share and you are not only sharing it via Samba, you are also sharing it via NFS, and they use different ACLs.

Can I suggest you read this:

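As an added example (not from this thread, and not Samba's own tooling), a small Python checker for the idmap lines of an smb.conf like the one quoted above. It flags the three things a reviewer would look at first in that config: an idmap line without "=", a domain range whose upper bound does not fit a 32-bit uid_t/gid_t, and a "*" range that overlaps the ids of local accounts. The local id range (UID_MIN 1000) and the copy of the config are assumptions constructed for the example.

```python
import re

# Constructed copy of the idmap lines from the smb.conf quoted in the thread;
# a real run would use open("/etc/samba/smb.conf").read() instead.
SMB_CONF = """
[global]
    idmap config MYDOMAIN:schema-mode rfc2307
    idmap config MYDOMAIN:range = 15777216-9999999999
    idmap config MYDOMAIN:backend = ad
    idmap config * : range = 1000-2000
"""

UID_T_MAX = 2**32 - 1          # Linux uid_t/gid_t are 32-bit
LOCAL_ID_RANGE = (1000, 1999)  # assumption: local accounts start at UID_MIN=1000

# "idmap config <domain>:<option> <rest>"; <rest> must begin with "=".
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*([^\s=]+)\s*(.*)$")

def parse_idmap(conf):
    """Return ({domain: {option: value}}, [problems with malformed lines])."""
    idmap, problems = {}, []
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, rest = m.groups()
        if not rest.startswith("="):           # smb.conf needs "name = value"
            problems.append(f"{dom}: '{opt} {rest}' is missing '='")
            continue
        idmap.setdefault(dom, {})[opt] = rest[1:].strip()
    return idmap, problems

def check_idmap(conf):
    """List idmap mistakes that keep winbind from mapping AD users and groups."""
    idmap, problems = parse_idmap(conf)
    ranges = {}
    for dom, opts in idmap.items():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            if hi > UID_T_MAX:
                problems.append(f"{dom}: range upper bound {hi} exceeds 32-bit id space")
            ranges[dom] = (lo, hi)
    def overlap(a, b):
        return a[0] <= b[1] and b[0] <= a[1]
    for dom, r in ranges.items():
        if overlap(r, LOCAL_ID_RANGE):
            problems.append(f"{dom}: range {r} overlaps local account ids {LOCAL_ID_RANGE}")
    return problems
```

The checker only reads the config; whether a given AD group is actually visible to winbind on the Samba host is confirmed separately by comparing `id user1` there with the group that owns the directory.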