[Samba] Samba4 with AD + Linux ACL's - permission problem

André Aun andre.aun at gmail.com
Wed Nov 11 10:00:58 UTC 2020


Ronald, thanks for pointing me in the right direction. I will now drive 100
km to get to the customer's office, and the first thing I will do is read
this document.

I have been scratching my head for some days on this problem. If I consider
only my Samba share (forgetting about NFS, etc), why am I getting a
permission denied error with user1?

Regards,

André Aun

On Wed, Nov 11, 2020 at 05:50, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 11/11/2020 02:40, André Aun via samba wrote:
> > Hi experts,
> >
> > I have a Samba4/AD scenario which is driving me crazy.
> >
> > On some servers, I have the same volume mounted on /share. I am using some
> > different servers as gateways to export this content using HTTP, NFS, FTP
> > and CIFS. AD authentication is a must.
> >
> > On the Linux machine where Samba is running, I have joined it to the domain
> > using PBIS (domainjoin-cli join [DomainName [DomainAccount]). After this, I
> > was able to SSH to the server using my AD credentials.
> >
> > Then, I joined Samba as a domain member using "net ads join", and user
> > authentication on Samba using AD is working fine. The problem comes later...
> >
> > Under /share, I have a complex directory tree. On my Samba setup, what I
> > want is to configure just a single share, and every permission below this
> > share should be managed using Linux ACLs and AD groups. Reason: as I told
> > before, I'm exporting this share using other servers and I don't want my
> > customer having to manage smb.conf, httpd.conf, etc. every time he
> > creates a subdirectory.
> >
> > Everything is working fine, until the point I assign a group permission to
> > a subdirectory. Example: user1 is a member of more than 20 AD groups,
> > including "srv-admin" (primary group is "domain users"). On Linux, I did:
> >
> > mkdir /share/dir1
> > chown root:srv-admin /share/dir1
> > chmod 770 /share/dir1
> > ls -ld /share/dir1:
> > drwxrwx---. 4 root srv-admin 4096 Nov  9 15:36 /share/dir1
> >
> > When the user logs in via SSH, he can enter the directory and create files,
> > as expected. When the user mounts the share via CIFS, he can't enter the
> > directory or create files. Looks like Samba (looking at the logs) is seeing
> > just its primary group (domain users), not the supplementary groups.
> >
> > Here is my smb.conf:
> >
> > [global]
> >     workgroup = MYDOMAIN
> >     realm = MYDOMAIN.ORG.BR
> >     security = ads
> >     idmap config MYDOMAIN:schema-mode rfc2307
> >     idmap config MYDOMAIN:range = 15777216-9999999999
> >     idmap config MYDOMAIN:backend = ad
> >     idmap config * : range = 1000-2000
> >     template shell = /bin/bash
> >     kerberos method = secrets only
> >     winbind use default domain = no
> >     winbind offline logon = false
> >     netbios name = SAMBA1
> >     server string = SAMBA1
> >     log level = 3
> >     log file = /var/log/samba/%m
> >     max log size = 50
> >     printcap name = cups
> >     winbind enum users = Yes
> >     winbind enum groups = Yes
> >     vfs objects = acl_xattr
> >     map acl inherit = Yes
> >     store dos attributes = Yes
> > [ibira]
> >     comment = Samba share
> >     path = /share
> >     browseable = yes
> >     read only = no
> >     valid users = +"Domain Users"
> >
> >
> > Again, I don't want to use "force group", "write list" etc. directives on
> > the Samba share.
> Good, because you cannot use 'force group' etc.
> >   What I need to do is make Samba understand the Linux
> > ACLs, as if the user was logged in via SSH.
> No, you want to, but logging in via SSH and Samba is different.
> >
> > What am I doing wrong?
> >
> Oh, lots, one of which is that you only have one share and you are not
> only sharing it via Samba, you are also sharing it via NFS and they use
> different ACLs.
>
> Can I suggest you read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
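As an added check (not part of this thread, nor Samba's own code), the script below models the mismatch André describes: it parses the `ls -ld` line from his post and two constructed `id`-style lines, one for the group list an SSH session gets and one for a session token that carries only the primary group, evaluates the directory's mode bits against each, and lists the groups the second token lacks. The user and group ids in the sample lines are made up; on a real host the inputs come from `id user1` on the SSH side and `wbinfo --user-groups user1` on the Samba host (with `idmap config MYDOMAIN:backend = ad`, AD groups without a gidNumber attribute are left out of the winbind token).

```python
import re
from dataclasses import dataclass

# Constructed sample input. LS_LINE is the `ls -ld` output quoted in the post;
# the two `id`-format lines (made-up ids) stand for the SSH session's groups
# and for a Samba session token that carries only the primary group.
LS_LINE = "drwxrwx---. 4 root srv-admin 4096 Nov  9 15:36 /share/dir1"
SSH_ID = ("uid=15777300(user1) gid=15777400(domain users) "
          "groups=15777400(domain users),15777410(srv-admin),15777420(devs)")
CIFS_ID = "uid=15777300(user1) gid=15777400(domain users) groups=15777400(domain users)"

@dataclass
class Identity:
    user: str
    primary_group: str
    groups: set

def parse_id(line):
    """Parse one line of `id` output into user, primary group and all group names."""
    user = re.search(r"uid=\d+\(([^)]+)\)", line).group(1)
    gid = re.search(r"gid=\d+\(([^)]+)\)", line).group(1)
    groups = set(re.findall(r"\d+\(([^)]+)\)", line.split("groups=", 1)[1]))
    groups.add(gid)  # the primary group is always part of the token
    return Identity(user, gid, groups)

def parse_ls(line):
    """Parse an `ls -ld` line into (owner, group, (user, group, other) mode triplets)."""
    fields = line.split()
    mode = fields[0][1:10]  # drop the type char and any trailing ACL/SELinux marker
    return fields[2], fields[3], (mode[0:3], mode[3:6], mode[6:9])

def posix_access(identity, ls_line, want):
    """Classic mode-bit check: owner class, else group class, else other.
    `want` is a subset of 'rwx'. Root is deliberately not special-cased."""
    owner, group, (u, g, o) = parse_ls(ls_line)
    cls = u if identity.user == owner else g if group in identity.groups else o
    return all(bit in cls for bit in want)

def missing_groups(ssh_line, cifs_line):
    """Groups present in the SSH session but absent from the Samba token."""
    return parse_id(ssh_line).groups - parse_id(cifs_line).groups

def diagnose(ssh_line, cifs_line, ls_line):
    """Can each identity enter (x) and create files (w) in the directory?"""
    return {"ssh_ok": posix_access(parse_id(ssh_line), ls_line, "wx"),
            "cifs_ok": posix_access(parse_id(cifs_line), ls_line, "wx"),
            "missing": sorted(missing_groups(ssh_line, cifs_line))}

if __name__ == "__main__":
    print(diagnose(SSH_ID, CIFS_ID, LS_LINE))
```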

