[Samba] Are those file and folder ACLs to be expected?

Z Z nirayah at gmail.com
Tue Oct 13 08:23:41 UTC 2020


Hello.

I've got a working SAMBA AD server. I'm able to join both Linux (winbind)
and Windows clients. I have also joined an NAS that hosts some
shares/folders to be used by multiple machines (Linux and Windows 10). On
my Linux host I'm accessing the NAS via NFS mount, while on my Windows
machine obviously I'm using SMB.
I'm using the ad ID mapping backend with uId and gId that I'm managing
manually.
I have noticed something strange, though.
From my Linux computer I created a folder on the NAS:

mkdir TEST


The folder has its ownership as *username:users* and mask 775, which is
what I want:

drwxrwxr-x   2 myname users    6 Oct 13 10:51 TEST


Afterwards I log in to my Windows 10 computer, access the same folder and
create a subfolder inside of it.
Coming back to my Linux machine I browse and check the newly created folder:

drwxrwxr-x+ 2 myname users 10 Oct 13 10:59 winfolder


Seems like the Windows-created folder has extended attributes. Let's check
them with *getfacl winfolder*:

# file: winfolder
# owner: myname
# group: users
user::rwx
user:11001119:r-x
group::r-x
group:users:r-x
group:11001120:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:myname:rwx
default:group::r-x
default:group:users:r-x
default:mask::rwx
default:other::r-x


Here comes the confusion. Those IDs are the ones of my user (11001119)
and group (11001120). But I don't understand why on the second user line
I'm getting the uId, while on the *default:user:* line the uId is being
resolved to my username.
Also, why do the *group:users:* and *group::* lines define only r-x permissions,
while *group:11001120* is rwx? Is this an issue caused solely by creating
files/folders on Windows?

Next, what's the logic behind all the default lines? If there's any.

Could it be a misconfiguration on my side? Here's my AD server smb.conf:

[global]
        netbios name = DOM
        realm = SAM.DOM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        idmap config SAMDOM:unix_nss_info = yes
        store dos attributes = Yes
        allow dns updates = nonsecure
        inherit permissions    = yes
        inherit acls           = yes



And here's my Linux client smb.conf:

[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAM.DOM
        log file = /var/log/samba/%m.log
        log level = 1

        idmap config SAMDOM:backend = ad
        idmap config SAMDOM :schema_mode = rfc2307
        idmap config SAMDOM :range = 11000000-99999999
        idmap config SAMDOM :unix_nss_info = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        winbind use default domain = yes



Thanks
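As an added illustration (not part of the original post), the script below parses the getfacl listing quoted above (a constructed copy embedded inline), applies the POSIX ACL mask rules to show the effective permission of each entry, and flags qualifiers that are bare numbers, which is what getfacl prints when the name service cannot map an ID to a name. It assumes standard getfacl text output; no Samba or winbind lookup is performed.

```python
"""Parse getfacl output, apply the POSIX ACL mask, flag unresolved IDs."""

# Constructed copy of the listing shown in the post above.
GETFACL_OUTPUT = """\
# file: winfolder
# owner: myname
# group: users
user::rwx
user:11001119:r-x
group::r-x
group:users:r-x
group:11001120:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:myname:rwx
default:group::r-x
default:group:users:r-x
default:mask::rwx
default:other::r-x
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_to_bits(perm):
    return sum(PERM_BITS[c] for c in perm if c != "-")

def bits_to_perm(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """Return (access_entries, default_entries) as (tag, qualifier, perm) tuples."""
    access, default = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if parts[0] == "default":
            default.append(tuple(parts[1:4]))  # default:<tag>:<qual>:<perm>
        else:
            access.append(tuple(parts[0:3]))   # <tag>:<qual>:<perm>
    return access, default

def effective_permissions(entries):
    """Named users, the owning group and named groups are limited by mask::."""
    mask = next((perm_to_bits(p) for t, _, p in entries if t == "mask"), 7)
    result = {}
    for tag, qual, perm in entries:
        bits = perm_to_bits(perm)
        masked = tag == "group" or (tag == "user" and qual != "")
        result[f"{tag}:{qual}"] = bits_to_perm(bits & mask if masked else bits)
    return result

def unresolved_qualifiers(entries):
    """Qualifiers that are bare numbers: the ID was not mapped to a name."""
    return [f"{t}:{q}" for t, q, _ in entries if q.isdigit()]
```

Running `unresolved_qualifiers` over the access entries returns the two numeric IDs from the post, while the default entries resolve cleanly; `effective_permissions` shows that with `mask::rwx` no entry is narrowed.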

