[Samba] Acls

L.P.H. van Belle belle at bazuin.nl
Mon Sep 7 09:11:45 UTC 2020


Not that it's wrong what Rowland made you change (AD to RID backend).
But this "should" simply not be needed.

The only/mostly thing(s) people do wrong with AD backends is the order in how it all is set up.
Currently this is due to 2 things:
1) "in my opinion" a missing part in samba(-tool)
2) The missing part in samba(-tool)
Let's hope this will enter samba in 4.13 then.

If you use the AD backend the order is most important when you set up shares and set rights.

# This is a must to set first.
samba-tool group addunixattrs "Domain Users" 10001

# These are optional, but this is how I use it.
(WARNING !!! my setup is not exactly like the WIKI, both work !!)
samba-tool group addunixattrs "Domain Admins" 10000
samba-tool group addunixattrs "Domain Guests" 10002

username map = /etc/samba/user.map
In here you put: BUILTIN\Administrators

And you can happily use a GID for Domain Admins.
Windows defaults are: Domain Admins is a member of BUILTIN\Administrators.
Now this is out of scope with the Samba Wiki, but this is how I run my setup.
All my SePrivileges are set based on "BUILTIN\Administrators".
So, !root = BUILTIN\Administrators is what I use.

And then you add the UID to the users.
samba-tool user addunixattrs username UID

samba-tool user addunixattrs someusers 10001
samba-tool user addunixattrs Administrator 10000
Yes, again I use a UID on Administrator (against the Wiki setup recommendations),
because "DOM\Administrator is not BUILTIN\Administrator" and BUILTIN\Administrator is equal to root.

You pick your poison.. You can't mix the 2 setups.
Because if you mix it, root and DOM\Administrator will conflict.
Either you pick my setup, or you follow the Wiki setup.
Wiki setup: DON'T SET UP ANY UID/GID on DOM\Administrator or "Domain Admins".

So, the biggest problem here, only with the UIDs/GIDs, is:
you need to keep track of these numbers.. which is pretty lame,
because it can be easily done within the AD.

Only because of the above, and only because of that,
I use a Windows 7 PC for administering Samba.
Because ADUC does count the UIDs/GIDs for you.

Now, the key here is.. ! In this order !
1) add a GID on "Domain Users".
2) add GIDs on all groups you need on the file systems (that's the minimal requirement).
   Do this BEFORE you set rights or change shares.
3) add UIDs to all users, simply a must.
   It's advised to keep "Domain Users" as primary group.
	3a) Use security groups to allow/deny access, if you followed "Domain Users" is primary group.
	3b) Use the security groups you set as primary group.
	Both have their own advantages and flaws..

5) Now you can add the needed stuff, like:
set the profile path to "\\hostname.internal.example.com\profiles\%username%"
set the HomeFolder (Driveletter:) to "\\hostname.internal.example.com\users\%username%"

Use: getfacl
DON'T use: chmod/chown, it kills your ACLs.

For example, if you set a right and you have the AD backend on the member,
and you didn't add the GID to the group when you're using and setting ACLs:

Use getfacl and look at the output; the group you want is not shown.
Add the GID you want; it is not shown either.

Now add the GID BEFORE you set the rights, and..
the group GID/name you want IS shown.

This all has to do with when info is looked up and when ACLs on the filesystem are saved.

The above is also thanks to Bob Wooden being very patient to find some parts in my setup where people often fail.
I gave way more insight into when and why parts are going wrong.

I hope the above helps people.



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Saturday 5 September 2020 19:07
> To: Philip Offermans
> CC: sambalist
> Subject: Re: [Samba] Acls
> On 05/09/2020 17:21, Philip Offermans wrote:
> > The output is:
> > getent group 'domain admins'
> >
> OK, try using this smb.conf:
> [global]
>    workgroup = ROMPEN
>    security = ADS
>    realm = ROMPEN.LOCAL
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    winbind use default domain = yes
>    winbind expand groups = 2
>    winbind refresh tickets = Yes
>    dns proxy = no
>    idmap config *:backend = tdb
>    idmap config *:range = 3000-7999
>    idmap config ROMPEN:backend = rid
>    idmap config ROMPEN:range = 10000-40000
>    template shell = /bin/bash
>    template homedir = /home/%U
>    # user Administrator workaround, without it you are unable to set privileges
>    username map = /etc/samba/user.map
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>    acl allow execute always = yes
> [share]
>     path = /nas
>     read only = no
>     inherit acls = yes
> [users]
>     path = /usr/home
>     comment = users share
>     read only = no
>     inherit acls = yes
>     inherit permissions = yes
>     create mask = 700
>     directory mask = 700
>     valid users = @"ROMPEN\Domain Users"
>     admin users = @"ROMPEN\Domain Admins"
> Create /etc/samba/user.map (it doesn't seem to exist) containing this:
> !root = ROMPEN\Administrator
> Restart Samba
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
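Two checks for the pitfalls raised in this thread, written as an added example (not code from the Samba project or from either poster): the idmap ranges in Rowland's smb.conf must not overlap, and with the `ad` backend the uidNumber/gidNumber values handed out with `samba-tool ... addunixattrs` must fall inside the domain range (idmap_ad uses its range as a filter and ignores IDs outside it); and the getfacl symptom Louis describes, a group that was given its GID only after the ACL was stored, shows up as a bare numeric qualifier. The smb.conf fragments and the getfacl output below are constructed for the example; the rid fragment mirrors the quoted reply, the `EXAMPLE` domain and the `srv/share/projects` path are invented.

```python
"""Offline sanity checks, no Samba or AD needed (added example).
1. check_idmap: '*' range vs domain range overlap; with backend = ad, the
   IDs you assigned must sit inside the domain range or idmap_ad drops them.
2. unresolved_acl_entries: getfacl lines whose user/group qualifier is a
   bare number, i.e. an id winbind could not map back to a name.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragments: the rid one mirrors the quoted reply, the
# ad one has a deliberately overlapping default range so the check fires.
SMB_CONF_RID = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config ROMPEN:backend = rid
   idmap config ROMPEN:range = 10000-40000
"""
SMB_CONF_AD_BROKEN = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 3000-12000
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:range = 10000-40000
"""
# Constructed getfacl output: "group:10001" is what you see when the ACL was
# saved before the group had a gidNumber; the other entries resolved fine.
GETFACL_OUTPUT = """\
# file: srv/share/projects
# owner: root
# group: root
user::rwx
user:administrator:rwx
group::r-x
group:10001:rwx
group:domain admins:rwx
mask::rwx
other::---
default:group:10001:rwx
default:other::---
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, dict]:
    """Collect 'idmap config <name>:backend' / ':range' entries from smb.conf text."""
    cfg: Dict[str, dict] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        name, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(name, {})
        if key == "range":
            lo, hi = (int(x) for x in value.replace(" ", "").split("-"))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = value.lower()
    return cfg


def check_idmap(conf: str, domain: str, assigned_ids: List[int]) -> List[str]:
    """Return human-readable problems; an empty list means the config passed."""
    problems: List[str] = []
    cfg = parse_idmap(conf)
    default, dom = cfg.get("*", {}), cfg.get(domain, {})
    if "range" not in default:
        problems.append("no 'idmap config * : range' (default range) configured")
    if "range" not in dom:
        problems.append(f"no 'idmap config {domain} : range' configured")
        return problems
    dlo, dhi = dom["range"]
    if "range" in default:
        slo, shi = default["range"]
        if slo <= dhi and dlo <= shi:  # the two intervals intersect
            problems.append(f"default range {slo}-{shi} overlaps {domain} range {dlo}-{dhi}")
    if dom.get("backend") == "ad":  # only idmap_ad reads the IDs stored in AD
        for i in assigned_ids:
            if not dlo <= i <= dhi:
                problems.append(f"id {i} lies outside {domain} range {dlo}-{dhi}; idmap_ad will ignore it")
    return problems


def unresolved_acl_entries(getfacl_text: str) -> List[Tuple[str, str]]:
    """Sorted unique (tag, id) pairs for user/group entries whose qualifier is numeric."""
    hits = set()
    for line in getfacl_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == "default":  # default ACL entries carry a "default:" prefix
            fields = fields[1:]
        if len(fields) != 3:
            continue
        tag, qualifier, _perms = fields
        if tag in ("user", "group") and qualifier.isdigit():
            hits.add((tag, qualifier))
    return sorted(hits)


if __name__ == "__main__":
    print("rid config:", check_idmap(SMB_CONF_RID, "ROMPEN", [10000, 10001]) or "ok")
    print("ad config:", check_idmap(SMB_CONF_AD_BROKEN, "EXAMPLE", [10000, 10001, 50000]))
    print("unmapped ACL principals:", unresolved_acl_entries(GETFACL_OUTPUT))
```

Run it against real data with `getfacl -R /srv/share | python3 -c '...'` style piping, or paste your own smb.conf into the string; any `(group, '10001')`-style hit is a directory whose ACL should be re-applied now that the group has its gidNumber.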
