[Samba] Permission acl problem.

Jan JMPBL jmpblto at gmail.com
Tue Jul 6 08:50:02 UTC 2021


Hi again.
Samba AD works fine, including updating DNS entries.

Now I have created a virtual machine to create a Samba based file server.
Debian 10 + repositories (Louis van Belle)

Samba as a member has been added to the domain without any problems. All
services are working fine (krb5, winbind).

All domain users are available on Debian
root@lab:~# getent passwd mac.tro
mac.tro:*:11148:10513:Mac Tro:/home/TEST/mac.tro:/bin/false

root@lab:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "TEST\administrator"
Enter GT\administrator's password:
SeDiskOperatorPrivilege:
  BUILTIN\Administrators
  TEST\Domain Admins
  TEST\Unix Admins

The problem is that any user from each of these groups can change or remove the
permissions of any other user or group in the Security tab (the administrator
included).

Where to find the problem?

smb.conf

# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
#
log level = 1

# netbios name = By default this is "hostname -s" but in caps.
realm = TEST.LAN
workgroup = TEST
security = ADS

# set master browser for the network.
# preferred + domain master = yes = guarantee master browser (man smb.conf)
# ! There can only be ONE master browser.
preferred master = no
domain master = no

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

## map ids outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 100000-299999

## map ids from the domain; the ranges may not overlap!
idmap config TEST : backend = rid
idmap config TEST : range = 10000-999999
idmap config TEST : unix_nss_info = yes

# Renew the kerberos tickets
winbind refresh tickets = yes

# Enable offline logins
winbind offline logon = yes

# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307

# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes
#winbind trusted domains only = no

# Keep no in production, set yes when debugging, this slows down your samba.
winbind enum users  = no
winbind enum groups = no

# Check depth of nested groups, ! slows down your samba if there are too many nested groups.
# Samba default is 0, I suggest a minimum of 2 in this setup, advised is 4.
winbind expand groups = 4

# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber
# attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local UID 0
# of the root user and thus the mapping fails.
username map = /etc/samba/samba_usermapping

# disable usershares creating, when set empty no error log messages.
usershare path =

# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# For Windows ACL support on member file server, enabled globally, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
#store dos attributes = yes

# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

#client use spnego = yes
#client ntlmv2 auth = yes

######## SHARE DEFINITIONS ################

[test]
    browseable = yes
    path = /data/0_sk
    read only = no
    acl_xattr:ignore system acl = yes

Thanks
Janek
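As an added example (not from the post or from the Samba project), here is a small linter for the two parts of the configuration above that decide who ends up owning and editing permissions on the share: the idmap ranges and the acl_xattr settings. The parser is a minimal stand-in for Samba's own config loader, written for this example, and it only understands `[section]` headers, `key = value` lines and `#`/`;` comments. Run on the posted smb.conf (embedded below as constructed input, comments trimmed) it flags the `*` and `TEST` idmap ranges, because 10000-999999 contains 100000-299999 and the config's own comment says the ranges may not overlap, and it reports that `[test]` ignores the POSIX ACL so only the NT ACL stored in the `security.NTACL` xattr decides access.

```python
"""Lint a Samba member-server smb.conf for idmap range overlap and acl_xattr settings.
Example code, not Samba's own; the parser is a minimal stand-in for Samba's loader."""
import re
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed input: the smb.conf from the post with comments removed.
SAMPLE_SMB_CONF = """
[global]
realm = TEST.LAN
workgroup = TEST
security = ADS
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-999999
idmap config TEST : unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes

[test]
    browseable = yes
    path = /data/0_sk
    read only = no
    acl_xattr:ignore system acl = yes
"""

Section = Dict[str, str]


def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Return {section: {parameter: value}}. Samba matches parameter names
    case-insensitively and ignores whitespace inside them, so names are
    lower-cased with internal whitespace collapsed; section (share) names are
    lower-cased as well. Lines before any [section] belong to [global]."""
    sections: Dict[str, Section] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not a parameter line; Samba itself would warn here
        name = " ".join(name.lower().split())
        sections[current][name] = value.strip()
    return sections


def samba_bool(value: str) -> bool:
    """Samba accepts yes/true/1/on for a true boolean (anything else is false)."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def idmap_ranges(global_section: Section) -> Dict[str, Tuple[int, int]]:
    """Collect 'idmap config <DOMAIN> : range = LOW-HIGH' as {domain: (low, high)}."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for name, value in global_section.items():
        m = re.fullmatch(r"idmap config (.+?)\s*:\s*range", name)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ID ranges intersect. Samba requires the
    ranges to be disjoint, otherwise two backends can hand out the same UID/GID."""
    bad: List[Tuple[str, str]] = []
    for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in combinations(sorted(ranges.items()), 2):
        if a_lo <= b_hi and b_lo <= a_hi:
            bad.append((a, b))
    return bad


def share_acl_findings(conf: Dict[str, Section]) -> List[str]:
    """Per share, resolve the effective acl_xattr parameters (share value,
    falling back to [global]) and report how Windows ACLs are being stored."""
    g = conf["global"]
    findings: List[str] = []
    for share, params in conf.items():
        if share == "global":
            continue
        eff = lambda p, params=params: params.get(p, g.get(p, ""))  # noqa: E731
        if "acl_xattr" not in eff("vfs objects").split():
            findings.append(f"{share}: acl_xattr not loaded, Windows ACLs are not stored")
            continue
        if samba_bool(eff("acl_xattr:ignore system acl")):
            findings.append(f"{share}: POSIX ACL ignored, the NT ACL in the "
                            "security.NTACL xattr is authoritative")
        if not samba_bool(eff("map acl inherit")):
            findings.append(f"{share}: map acl inherit is off, inheritance flags are not stored")
    return findings


def lint(text: str) -> List[str]:
    """All findings for one smb.conf, idmap overlaps first, then per-share ACL notes."""
    conf = parse_smb_conf(text)
    overlaps = overlapping_ranges(idmap_ranges(conf["global"]))
    findings = [f"idmap ranges for '{a}' and '{b}' overlap" for a, b in overlaps]
    return findings + share_acl_findings(conf)


if __name__ == "__main__":
    for finding in lint(SAMPLE_SMB_CONF):
        print(finding)
```

The share finding is the one to keep in mind when reading the Security tab: with `acl_xattr:ignore system acl = yes`, `getfacl` on `/data/0_sk` says nothing about who may change permissions, so the stored NT ACL (owner and any entries granting WRITE_DAC) is what to inspect, for example with `samba-tool ntacl get`.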

