[Samba] Guides to AD integration using Win ACL and nested groups

Deas, Jim James.Deas at warnerbros.com
Mon Jun 28 14:23:34 UTC 2021

I am having issues understanding the options required to make Samba use native Windows ACLs. If I remove WinACL 'everybody' from a share's folder, it becomes unavailable even though AD group membership should allow it.

Currently I can use wbinfo to obtain all users and groups from Win AD, which I believe confirms winbind is working correctly (using the ad backend; should I be using rid?).
Currently, running 'net rpc group list', I only see Guest, Administrators and Users. (Do I need to create local AD groups?)
The share is stored on an ext4fs with xattr, and I see the security information being written to the folder and file xattrs when it is changed from Windows' AD manager.

I'm sure I am crossing the streams here a bit. Is there a good guide showing the use of Windows ACLs exclusively, outside of sssd (including nested groups, so I believe sssd is out)?
I have downloaded 'Setting up a Share Using Windows ACLs' from the SambaWiki, but I must be misinterpreting the contents.

Here is the config:

[global]
        workgroup = MYGROUP
        security = ADS
        realm = MYREALM.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        server signing = no
        strict sync = no
        min protocol = SMB2
        ea support = yes

        log level = 1 auth:5 winbind:5
        log file = /var/log/samba.log
        # ids outside the domain come from the local tdb; domain ids from AD
        idmap config * : backend = tdb
        idmap config * : range = 500 - 9999
        idmap config MYGROUP: backend = ad
        idmap config MYGROUP: range = 10000 - 999999
        username map = /etc/samba/user.map

        # store the NT ACL in the security.NTACL xattr of each file/folder
        vfs objects = acl_xattr
        map acl inherit = yes

        fruit:aapl = yes

        winbind use default domain = yes
        winbind refresh tickets = yes
        winbind enum users = yes
        winbind enum groups = yes

# share section; the section name was not included in the post, [Test] is a placeholder
[Test]
        comment = test raid
        path = /raid/Media/Test
        writeable = yes
        fruit:resource = stream
        fruit:metadata = stream
        fruit:zero_file_id = yes
        # was "vfs fruit streams_xattr acl_xattr", which lacks "objects =" and is
        # ignored by Samba; note that a per-share list replaces the global one
        vfs objects = fruit streams_xattr acl_xattr
        acl_xattr:ignore system acl = yes
        veto files = /lost+found
        hide files = /lost+found


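Added example, not code from the post or from the Samba project: a small Python checker that parses an smb.conf fragment the way Samba canonicalises parameter names and reports the settings that commonly stop NT ACLs from taking effect, run over a constructed sample that reproduces the share's mistyped vfs line. It goes a little beyond the post by also checking that the idmap ranges do not overlap; the section names, the check rules and the sample values are assumptions.

```python
import re
from itertools import combinations
# Constructed sample: the ACL-relevant lines of the smb.conf from the post,
# including the share's mistyped "vfs fruit ..." line (section names assumed).
SAMPLE = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 500 - 9999
        idmap config MYGROUP: backend = ad
        idmap config MYGROUP: range = 10000 - 999999
        vfs objects = acl_xattr
[test]
        path = /raid/Media/Test
        vfs fruit streams_xattr acl_xattr
        acl_xattr:ignore system acl = yes
"""
def parse_smb_conf(text):
    """Return ({section: {key: value}}, [malformed lines]). Keys are lower-cased with
    spaces removed, as Samba does; lines without '=' are collected, not applied."""
    sections, bad, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", "", key.lower())] = value.strip()
        else:
            bad.append(line)
    return sections, bad

def lint_acl_config(text):
    """Findings that explain why NT ACLs may silently not take effect."""
    sections, bad = parse_smb_conf(text)
    findings = [f"malformed line ignored by Samba: {b!r}" for b in bad]
    g = sections.get("global", {})
    for name, share in ((n, s) for n, s in sections.items() if n != "global"):
        vfs = share.get("vfsobjects", g.get("vfsobjects", "")).split()  # share list overrides global
        if "acl_xattr" not in vfs:
            findings.append(f"[{name}]: acl_xattr not loaded, NT ACLs not stored")
    ranges = {}  # the '*' and domain idmap ranges must not overlap
    for key, val in g.items():
        if m := re.fullmatch(r"idmapconfig(.+):range", key):
            ranges[m.group(1)] = tuple(int(x) for x in val.split("-"))
    for a, b in combinations(ranges, 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"idmap ranges for {a!r} and {b!r} overlap")
    return findings
```

On the sample as posted the only finding is the malformed line; once it reads `vfs objects = fruit streams_xattr acl_xattr` the checker is silent.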