[Samba] windows acls

Peter Carlson peter at howudodat.com
Tue Dec 13 19:00:08 UTC 2022


On 12/13/22 10:45, Rowland Penny via samba wrote:
> Is 'S-1-5-21-185628584-2620904409-2800336372' the domain SID ?
> Who or what is the RID 1105 ?

Not sure; how can I determine that?


>
>>
>> 2) If inheritance is disabled, why do the folders in the share show 
>> inherited from P:\ ?
>>
>> 3) I am a member of Domain Users and Domain Admins.  I can see files 
>> in P:\ but I can't overwrite them or delete them.  It seems to be 
>> using the permissions of Domain Admins R+X and not Domain Users Full 
>> Control.  yes I know the permissions seem backwards, which is another 
>> issue, however shouldn't it allow me write access since I am also a 
>> member of Domain Users ?
>>
>> Thanks! Peter
>>
>
> Can you post the output of the following commands run on the machine 
> that holds the share:
>
> ls -lad /path/to/share/directory

Here is the share root as well as one subdirectory:


root at filesvr:~# ls -lad /data/FacilityPictures/
drwxrwxrwt+ 5 root root 4096 Dec  1 15:22 /data/FacilityPictures/

root at filesvr:~# ls -lad /data/FacilityPictures/*
drwxrwxr-x+ 2316 SDCP\peter   SDCP\domain admins   110592 Nov  4 11:19  
/data/FacilityPictures/Completed
drwxrwxr-x+    6 SDCP\ijenson SDCP\domain users      4096 Dec 13 10:42 
'/data/FacilityPictures/Encode Videos'
drwxrwxr-x+    4 SDCP\peter   SDCP\domain admins     4096 Sep 30 10:46 
'/data/FacilityPictures/Stock Images'
-rwxrwxr-x+    1 SDCP\peter   SDCP\domain admins 31156113 Aug 15 13:29  
/data/FacilityPictures/test_video.mp4

>
> getfacl /path/to/share/directory
root at filesvr:~# getfacl /data/FacilityPictures/
getfacl: Removing leading '/' from absolute path names
# file: data/FacilityPictures/
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
user:SDCP\\domain\040users:rwx
group::rwx
group:root:rwx
group:SDCP\\domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:SDCP\\domain\040users:rwx
default:group::r-x
default:group:root:r-x
default:group:SDCP\\domain\040users:rwx
default:mask::rwx
default:other::r-x

root at filesvr:~# getfacl /data/FacilityPictures/Completed
getfacl: Removing leading '/' from absolute path names
# file: data/FacilityPictures/Completed
# owner: SDCP\\peter
# group: SDCP\\domain\040admins
user::rwx
user:SDCP\\domain\040admins:r-x
user:SDCP\\domain\040users:rwx
group::r-x
group:SDCP\\domain\040admins:r-x
group:SDCP\\domain\040users:rwx
group:2001105:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:SDCP\\domain\040users:rwx
default:user:SDCP\\peter:rwx
default:group::r-x
default:group:SDCP\\domain\040admins:r-x
default:group:SDCP\\domain\040users:rwx
default:mask::rwx
default:other::r-x

>
> samba-tool ntacl get /path/to/share/directory --as-sddl
root at filesvr:~# samba-tool ntacl get  /data/FacilityPictures/ --as-sddl
O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;DU)

root at filesvr:~# samba-tool ntacl get /data/FacilityPictures/Completed 
--as-sddl
O:S-1-5-21-185628584-2620904409-2800336372-1105G:DAD:AI(A;ID;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-1105)(A;OICIIOID;0x001f01ff;;;CO)(A;ID;0x001200a9;;;DA)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001200a9;;;WD)(A;OICIID;0x001f01ff;;;DU)


>
> Can you also post the smb.conf from the same machine.

Sanitized (and yes, I know I shouldn't use .local; I don't have the 
permission yet to change that historical mess)

root at filesvr:~# cat /etc/samba/smb.conf
[global]
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d

server role = member server
template homedir = /home/%U@%D
template shell = /bin/bash

usershare allow guests = yes
kerberos method = secrets and keytab

security = ads
idmap config SDCP : range = 2000000-2999999
idmap config SDCP : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind refresh tickets = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = yes
realm = SA***NT.LOCAL
workgroup = SDCP
winbind use default domain = no
winbind enum groups = no
winbind enum users = no

#======================= Share Definitions =======================
[FacilityPictures]
     path = /data/FacilityPictures
     comment = Facility Pictures
     writable = yes

>
> Rowland
>

