[Samba] old ACL on member server

Rowland Penny rpenny at samba.org
Fri Sep 30 20:33:30 UTC 2022

On 30/09/2022 21:12, Nicolas Canonne via samba wrote:
> Hi all,
> 2 Ubuntu 20.04 servers: 1 DC, 1 FileServer
> DC has been set up with a fresh install
> FS was previously set up as (unrecommended) FileServer on DC (it was the 
> only server)
> FS uses EXT4
> (sorry I don't have smb.conf and links at hand right now)

Might help to see them.

> Old Samba files have been removed prior to re-installing Samba on FS (samba 
> wiki)
> FS joined domain OK, GPO and such are well applied, troubles occur 
> with ACLs on FS
> Domain users/groups are well listed using getent passwd / group on FS
> It seems that old ACLs (with GUID in the 300 000 range used in previous 
> samba config) are still showing using getfacl

How did you copy the files to the new Unix domain member ?

The ID numbers in the 3000000 range are only used on a DC and are 
actually 'xidNumber' attributes stored in idmap.ldb on a DC. Unix domain 
members will use a winbind idmap backend. The 'ad' backend uses 
'uidNumber' & 'gidNumber' attributes stored in AD; you must add these, 
they are not created automatically. The 'autorid' & 'rid' backends 
calculate the user and group IDs from the user or group RID.

> 1) Is there a 'magic' way to remove these old ACLs on the file system and 
> restore default ones?

It isn't the ACLs that are incorrect, it is the ownership and there 
aren't really any defaults.

> It looks like I should stop the shares on FS, create new folders and 
> configure them with correct ACLs, transfer old files to the new shares.

I take it that the files etc. are still on the DC; you can probably use 
rsync to copy the files across, provided that the Unix domain member is 
set up correctly.
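
Added example, not part of the original message and not Samba project code: a shell helper that reads `getfacl -n -R` output and lists every owner, owning group and named ACL entry whose numeric ID falls in the DC-only range discussed above, so leftover DC-mapped IDs on the member server can be inventoried before ownership is fixed. The function names are hypothetical, the upper bound of 4000000 is an assumption, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example. Reads `getfacl -n -R <dir>` output on stdin and prints
# "path<TAB>entry" for every owner or ACL entry whose numeric ID is in a range.
# Defaults: 3000000 (range named in the thread) to 4000000 (assumed upper bound).
stale_xid_entries() {
    awk -v lo="${1:-3000000}" -v hi="${2:-4000000}" '
        function in_range(id) { return (id ~ /^[0-9]+$/) && (id + 0 >= lo) && (id + 0 <= hi) }
        /^# file: /  { path = substr($0, 9); next }
        /^# owner: / { if (in_range($3)) print path "\towner:" $3; next }
        /^# group: / { if (in_range($3)) print path "\towning-group:" $3; next }
        /^(default:)?(user|group):/ {
            # Named entries look like user:ID:perms or default:group:ID:perms;
            # the ID is the second-to-last colon-separated field.
            n = split($1, f, ":")
            if (in_range(f[n - 1])) print path "\t" $1
        }
    '
}

# Constructed sample of `getfacl -n -R` output (paths and IDs are made up).
sample_getfacl_n() {
    cat <<'EOF'
# file: srv/share/projects
# owner: 3000021
# group: 10513
user::rwx
user:3000021:rwx
group::r-x
group:10513:rwx
mask::rwx
other::---
default:group:3000008:r-x

# file: srv/share/new.txt
# owner: 11105
# group: 10513
user::rw-
group::r--
other::---
EOF
}

# Demo run on the constructed sample; on a real member server, pipe in
# the output of `getfacl -n -R` for the share directory instead.
sample_getfacl_n | stale_xid_entries
```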

