[Samba] SaMBa 4.16.4 adds users to ACLs as groups

Rowland Penny rpenny at samba.org
Thu Jun 15 06:23:51 UTC 2023

On 14/06/2023 17:48, Tamás Németh via samba wrote:
> Dear Ralph and Rowland,
> OK, I've made some experiments to figure out if it's really a difference
> between SaMBa 4.6.5 and 4.16.4, but it's not. It's the difference between
> idmap backends idmap_tdb and idmap_rid! As I mentioned earlier, using
> different vfs_acl_* modules leads to different POSIX ACLs (
> https://lists.samba.org/archive/samba/2023-June/245479.html ). Is it REALLY
> intentional?
> However, now I realized that using different idmap backends also leads to
> different NSS user/group resolutions which is probably even more weird.
> First I tried idmap_rid with SaMBa 4.16.4 and I observed
> that libnss_winbind is willing to resolve any user/group name to UID/GID
> and vice versa entirely disregarding the type (user or group) of the entity:

Hi Tamas,

Getting different IDs from different idmap backends is to be expected, 
because they all work differently.

The 'tdb' backend is an allocating backend.

The 'ad' backend requires the admin to supply uidNumber & gidNumber.

The 'rid' backend calculates the IDs from the Windows RID.

The 'autorid' backend works similarly to the 'rid' backend, but is meant 
for multiple domains and you will get different IDs compared with the 
'rid' backend.

There are other idmap backends, but they all work differently.

I cannot recommend using the 'tdb' backend for the main AD domain, I am 
not saying that it will not work, but there will be one big problem. As 
I said, 'tdb' is an allocating backend, this means that as a user or 
group connects to Samba, it is given an ID, which it retains, so far so 
good. However, if you create a new Samba server using exactly the same 
global smb.conf, you will not get the same IDs for the users & groups. 
There is a prime example of this on Samba AD DCs, where idmap.ldb 
(another allocating backend, only used on DCs) has to be synced between 
DCs to keep the same IDs.

What does this mean in practice? Well, in my opinion, it means that you 
cannot reliably back up your data; you can back it up, but you cannot 
rely on what you back up belonging to the correct people if you restore it.

As Ralph pointed out, groups becoming users is all a feature of Windows, 
where groups can and do own files and folders. Samba in AD mode is 
trying its hardest to emulate Windows AD, so I do not expect Samba to 
break this feature. That isn't to say that Samba might not 'bend' the 
feature for Unix computers, say by providing parameters in smb.conf that 
turn off certain things on Samba machines, but this will require code, 
which means time and that, usually, means money.

If you feel that you have the coding experience and could write the 
required code, then patches will always be welcome.
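The difference between an allocating backend and a calculating one, as described above, modelled in a small added example (not Samba code; the domain SID, RIDs and the `range` value are constructed). `idmap_rid` follows the documented formula ID = RID - BASE_RID + LOW_RANGE_ID, while the `IdmapTdb` class stands in for any first-come-first-served allocator and shows why two servers with an identical smb.conf end up with different IDs.

```python
from typing import Dict, List, Optional, Tuple

# Constructed config: "idmap config DOM : range = 10000-999999", default base_rid = 0.
RID_LOW, RID_HIGH = 10000, 999999
BASE_RID = 0


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])


def idmap_rid(sid: str) -> Optional[int]:
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID.
    A result outside the configured range is refused (None), because
    winbind will not hand out an ID it cannot attribute to the domain."""
    unix_id = rid_of(sid) - BASE_RID + RID_LOW
    return unix_id if RID_LOW <= unix_id <= RID_HIGH else None


class IdmapTdb:
    """Stand-in for an allocating backend: the next free ID goes to
    whichever SID is looked up first, so the mapping depends on the
    order in which users and groups connect (the idmap.ldb problem)."""

    def __init__(self) -> None:
        self.next_id = RID_LOW
        self.table: Dict[str, int] = {}

    def lookup(self, sid: str) -> int:
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def compare_servers(sids: List[str]) -> Dict[str, Tuple[int, int, Optional[int]]]:
    """Two servers with the same smb.conf but a different arrival order.
    Returns {sid: (tdb id on server A, tdb id on server B, rid id)} so the
    backup/restore mismatch is visible next to the stable rid mapping."""
    server_a, server_b = IdmapTdb(), IdmapTdb()
    for sid in sids:
        server_a.lookup(sid)
    for sid in reversed(sids):
        server_b.lookup(sid)
    return {sid: (server_a.lookup(sid), server_b.lookup(sid), idmap_rid(sid))
            for sid in sids}
```

Only the third column agrees across servers; a restore of ACLs or file ownership carried by the first two columns lands on the wrong principals.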
