[Samba] Issue with extended ACL's in 4.10.16

Rowland Penny rpenny at samba.org
Mon Sep 11 15:46:00 UTC 2023

On Mon, 11 Sep 2023 15:14:49 +0000
"Odell, Jack via samba" <samba at lists.samba.org> wrote:

> Hi,
> I'm having an issue with extended ACL permissions while upgrading
> from 4.6.2 to 4.10.16.
> When upgraded, the file permissions will only allow a user's primary
> GID to access the directory/file.
> For example:
> tuser is a member of secall and secoptions.
> secall is tuser's primary GID.
> A dir has an ACL set for secoptions:rwx
> tuser is unable to access the dir from a Windows host
> Adding secall:rwx to the dir allows tuser to access the dir without
> issue.
> Trawled this document for a Boolean parameter this afternoon that
> would sort out this problem but came up blank: smb.conf
> (samba.org)<https://www.samba.org/~ab/output/htmldocs/manpages-3/smb.conf.5.html>
> Any help to shed some light on this is greatly appreciated.
> Current smb.conf file below:
> <config>
> [global]
>     realm = OPTIONS-IT.COM
>     workgroup = OPTIONS-IT
>     security = ads
>     kerberos method = dedicated keytab
>     dedicated keytab file = /etc/krb5.keytab /etc/krb5.keytab.stc.local
>     template homedir = /home/%U
>     idmap config * : backend = sss
>     idmap config * :  range = 57000-59000

I am sorry, but using sssd with Samba isn't really recommended by
anyone, including Red Hat. I can help you set up Samba correctly, but
it is doubtful if you will get the same IDs.

Because you are using a version of RHEL, you should have a contract
with Red Hat; perhaps they can give you more help.
There is also the problem that Samba 4.10.16 is EOL from the Samba
point of view.