[Samba] samba-tool ntacl setting groups as users

Steffen Wurm steffen.wurm at resol.de
Tue May 13 10:38:25 UTC 2025


Hello

We are trying to migrate from an old Windows server to a Linux Samba system.
As we are also replacing the old AD, we exported the permissions as SDDLs from the old share and applied them on the new system using "samba-tool".

In general it seems to work quite well, but there is a strange behavior.

----- -----
root at smb-01:/# samba-tool ntacl set 'O:BAG:DUD:P(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-2875923508-401772753-1676531145-512)(A;OICI;0x1301bf;;;S-1-5-21-2875923508-401772753-1676531145-1260)' '/smb-01/abteilungen/hidden/Auszubildende/Intern'
root at smb-01:/# getfacl '/smb-01/abteilungen/hidden/Auszubildende/Intern'
getfacl: Removing leading '/' from absolute path names
# file: smb-01/abteilungen/hidden/Auszubildende/Intern
# owner: root
# group: RS\\domain\040users
user::rwx
user:root:rwx
user:RS\\domain\040admins:rwx     << domain admins should NOT be a user
user:RS\\ld_auszubildende:rwx
group::---
group:NT\040Authority\\system:rwx
group:RS\\domain\040admins:rwx    << this is expected
group:RS\\domain\040users:---
group:RS\\ld_auszubildende:rwx
mask::rwx
[...defaults-list...]
-----

When accessing this path via SMB as RS\Administrator, I get an access denied. To fix that, either:
- Another group that the Administrator is a member of has to get permissions ("domain admins" does not seem to work here)
- OR: Remove the "user:RS\\domain\040admins:rwx" ACL

Therefore I guess "group:RS\\domain\040admins" is ignored, as "user:RS\\domain\040admins" is wrongly defined.

Does anyone have an idea what might cause this issue? I am not 100% sure whether this is caused by samba-tool writing the ACLs the wrong way or by smbd interpreting them wrongly.


Some further info:

root at smb-01:/# wbinfo -u | grep -i admin
RS\administrator
root at smb-01:/# wbinfo -g | grep -i admin
RS\domain admins
RS\dnsadmins
RS\schema admins
RS\enterprise admins
root at smb-01:/# getent group 'RS\administrator'
RS\administrator:x:300500:RS\administrator
root at smb-01:/# getent passwd 'RS\administrator'
RS\administrator:*:300500:300513::/home/rs/administrator:/bin/bash
root at smb-01:/#

We are using "rid" as the AD backend. My only guess is that samba-tool / set_nt_acl checks the SID to see whether it can be found as a user and/or group and writes whatever is found.

Any ideas? Has anyone ever run into this issue before?

My workaround would otherwise be to kick all groups from being users.


Best Regards
Steffen


-- 
Steffen Wurm
Administration Informationstechnologie

Tel.: +49 (0) 23 24 / 96 48-845
E-Mail: steffen.wurm at resol.de
www: https://www.resol.de

-------------------------------------------------------------------------------
RESOL - Elektronische Regelungen GmbH
Heiskampstr. 10
45527 Hattingen / Germany
Geschäftsführer: Isabel Pfeil, Marcel Pfeil, Rudolf Pfeil
Amtsgericht - Registergericht - Essen - HRB 15674
-------------------------------------------------------------------------------
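The check the post is really doing by eye (which SDDL principals ended up as user entries, group entries, or both in the POSIX ACL) can be scripted. The following is an added example, not code from the post or from Samba: it parses the SDDL string and the getfacl output quoted above and reports, per ACE, how the principal shows up in the POSIX ACL. The SID-to-name table is an assumption chosen to match the names in the post's output (domain RIDs 512 and 513 and the SYSTEM SID are well known; mapping RID 1260 to ld_auszubildende is a guess), and the getfacl sample is reconstructed from the post with the author's "<<" remarks and the elided default entries left out.

```python
"""Cross-check an SDDL descriptor against the POSIX ACL that getfacl shows
after samba-tool ntacl set. Added example, not part of the post or of Samba."""
import re
from collections import defaultdict

# Domain SID taken from the SDDL quoted in the post.
DOMAIN_SID = "S-1-5-21-2875923508-401772753-1676531145"

# SDDL from the post: the two literal-SID ACEs are domain admins (-512) and a RID-1260 group.
SDDL = ("O:BAG:DUD:P(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)"
        f"(A;OICI;FA;;;{DOMAIN_SID}-512)(A;OICI;0x1301bf;;;{DOMAIN_SID}-1260)")

# Constructed sample: getfacl output from the post, without the author's notes
# and without the default entries the post elided.
GETFACL_OUTPUT = r"""
# file: smb-01/abteilungen/hidden/Auszubildende/Intern
# owner: root
# group: RS\\domain\040users
user::rwx
user:root:rwx
user:RS\\domain\040admins:rwx
user:RS\\ld_auszubildende:rwx
group::---
group:NT\040Authority\\system:rwx
group:RS\\domain\040admins:rwx
group:RS\\domain\040users:---
group:RS\\ld_auszubildende:rwx
mask::rwx
"""

# Well-known SDDL account aliases; DA/DU are RIDs relative to the domain SID.
WELL_KNOWN = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "CO": "S-1-3-0"}
DOMAIN_RELATIVE = {"DA": 512, "DU": 513}

# ASSUMPTION: how winbind names these SIDs on the poster's host. -512/-513 and
# SYSTEM follow from the output in the post; -1260 -> ld_auszubildende is a guess.
SID_TO_NAME = {
    "S-1-5-18": r"NT Authority\system",
    f"{DOMAIN_SID}-512": r"RS\domain admins",
    f"{DOMAIN_SID}-513": r"RS\domain users",
    f"{DOMAIN_SID}-1260": r"RS\ld_auszubildende",
}


def expand_sid(token, domain_sid=DOMAIN_SID):
    """Turn an SDDL account token (two-letter alias or literal SID) into a SID string."""
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    if token in DOMAIN_RELATIVE:
        return f"{domain_sid}-{DOMAIN_RELATIVE[token]}"
    return token


def parse_sddl(sddl, domain_sid=DOMAIN_SID):
    """Split an SDDL descriptor into owner, group, DACL control flags and the ACE list."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError(f"unsupported SDDL: {sddl}")
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_object_guid;account
        if len(fields) != 6:
            raise ValueError(f"bad ACE: ({ace})")
        ace_type, flags, rights, _obj, _inh_obj, account = fields
        # ACE flags are fixed two-letter codes (OI, CI, IO, ...), so chunk by two.
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({"type": ace_type, "flags": flag_set, "rights": rights,
                     "sid": expand_sid(account, domain_sid)})
    return {"owner": expand_sid(owner, domain_sid), "group": expand_sid(group, domain_sid),
            "dacl_flags": dacl_flags, "aces": aces}


def unescape_getfacl(name):
    """Undo getfacl's escaping: a backslash plus three octal digits for bytes such as
    space, and a doubled backslash for a literal backslash."""
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Parse getfacl output into entries of tag, qualifier, perms and default flag."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops the header lines and #effective notes
        if not line:
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append({"tag": tag, "qualifier": unescape_getfacl(qualifier),
                        "perms": perms.strip(), "default": is_default})
    return entries


def _named_tags(entries):
    """Map each named qualifier on the object ACL to the tags it appears under."""
    tags = defaultdict(set)
    for e in entries:
        if e["qualifier"] and not e["default"]:
            tags[e["qualifier"]].add(e["tag"])
    return tags


def dual_identities(entries):
    """Names that appear as both a named user and a named group entry on the object ACL."""
    return sorted(n for n, seen in _named_tags(entries).items() if {"user", "group"} <= seen)


def ace_report(sddl, getfacl_text, sid_to_name=SID_TO_NAME, domain_sid=DOMAIN_SID):
    """For every DACL ACE, say how its principal shows up in the POSIX ACL."""
    present = _named_tags(parse_getfacl(getfacl_text))
    report = []
    for ace in parse_sddl(sddl, domain_sid)["aces"]:
        name = sid_to_name.get(ace["sid"])
        found = sorted(present.get(name, ())) if name else []
        if "IO" in ace["flags"]:
            status = "inherit-only, no entry expected on this object"
        elif name is None:
            status = "SID not in name table"
        elif found == ["group", "user"]:
            status = "mapped as BOTH user and group"
        elif found:
            status = f"mapped as {found[0]}"
        else:
            status = "no matching POSIX entry"
        report.append({"sid": ace["sid"], "name": name, "rights": ace["rights"],
                       "flags": "".join(sorted(ace["flags"])), "posix_tags": found,
                       "status": status})
    return report


if __name__ == "__main__":
    for row in ace_report(SDDL, GETFACL_OUTPUT):
        print(f"{row['sid']:<55} {row['rights']:<9} {row['status']}")
    print("present as user AND group:", dual_identities(parse_getfacl(GETFACL_OUTPUT)))
```

On a live system the name table would come from `wbinfo -s <SID>` (or `wbinfo -n <name>`) rather than a hard-coded dict, and the getfacl text from `getfacl <path>`; the parsing and the user/group comparison stay the same.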


