[Samba] samba-tool ntacl setting groups as users

Rowland Penny rpenny at samba.org
Tue May 13 11:11:41 UTC 2025


On Tue, 13 May 2025 12:38:25 +0200
Steffen Wurm via samba <samba at lists.samba.org> wrote:

> Hallo
> 
> We are trying to migrate from an old Windows server to a Linux samba
> system. As we are also replacing the old AD, we exported the
> permissions as SDDLs from the old share and set them to the new
> system, using "samba-tool".
> 
> In general it seems to work quite well, but there is a strange
> behavior.
> 
> ----- -----
> root@smb-01:/# samba-tool ntacl set 'O:BAG:DUD:P(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-2875923508-401772753-1676531145-512)(A;OICI;0x1301bf;;;S-1-5-21-2875923508-401772753-1676531145-1260)' '/smb-01/abteilungen/hidden/Auszubildende/Intern'
> root@smb-01:/# getfacl '/smb-01/abteilungen/hidden/Auszubildende/Intern'
> getfacl:


If you are setting the permissions with samba-tool, why are you not
checking them with samba-tool? getfacl reads a different EA to
samba-tool.

> Removing leading '/' from absolute path names
> # file: smb-01/abteilungen/hidden/Auszubildende/Intern
> # owner: root
> # group: RS\\domain\040users
> user::rwx
> user:root:rwx
> user:RS\\domain\040admins:rwx     << domain admins should NOT be a user
> user:RS\\ld_auszubildende:rwx

Ah, but it is, especially on a Samba AD DC.

> group::---
> group:NT\040Authority\\system:rwx
> group:RS\\domain\040admins:rwx    << this is expected
> group:RS\\domain\040users:---
> group:RS\\ld_auszubildende:rwx
> mask::rwx
> [...defaults-list...]
> -----
> 
> When accessing this path via smb as RS\Administrator, I get an access
> denied. To fix that, either:
> - Another group has to get permissions, the Administrator is a member
> of ("domain admins" does not seem to work, here)
> - OR: Remove the "user:RS\\domain\040admins:rwx" ACL
> 
> Therefore I guess, "group:RS\\domain\040admins" is ignored, as
> "user:RS\\domain\040admins" is wrongfully defined.
> 
> Does anyone have an idea what might cause this issue? I am not 100%
> sure if this is caused by samba-tool writing the ACLs the wrong way or
> smbd interpreting them wrong.
> 
> 
> Some further info:
> 
> root@smb-01:/# wbinfo -u | grep -i admin
> RS\administrator
> root@smb-01:/# wbinfo -g | grep -i admin
> RS\domain admins
> RS\dnsadmins
> RS\schema admins
> RS\enterprise admins
> root@smb-01:/# getent group 'RS\administrator'

What is 'smb-01'?
Is it an AD DC or a Unix domain member?

Either way, please post your smb.conf file.

> RS\administrator:x:300500:RS\administrator
> root@smb-01:/# getent passwd 'RS\administrator'
> RS\administrator:*:300500:300513::/home/rs/administrator:/bin/bash
> root@smb-01:/#
> 
> We are using "rid" as the AD backend. My only guess is that samba-tool
> / set_nt_acl is checking the SID, if it can be found as user and/or
> group, and writes whatever is being found.
> 
> Any ideas? Has anyone ever run into this issue before?
> 
> My workaround would otherwise be to kick all groups from being a
> user.

Good luck with that, especially if this is a DC.

Rowland
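Decoding the SDDL string from the original post into its individual ACEs shows exactly which trustee each entry names (the RID 512 entry is Domain Admins, a group) and which rights it carries, which is what to compare against `samba-tool ntacl get` rather than getfacl. The parser below is an added example for this thread, not Samba code; its alias, RID and access-mask tables are constructed from the well-known SDDL tokens and NTFS file access bits and are not exhaustive.

```python
import re
# Lookup tables constructed for this example: common SDDL tokens and NTFS file access bits (not exhaustive).
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "DU": "Domain Users", "CO": "CREATOR OWNER", "SY": "NT AUTHORITY\\SYSTEM"}
DOMAIN_RIDS = {"500": "Administrator", "512": "Domain Admins", "513": "Domain Users"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY", "NP": "NO_PROPAGATE", "ID": "INHERITED"}
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
MASK_BITS = [(0x100000, "SYNCHRONIZE"), (0x80000, "WRITE_OWNER"), (0x40000, "WRITE_DAC"),
             (0x20000, "READ_CONTROL"), (0x10000, "DELETE"), (0x100, "FILE_WRITE_ATTRIBUTES"),
             (0x80, "FILE_READ_ATTRIBUTES"), (0x40, "FILE_DELETE_CHILD"), (0x20, "FILE_EXECUTE"),
             (0x10, "FILE_WRITE_EA"), (0x8, "FILE_READ_EA"), (0x4, "FILE_APPEND_DATA"),
             (0x2, "FILE_WRITE_DATA"), (0x1, "FILE_READ_DATA")]

def trustee_name(sid):
    # Resolve an SDDL alias or a domain SID with a well-known RID; anything else (e.g. RID 1260) stays a raw SID.
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m and m.group(1) in DOMAIN_RIDS:
        return DOMAIN_RIDS[m.group(1)] + " (" + sid + ")"
    return sid

def decode_mask(rights):
    # The rights field is either a hex mask ("0x1301bf") or concatenated two-letter aliases ("FA", "FRFX").
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS_ALIASES[rights[i:i + 2]]
    return mask

def parse_sddl(sddl):
    # Handles the O:owner G:group D:flags(ace)... form; DACL flag "P" = protected (no inheritance from parent).
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(4)):
        ace_type, flags, rights, _obj, _inh_obj, sid = ace.split(";")
        mask = decode_mask(rights)
        aces.append({"type": {"A": "ALLOW", "D": "DENY"}.get(ace_type, ace_type), "trustee": trustee_name(sid),
                     "flags": [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2]) for i in range(0, len(flags), 2)],
                     "mask": mask, "rights": [name for bit, name in MASK_BITS if mask & bit]})
    return {"owner": trustee_name(m.group(1)), "group": trustee_name(m.group(2)),
            "dacl_flags": m.group(3), "aces": aces}

SAMPLE = ("O:BAG:DUD:P(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)"
          "(A;OICI;FA;;;S-1-5-21-2875923508-401772753-1676531145-512)"
          "(A;OICI;0x1301bf;;;S-1-5-21-2875923508-401772753-1676531145-1260)")  # the SDDL from the post above
for entry in parse_sddl(SAMPLE)["aces"]:
    print(entry["type"], entry["trustee"], entry["flags"], ", ".join(entry["rights"]))
```

The 0x1301bf entry decodes to the usual "Modify" set (no WRITE_DAC, WRITE_OWNER or FILE_DELETE_CHILD), while the FA entries are full control.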
