[Samba] samba-tool ntacl setting groups as users
Steffen Wurm
steffen.wurm at resol.de
Tue May 13 13:59:09 UTC 2025
On 13.05.25 13:11, Rowland Penny via samba wrote:
> On Tue, 13 May 2025 12:38:25 +0200
> Steffen Wurm via samba <samba at lists.samba.org> wrote:
>> We are trying to migrate from an old Windows server to a Linux samba
>> system. As we are also replacing the old AD, we exported the
>> permissions as SDDLs from the old share and set them to the new
>> system, using "samba-tool".
>>
>> In general it seems to work quite well, but there is a strange
>> behavior.
>
> If you are setting the permissions with samba-tool, why are you not
> checking them with samba-tool? getfacl reads a different EA to
> samba-tool.
You are totally right. I did not check that. I also noted that the user was able to access the directory on the filesystem itself, so Samba has to handle the ACLs differently.
Primarily, I was testing access with the domain admin via Windows/SMB when I hit this problem.
The permissions shown by "samba-tool ntacl get" for the DA/domain admin seem fine to me. It looks like every directory-related permission is being given.
root at smb-01:/# samba-tool ntacl set 'O:BAG:DUD:P(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-2875923508-401772753-1676531145-512)(A;OICI;0x1301bf;;;S-1-5-21-2875923508-401772753-1676531145-1260)' '/smb-01/abteilungen/hidden/Auszubildende/Intern'
root at smb-01:/# samba-tool ntacl get '/smb-01/abteilungen/hidden/Auszubildende/Intern' --as-sddl
O:BAG:DUD:P(A;OICIIO;RPWPCRCCDCLCLODTSW;;;CO)(A;OICI;RPWPCRCCDCLCLODTSW;;;SY)(A;OICI;RPWPCRCCDCLCLODTSW;;;DA)(A;OICI;0x001301bf;;;S-1-5-21-2875923508-401772753-1676531145-1260)
root at smb-01:/#
root at dc-01:~# samba-tool group show 'domain admins' | grep -i sid
objectSid: S-1-5-21-2875923508-401772753-1676531145-512
Kicking the "user:RS\domain admin" ACL results in a much different permission set. However, DA is now getting "full control" (0x001f01ff/2032127), if I am not mistaken. Therefore I guess both scenarios should work.
root at smb-01:/# setfacl -x "d:user:RS\\domain admins" '/smb-01/abteilungen/hidden/Auszubildende/Intern'
root at smb-01:/# setfacl -x "user:RS\\domain admins" '/smb-01/abteilungen/hidden/Auszubildende/Intern'
root at smb-01:/# samba-tool ntacl get '/smb-01/abteilungen/hidden/Auszubildende/Intern' --as-sddl
O:S-1-22-1-0G:DUD:(A;OICI;0x001f01ff;;;S-1-22-1-0)(A;OICI;0x001f01ff;;;S-1-5-21-2875923508-401772753-1676531145-1260)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;S-1-5-21-2875923508-401772753-1676531145-1260)(A;OICI;;;;DU)(A;OICI;;;;WD)(A;;;;;DU)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)
>> getfacl '/smb-01/abteilungen/hidden/Auszubildende/Intern'
>> getfacl: Removing leading '/' from absolute path names
>> # file: smb-01/abteilungen/hidden/Auszubildende/Intern
>> # owner: root
>> # group: RS\\domain\040users
>> user::rwx
>> user:root:rwx
>> user:RS\\domain\040admins:rwx   << domain admins should NOT be a user
>> user:RS\\ld_auszubildende:rwx
>
> Ah, but it is, especially on a Samba AD DC.
It did not come to my mind that this could be on purpose, because deleting it fixed my issues.
>> When accessing this path via smb as RS\Administrator, I get an access
>> denied. To fix that, either:
>> - Another group has to get permissions, the Administrator is a member
>> of ("domain admins" does not seem to work, here)
>> - OR: Remove the "user:RS\\domain\040admins:rwx" ACL
>
> What is 'smb-01'?
> Is it an AD DC or a Unix domain member?
smb-01 is our file server, attached to the domain controllers (dc-01 and dc-02). So it is just a member. smb.confs are posted at the end.
> Either way, please post your smb.conf file.
>
>> My workaround would otherwise be, to kick all groups from being a
>> user.
>
> Good luck with that, especially if this is a DC.
This makes me nervous. My target was only to kick POSIX ACLs that were given as user ACLs for groups within shares.
So I hope it is just a misconfiguration at my end.
> Rowland
Thank you :)
----- file server - /etc/samba/smb.conf -----
[global]
security = ADS
workgroup = RS
realm = RS.INTERNAL
log file = /var/log/samba/%m.log
log level = 1
server role = member server
idmap config *: backend = tdb
idmap config *: range = 3000-7999
idmap config RS:backend = rid
idmap config RS:range = 300000-999999
idmap config RS:unix_nss_info = False
idmap config RS:unix_primary_group = False
vfs objects = acl_xattr streams_xattr shadow_copy2
map acl inherit = yes
inherit permissions = yes
force group = nogroup
store dos attributes = yes
template shell = /bin/bash
template homedir = /home/rs/%U
[abteilungen]
path = /smb-01/abteilungen
browseable = yes
read only = no
guest ok = no
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = backup-%Y%m%d%H%M%S
shadow:localtime = yes
[dhl]
path = /smb-01/prozesse/dhl
browseable = yes
read only = no
guest ok = no
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = backup-%Y%m%d%H%M%S
shadow:localtime = yes
[dokumente-dokku]
path = /smb-01/prozesse/dokumente-dokku
browseable = yes
read only = no
guest ok = no
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = backup-%Y%m%d%H%M%S
shadow:localtime = yes
-----
----- domain controller - /etc/samba/smb.conf -----
[global]
tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-SSL3.0
dns forwarder = 192.168.4.4 192.168.4.8
tls enabled = yes
tls keyfile = tls/dc-01.resol.de_key.pem
tls certfile = tls/dc-01.resol.de_crt.pem
tls cafile =
netbios name = DC-01
realm = RS.INTERNAL
server role = active directory domain controller
workgroup = RS
# rfc2307 prepared, but not in use ATM. RID was more comfortable.
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/rs.internal/scripts
read only = No
-----
Samba 4.17.12 (on debian 12, kernel 6.1.0-33-amd64) is being used on all samba servers.
Kind Regards
Steffen
--
Steffen Wurm
IT Administration
Tel.: +49 (0) 23 24 / 96 48-845
E-Mail: steffen.wurm at resol.de
www: https://www.resol.de
-------------------------------------------------------------------------------
RESOL - Elektronische Regelungen GmbH
Heiskampstr. 10
45527 Hattingen / Germany
Managing directors: Isabel Pfeil, Marcel Pfeil, Rudolf Pfeil
Local court (registration court) Essen - HRB 15674
-------------------------------------------------------------------------------
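The two "samba-tool ntacl get --as-sddl" outputs in this thread are hard to compare by eye: one ACE is printed as a run of two-letter tokens (RPWPCRCCDCLCLODTSW), the next as a hex mask (0x001301bf), and aliases such as DA and BA stand in for SIDs. The following decoder is an added example, not code from the thread or from Samba. It implements the MS-DTYP SDDL subset that appears in file-system ACLs, resolves the aliases, turns each rights field into an access mask and names the NTFS file rights it contains, so the descriptor that was read back and the one seen after the setfacl calls can be compared numerically. The domain SID and the two SDDL strings are copied from the thread; the function names (parse_sddl, decode_mask, granted, rights_names, flag_tokens) are the example's own. It shows what each ACE grants to a given trustee; it does not evaluate deny ACEs or group membership and does not decide why the SMB access was denied.

```python
"""Decode SDDL strings as printed by 'samba-tool ntacl get --as-sddl'.
Added example, not Samba's code. Covers the MS-DTYP subset seen in file ACLs (owner, group,
DACL flags, plain ACEs with two-letter or hex rights); deny ACEs, SACLs and group expansion are not."""
import re
from collections import namedtuple
from typing import Optional

# Two-letter rights tokens -> mask bits (MS-DTYP 2.5.1.2). The low nine bits carry
# directory-service names in SDDL, but on a file the same bits are the FILE_* rights below.
RIGHTS_TOKENS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
    "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
}
FILE_RIGHTS = [
    (0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
    (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"), (0x40, "FILE_DELETE_CHILD"),
    (0x80, "FILE_READ_ATTRIBUTES"), (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
    (0x100000, "SYNCHRONIZE"), (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ"),
]
FULL_CONTROL = 0x1F01FF  # "Full control" in the Windows ACL editor; 0x1301BF is "Modify"
# Well-known aliases (MS-DTYP 2.4.2.4); domain-relative ones are RIDs resolved against the domain SID.
WELL_KNOWN_SIDS = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "CO": "S-1-3-0", "CG": "S-1-3-1",
                   "WD": "S-1-1-0", "DA": 512, "DU": 513}
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")
Ace = namedtuple("Ace", "ace_type flags mask trustee")  # type "A" allow / "D" deny; trustee = SID
SecurityDescriptor = namedtuple("SecurityDescriptor", "owner group dacl_flags aces")


def flag_tokens(flags: str) -> set:
    # ACE flags are two-letter tokens: "CIOI" contains the substring "IO" but not the inherit-only flag.
    return {flags[i:i + 2] for i in range(0, len(flags), 2)}


def decode_mask(text: str) -> int:
    """Rights field of an ACE (hex, two-letter tokens, or empty) -> access mask."""
    text = text.strip()
    if not text:
        return 0  # an empty rights field grants nothing
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS_TOKENS[text[i:i + 2]]  # KeyError on an unknown or truncated token
    return mask


def resolve_sid(token: str, domain_sid: Optional[str]) -> str:
    if token.startswith("S-1-"):
        return token
    alias = WELL_KNOWN_SIDS[token]  # KeyError on an unknown alias
    if isinstance(alias, int):
        if domain_sid is None:
            raise ValueError(f"alias {token} needs the domain SID")
        return f"{domain_sid}-{alias}"
    return alias


def parse_sddl(sddl: str, domain_sid: Optional[str] = None) -> SecurityDescriptor:
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("expected O:<sid>G:<sid>D:<flags>(ace)...")
    dacl = m.group("dacl")
    first = dacl.find("(")
    dacl_flags = dacl if first < 0 else dacl[:first]  # e.g. "P" = protected (no inheritance)
    aces = []
    for body in ACE_RE.findall(dacl):
        # type;flags;rights;object_guid;inherit_object_guid;trustee (unpacking fails on a bad ACE)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        aces.append(Ace(ace_type, flags, decode_mask(rights), resolve_sid(trustee, domain_sid)))
    return SecurityDescriptor(resolve_sid(m.group("owner"), domain_sid),
                              resolve_sid(m.group("group"), domain_sid), dacl_flags, aces)


def rights_names(mask: int) -> list:
    return [name for bit, name in FILE_RIGHTS if mask & bit]


def granted(sd: SecurityDescriptor, sid: str) -> int:
    """Bits that allow ACEs naming this SID grant on the object itself. Inherit-only ACEs apply to
    children, so they are skipped; deny ACEs and group membership are not evaluated."""
    mask = 0
    for ace in sd.aces:
        if ace.ace_type == "A" and ace.trustee == sid and "IO" not in flag_tokens(ace.flags):
            mask |= ace.mask
    return mask


# Sample inputs copied from the thread above; the domain SID is the one shown there.
DOMAIN_SID = "S-1-5-21-2875923508-401772753-1676531145"
DOMAIN_ADMINS = f"{DOMAIN_SID}-512"
SDDL_READ_BACK = ("O:BAG:DUD:P(A;OICIIO;RPWPCRCCDCLCLODTSW;;;CO)(A;OICI;RPWPCRCCDCLCLODTSW;;;SY)"
                  f"(A;OICI;RPWPCRCCDCLCLODTSW;;;DA)(A;OICI;0x001301bf;;;{DOMAIN_SID}-1260)")
SDDL_AFTER_SETFACL = (
    f"O:S-1-22-1-0G:DUD:(A;OICI;0x001f01ff;;;S-1-22-1-0)(A;OICI;0x001f01ff;;;{DOMAIN_SID}-1260)"
    f"(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;{DOMAIN_SID}-1260)"
    "(A;OICI;;;;DU)(A;OICI;;;;WD)(A;;;;;DU)(A;;0x001f01ff;;;S-1-22-1-0)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)")
```

Calling `granted(parse_sddl(SDDL_READ_BACK, DOMAIN_SID), DOMAIN_ADMINS)` returns 0x1FF, and `rights_names(FULL_CONTROL & ~0x1FF)` lists DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER and SYNCHRONIZE as the bits that differ from a full-control mask; the same call on SDDL_AFTER_SETFACL returns 0x1F01FF, and the "P" (protected) DACL flag is gone in that second descriptor. Samba's Unix-user SIDs (S-1-22-1-<uid>) are passed through unresolved, and the ACEs with an empty rights field decode to a mask of 0.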