[Samba] samba-tool ntacl setting groups as users

Rowland Penny rpenny at samba.org
Tue May 13 15:32:07 UTC 2025


On Tue, 13 May 2025 15:59:09 +0200
Steffen Wurm <steffen.wurm at resol.de> wrote:

> On 13.05.25 13:11, Rowland Penny via samba wrote:
> > On Tue, 13 May 2025 12:38:25 +0200
> > Steffen Wurm via samba <samba at lists.samba.org> wrote:
> >> We are trying to migrate from an old Windows server to a Linux
> >> samba system. As we are also replacing the old AD, we exported the
> >> permissions as SDDLs from the old share and set them to the new
> >> system, using "samba-tool".
> >>
> >> In general it seems to work quite well, but there is a strange
> >> behavior.
> > 
> > If you are setting the permissions with samba-tool, why are you not
> > checking them with samba-tool? getfacl reads a different EA to
> > samba-tool.
> 
> You are totally right. I did not check that; also, I noted that the
> user was able to access the directory on the filesystem itself, so
> samba therefore has to handle the ACLs differently.
> 
> Primarily I was testing access with the domain admin via Windows/smb
> when hitting this problem. The permissions via "samba-tool ntacl get"
> for the DA/domain admin seem fine to me. It looks like every directory
> related permission is being given.
> 
> root@smb-01:/# samba-tool ntacl set 'O:BAG:DUD:P(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-2875923508-401772753-1676531145-512)(A;OICI;0x1301bf;;;S-1-5-21-2875923508-401772753-1676531145-1260)' '/smb-01/abteilungen/hidden/Auszubildende/Intern'
> root@smb-01:/# samba-tool ntacl get '/smb-01/abteilungen/hidden/Auszubildende/Intern' --as-sddl
> O:BAG:DUD:P(A;OICIIO;RPWPCRCCDCLCLODTSW;;;CO)(A;OICI;RPWPCRCCDCLCLODTSW;;;SY)(A;OICI;RPWPCRCCDCLCLODTSW;;;DA)(A;OICI;0x001301bf;;;S-1-5-21-2875923508-401772753-1676531145-1260)
> root@smb-01:/#
> 
> root@dc-01:~# samba-tool group show 'domain admins' | grep -i sid
> objectSid: S-1-5-21-2875923508-401772753-1676531145-512
>

OK, a bit of background here. Samba AD DCs use what is known as the
idmap.ldb backend, that is, Windows domain user, group and computer
SIDs are mapped, on a first-come basis, to 'xidNumber' attributes in
idmap.ldb; these 'xidNumbers' start at 3000000 and are only used on AD
DCs. There is a problem here: as I said, they are mapped on a first-come
basis, so you will get different IDs on each DC, which is why you
need to sync idmap.ldb from the first DC to all others.

Windows does something that Unix doesn't: it allows groups to 'own'
things, just like a user. This is required on a Samba DC, so when
Domain Admins is mapped to an xidNumber, it is also mapped as
ID_TYPE_BOTH.

You are using the 'rid' idmap backend on your Unix domain member. This
works by calculating the Unix ID from the account's RID, using this
calculation: ID = RID + LOW_RANGE_ID

Which from the smb.conf you supplied, becomes:

ID = 512 + 300000

Domain Admins ID = 300512

I also use the rid idmap backend (with a range start of 10000) and if I
run 'getent group Domain\ Admins', I get this:

domain admins:x:10512:COMMA_SEPARATED_LIST_OF_GROUP_MEMBERS

But Samba also has another trick, if I run 'getent passwd Domain\
Admins', I get this:

domain admins:*:10512:10512::/home/domain admins:/bin/bash

Now we come to the SDDL you set with samba-tool; broken down to make it
slightly easier to read, it is this:

O:BAG:DUD:P
(A;OICIIO;FA;;;CO)
(A;OICI;FA;;;SY)
(A;OICI;FA;;;S-1-5-21-2875923508-401772753-1676531145-512)
(A;OICI;0x1301bf;;;S-1-5-21-2875923508-401772753-1676531145-1260)


The first line is the owner and the group and some other data that,
while relevant, we can ignore for the purposes of this: 'BA' is
BUILTIN Administrators #NOTE: this is a group, not the user
'Administrator'; 'DU' is Domain Users.

The next four are ACEs for (in order):
'CO' CREATOR_OWNER
'SY' SYSTEM
'512' Domain Admins
'1260' ???? no idea, it is your AD

The first three get full control and the last gets 'Modify' permissions.

Now when you check these permissions, you get this (again broken down
to read more easily):

O:BAG:DUD:P
(A;OICIIO;RPWPCRCCDCLCLODTSW;;;CO)
(A;OICI;RPWPCRCCDCLCLODTSW;;;SY)
(A;OICI;RPWPCRCCDCLCLODTSW;;;DA)
(A;OICI;0x001301bf;;;S-1-5-21-2875923508-401772753-1676531145-1260)

Which, on the face of it, is different, but is it?

'RPWPCRCCDCLCLODTSW' is another way of saying 'FA' or 'Generic All'

So what you are setting and getting back appear to be the same.

Samba will then use that SDDL to set the ACLs on the underlying
filesystem, which will get you the best possible permissions on Linux.
However, I also noticed lines like this:

shadow:snapdir = .zfs/snapshot

Are you using ZFS?
If so, then this could possibly be your problem; there have been other
reports on this list about problems using ZFS.

Rowland
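As an added illustration (not code from this thread or from Samba), the Python below breaks the SDDL strings quoted above into their ACEs, expands the well-known trustee abbreviations, and applies the rid backend formula ID = RID + LOW_RANGE_ID from the reply. The alias table, the domain SID and the range starts (300000 and 10000) are taken from or assumed for this post; it checks trustees and ACE flags only, not rights equivalence.

```python
import re

# Domain SID as shown in the 'samba-tool group show' output above.
DOMAIN_SID = "S-1-5-21-2875923508-401772753-1676531145"

# Well-known SDDL abbreviations (assumed standard Windows mappings):
# BA = BUILTIN\Administrators, SY = SYSTEM, CO = CREATOR OWNER,
# DA = Domain Admins (RID 512), DU = Domain Users (RID 513).
ALIASES = {
    "BA": "S-1-5-32-544",
    "SY": "S-1-5-18",
    "CO": "S-1-3-0",
    "DA": f"{DOMAIN_SID}-512",
    "DU": f"{DOMAIN_SID}-513",
}

ACE_RE = re.compile(r"\(([^)]*)\)")
ID_RE = r"([A-Z]{2}|S-[\d-]+)"


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    head, _, dacl = sddl.partition("D:")
    owner = re.search("O:" + ID_RE, head).group(1)
    group = re.search("G:" + ID_RE, head).group(1)
    flags = dacl[: dacl.index("(")]  # e.g. 'P' = protected (no inheritance)
    aces = []
    for body in ACE_RE.findall(dacl):
        ace_type, ace_flags, rights, _obj, _inh_obj, trustee = body.split(";")
        aces.append({"type": ace_type, "flags": ace_flags, "rights": rights,
                     "trustee": ALIASES.get(trustee, trustee)})
    return {"owner": ALIASES.get(owner, owner),
            "group": ALIASES.get(group, group),
            "flags": flags, "aces": aces}


def rid_backend_id(sid, low_range_id):
    """Unix ID the 'rid' idmap backend derives for a domain SID, or None."""
    if not sid.startswith(DOMAIN_SID + "-"):
        return None  # BUILTIN / well-known SIDs are not mapped by this domain's range
    rid = int(sid.rsplit("-", 1)[1])
    return rid + low_range_id


def same_trustees(set_sddl, got_sddl):
    """True when both DACLs list the same trustees, in order, with the same ACE flags."""
    a = [(ace["trustee"], ace["flags"]) for ace in parse_sddl(set_sddl)["aces"]]
    b = [(ace["trustee"], ace["flags"]) for ace in parse_sddl(got_sddl)["aces"]]
    return a == b
```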