Wilkinson, Alex
2007-Aug-06 09:40 UTC
[Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?
Hi all,

I have "FreeBSD 7.0-CURRENT #1: Wed Jul 25" authenticating successfully against active directory via samba's winbindd(8). I need to manage samba shares via FreeBSD ACLs and CIFS ACLs. From my reading of setfacl(1) I should be able to set group permissions using the syntax of DOMAIN\group-name. For example:

    #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test

However, when I do this on FreeBSD -CURRENT I get the following error:

    #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test
    setfacl: g:MYDOMAIN\mygroupname: Invalid argument

From a quick Google it looks like Linux ACLs can do the aforementioned [http://www.techtutorials.net/blogs/index.php?mode=viewuser&user_id=7].

Is anyone successfully managing their Samba shares via NT/AD groups using FreeBSD ACLs?

 -aW
Greg Byshenk
2007-Aug-06 14:10 UTC
[Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?
On Mon, Aug 06, 2007 at 05:27:50PM +0800, Wilkinson, Alex wrote:

> I have "FreeBSD 7.0-CURRENT #1: Wed Jul 25" authenticating successfully against
> active directory via samba's winbindd(8). I need to manage samba shares via
> FreeBSD ACLs and CIFS ACLs. From my reading of setfacl(1) I should be able to
> set group permissions using the syntax of DOMAIN\group-name. For example:
>
>     #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test
>
> However, when I do this on FreeBSD -CURRENT I get the following error:
>
>     #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test
>     setfacl: g:MYDOMAIN\mygroupname: Invalid argument
>
> From a quick Google it looks like Linux ACLs can do the aforementioned
> [http://www.techtutorials.net/blogs/index.php?mode=viewuser&user_id=7].
>
> Is anyone successfully managing their Samba shares via NT/AD groups using
> FreeBSD ACLs?

FreeBSD ACLs work, as well.

    sambaserver# mkdir z-test
    sambaserver# chown gbytest:users z-test/
    sambaserver# getfacl z-test/
    #file:z-test/
    #owner:1361
    #group:100
    user::rwx
    group::r-x
    mask::r-x
    other::r-x
    sambaserver# setfacl -m u:ADDOMAIN\\gbytest:rwx,g:ADDOMAIN\\domain\ users:rx z-test/
    sambaserver# getfacl z-test/
    #file:z-test/
    #owner:1361
    #group:100
    user::rwx
    user:gbytest:rwx
    group::r-x
    group:domain users:r-x
    mask::rwx
    other::r-x
    sambaserver#

This is on 6-STABLE, but it has worked on CURRENT also (though I don't have a machine running now), configured using idmap_rid (and 'winbind use default domain = yes').

At some point in the past when I was testing, I saw the same sort of errors as above. This was before I set idmap_rid (and configured samba with experimental modules), so it may have been related to this change.

Do the domain users/groups show up using 'id' and 'wbinfo'?

-- 
greg byshenk - gbyshenk@byshenk.net - Leiden, NL
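
An added example, not part of either post: a pre-flight check that parses a `setfacl -m` entry list and reports which named user/group qualifiers do not resolve through the system's name service, the same thing the closing question about 'id' and 'wbinfo' probes. It assumes the "Invalid argument" error comes from a qualifier that fails to resolve, and the function names are hypothetical.

```python
import grp
import pwd

# NSS lookups; with winbind listed in nsswitch.conf these also reach AD.
_LOOKUP = {"u": pwd.getpwnam, "user": pwd.getpwnam,
           "g": grp.getgrnam, "group": grp.getgrnam}


def parse_acl_spec(spec):
    """Split a setfacl -m argument into (tag, qualifier, perms) tuples."""
    entries = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        tag, _, rest = raw.partition(":")
        # The qualifier may contain a backslash or spaces; perms follow the last colon.
        qualifier, sep, perms = rest.rpartition(":")
        if not sep:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        entries.append((tag.strip().lower(), qualifier, perms))
    return entries


def unresolved_qualifiers(spec):
    """Return the named user/group qualifiers that NSS cannot resolve."""
    missing = []
    for tag, qualifier, _perms in parse_acl_spec(spec):
        lookup = _LOOKUP.get(tag)
        if lookup is None or not qualifier or qualifier.isdigit():
            continue  # mask/other, owner entries and numeric ids need no lookup
        try:
            lookup(qualifier)
        except KeyError:
            missing.append(f"{tag}:{qualifier}")
    return missing


if __name__ == "__main__":
    # Constructed input modelled on the command in the thread, after shell unescaping.
    spec = r"u:ADDOMAIN\gbytest:rwx,g:ADDOMAIN\domain users:rx"
    for name in unresolved_qualifiers(spec):
        print(f"not resolvable via NSS: {name}")
```

An empty result means every named entry resolved on this host; anything listed should be checked with 'id' and 'wbinfo' before running setfacl.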