Hi all,

I have a server that has ACLs enabled on it and the groups are set properly from the domain that are applied on top of it for the shared folders. I am running with Mac OS X 10.10.5 on the client side and am having nothing but issues with getting them to respect the ACLs set on the files.

The Server Setup is as follows:

Domain Server: Debian 7.9 with Samba 4.3.4

Member Server:
Debian 7.9 with Samba 4.3.4
SSSD - Version 1.8.4

Here is the output of my smb.conf file:

-----------------------------------------------------------------------------------------------------------------
[global]
netbios name = fs
workgroup = AUTH
security = ADS
realm = AUTH.DOMAIN.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config AUTH:backend = ad
idmap config AUTH:schema_mode = rfc2307
idmap config AUTH:range = 10000-99999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind cache time = 40
# vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user_map
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
unix extensions = no

[Groups]
path = /Groups
guest ok = yes
browseable = yes
writeable = yes
read only = no
admin users = "Domain Admins"
inherit permissions = Yes
inherit acls = Yes
-----------------------------------------------------------------------------------------------------------------

Here is the output of my sssd.conf file:

-----------------------------------------------------------------------------------------------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://dc01.auth.domain.com
ldap_search_base = dc=auth,dc=domain,dc=com
ldap_force_upper_case_realm = true
# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad
# Enumeration is discouraged for performance reasons.
# enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = dc01$@AUTH.DOMAIN.COM
krb5_realm = AUTH.DOMAIN.COM
krb5_server = dc01.auth.domain.com
krb5_kpasswd = dc01.auth.domain.com
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell
ldap_group_object_class = group
-----------------------------------------------------------------------------------------------------------------

Here is the getfacl on my folder that I'm trying to get to respect ACLs on for the Macs:

getfacl /Groups/Digital\ Magazine/
getfacl: Removing leading '/' from absolute path names
# file: Groups/Digital Magazine/
# owner: root
# group: DigiMag
user::rwx
user:Administrator:rwx
group::r-x
group:Domain\040Admins:rwx
group:DigiMag:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:Administrator:rwx
default:group::r-x
default:group:Domain\040Admins:rwx
default:group:DigiMag:rwx
default:mask::rwx
default:other::r-x
-----------------------------------------------------------------------------------------------------------------

As you can see, the group DigiMag has rwx on the folder.
However, when I create a file, the settings get changed to the group "DigiMag" as only having r-- access on the file:

root at fs:/Groups/Digital Magazine# getfacl ROOT-FSTESTER.xlsx
# file: ROOT-FSTESTER.xlsx
# owner: ftester
# group: DigiMag
user::rwx
user:Administrator:r--
user:ftester:rwx
group::r--
group:Domain\040Admins:r--
group:DigiMag:rwx
group:Domain\040Users:r--
mask::rwx
other::r--
-----------------------------------------------------------------------------------------------------------------

This also happens if I set an ACL on the file and give explicit access for the users. If I have 2 users (ftester and zeddy) and give them full rwx access to the file(s), as soon as one of them opens up the files and saves, the ACL is overwritten and only the first user to open and save the files then has access to it. They take over ownership of the file(s) as well as change the access to the files to be r-- for both the group (DigiMag) and the user (zeddy).

-----------------------------------------------------------------------------------------------------------------
root at fs:/Groups/Digital Magazine# getfacl ROOT-FSTESTER.xlsx
# file: ROOT-FSTESTER.xlsx
# owner: ftester
# group: DigiMag
user::rwx
user:Administrator:r--
user:ftester:rwx
user:zeddy:r--
group::r--
group:Domain\040Admins:r--
group:DigiMag:rwx
group:Domain\040Users:r--
mask::rwx
other::r--
-----------------------------------------------------------------------------------------------------------------

The Macs are all Mac OS X 10.10.5 and newer, are all bound to the Domain, and all log on to the domain with a username. If I do an id on a user, it shows the proper groups that they are a part of, from both the Linux server and the Mac server. I am using the UNIX extensions and it all seems to work fine.
id ftester
uid=333345(ftester) gid=20023(Domain Users) groups=20023(Domain Users),20003(Adv_Art),20021(web),20012(MandD),20008(DigiMag),20004(circ)

uid=333346(zeddy) gid=20023(Domain Users) groups=20023(Domain Users),20012(MandD),20008(DigiMag)
-----------------------------------------------------------------------------------------------------------------

Everything seemingly works as far as I can tell. I can run a kinit and it works fine. When I log in on a Mac as a network-based user, I get my proper Kerberos tickets and access to the folders that I'm supposed to have access to based on my groups in the Samba DC.

I can't for the life of me figure out how I can get the file shares to give full rwx access to the files on the server.

If someone could please please help me out, I would greatly appreciate it and will provide any information that I might have missed.

Thank you for your time,

--
David
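An added example (not code from the poster or from the Samba project) for reading listings like the two above: POSIX ACLs grant a named user or group only what its entry AND the mask:: entry both allow, and a file created under a directory should start out with that directory's default:* entries as its access ACL. The script parses the getfacl format, computes the effective rights, and lists every entry where the file's ACL departs from the parent's default ACL; the sample input is copied from the post.

```python
"""Added example (not from the original post): parse getfacl listings like the
ones above, apply the mask:: entry, and diff a file's ACL against its parent's default ACL."""
import re
# Entry syntax is [default:]tag:qualifier:perms; prompts and '# ...' header lines are skipped.
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# Constructed input copied from the post's two listings (raw strings keep the \040 escapes).
DIRECTORY_ACL = r"""# file: Groups/Digital Magazine/
user::rwx
user:Administrator:rwx
group::r-x
group:Domain\040Admins:rwx
group:DigiMag:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:Administrator:rwx
default:group::r-x
default:group:Domain\040Admins:rwx
default:group:DigiMag:rwx
default:mask::rwx
default:other::r-x
"""
FILE_ACL = r"""user::rwx
user:Administrator:r--
user:ftester:rwx
group::r--
group:Domain\040Admins:r--
group:DigiMag:rwx
group:Domain\040Users:r--
mask::rwx
other::r--
"""

def parse_getfacl(text):
    """Split a listing into (access, default) dicts keyed by (tag, qualifier)."""
    access, default = {}, {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            is_default, tag, qual, perms = m.groups()
            key = (tag, qual.replace("\\040", " "))  # getfacl escapes spaces as \040
            (default if is_default else access)[key] = perms
    return access, default

def _bits(perms): return sum(PERM_BITS[c] for c in perms if c != "-")
def _perms(bits): return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def effective(access):
    """Owner and other are taken as-is; group:: and named entries are AND-ed with mask::."""
    mask, result = access.get(("mask", "")), {}
    for (tag, qual), perms in access.items():
        if tag == "mask":
            continue
        unmasked = mask is None or tag == "other" or (tag, qual) == ("user", "")
        result[(tag, qual)] = perms if unmasked else _perms(_bits(perms) & _bits(mask))
    return result

def inheritance_diff(dir_default, file_access):
    """(entry, expected, actual) wherever the file's ACL departs from the directory's
    default ACL (None = entry absent); dropping x on a regular file is normal, the rest is not."""
    return [(f"{t}:{q}", dir_default.get((t, q)), file_access.get((t, q)))
            for (t, q) in sorted(set(dir_default) | set(file_access))
            if dir_default.get((t, q)) != file_access.get((t, q))]
```

On a live server, feed it the getfacl output of the share directory and of a file a client has just saved; the diff then shows exactly which entries the client or server rewrote rather than inherited.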
On 02.02.2016 at 21:13, David Thompson wrote:
> I have a server that has ACLs enabled on it and the groups are set properly from the domain that are applied on top of it for the shared folders. I am running with Mac OS X 10.10.5 on the client side and am having nothing but issues with getting them to respect the ACLs set on the files.

i gave up with OSX Finder and ACLs on Linux machines in 2009

a smart operating system (OSX is not of that kind) would simply try to save or open a file and be happy if it was successful, Finder is caching information without properly understanding it and blocks without ever trying to save or open something even when it would have all permissions on the server side

the same with Finder and Netatalk

frankly i gave up, stepped back to unix permissions, re-organized storage structures so that the group has the needed permissions and the whole share has the same permissions

"inherit permissions = yes" in smb.conf and you are fine
On 02/02/16 20:13, David Thompson wrote:
> Hi all,
>
> I have a server that has ACLs enabled on it and the groups are set properly from the domain that are applied on top of it for the shared folders. I am running with Mac OS X 10.10.5 on the client side and am having nothing but issues with getting them to respect the ACLs set on the files.
> [...]
> I can't for the life of me figure out how I can get the file shares to give full rwx access to the files on the server.
> [...]

As you are using sssd for authentication, you may get better help from the sssd mailing list, if however you decide to use winbind instead, I can help you with that.

Rowland
I've reverted my test box fs back to winbindd and taken sssd out of the mix. I'd love some more help on this as it's now faring better in testing than sssd with the Macs; however, I can set the users to be looked up but I'm having issues with having the names of the groups show up.

It seems to be working, however it's now showing the GIDs as opposed to the group names. For instance digimag is now showing on the folder as 20008, but if I do a chgrp to something else and then change it back to digimag with chown -R digimag it shows up as the numeric association and not the actual group name. I don't think it's looking up the groups properly. Where would I look for that?

If I issue a wbinfo -g it returns all the groups properly, as does a getent group.

Thank you

--
David

From: Rowland penny <rpenny at samba.org>
To: <samba at lists.samba.org>
Sent: 2/2/2016 3:26 PM
Subject: Re: [Samba] Mac OS X and ACL's

On 02/02/16 20:13, David Thompson wrote:
> Hi all,
>
> I have a server that has ACLs enabled on it and the groups are set properly from the domain that are applied on top of it for the shared folders. I am running with Mac OS X 10.10.5 on the client side and am having nothing but issues with getting them to respect the ACLs set on the files.
> [...]

As you are using sssd for authentication, you may get better help from the sssd mailing list, if however you decide to use winbind instead, I can help you with that.

Rowland