Hello,
If I try to set ACLs under Windows, something very strange appears.

For instance, if I set something for the user samuel, I get this with the command getfacl:

default:_group_:samuel.ruet:r-x

And if I set something for the group sa-si, I get this:

default:_user_:sa-si:r-x

Under Windows all seems good...

I recently changed the idmap config (added the rid backend).

Here is my smb.conf:
[global]
workgroup = ARIANE
security = ADS
realm = ARIANE.INTRA
netbios name = Samba4
domain master = no
host msdfs = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
client signing = if_required
## map IDs from outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain ARIANE
idmap config ARIANE:backend = rid
idmap config ARIANE:range = 10000-99999
## map IDs from the domain; the ranges may not overlap!
#idmap config INTERNAL:backend = ad
#idmap config INTERNAL:schema_mode = rfc2307
#idmap config INTERNAL:range = 50001-80000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = yes
wins server = 172.20.2.2, 172.20.2.3
template shell = /bin/bash
template homedir = /home/samba/ARIANE/users/%USERNAME%
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# For ACL support on member server
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
usershare allow guests = no
unix extensions = no
wide links = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[home]
path = /home/samba/ARIANE/users
read only = no
[profiles$]
path = /home/samba/ARIANE/profiles
read only = no
admin users = +"ARIANE\Admins du domaine"
profile acls = yes
csc policy = disable
[data]
path = /home/samba/ARIANE/companydata
read only = no
[software]
path = /home/samba/software
read only = no
[test]
path = /Fichiers/test
read only = no
Thanks.
Samuel
Rowland Penny
2016-Sep-05 08:23 UTC
[Samba] ACL wrong category user for group and group for user
On Mon, 5 Sep 2016 09:38:56 +0200 Sam via samba <samba at lists.samba.org> wrote:
> If I try to set acl under windows, something very strange appears.
> For instance, if I set something for the user samuel I get this with
> the command getfacl :
> default:_group_:samuel.ruet:r-x
> And if I set something for the group sa-si I get this :
> default:_user_:sa-si:r-x
> Under windows all seems good...
> I recently change idmap config... ( add rid backend )
> [...]

There doesn't seem to be anything wrong with your smb.conf. There are only two reasons for your problem that I can think of: you are running the commands on your DC, where an AD user can also be a group and vice versa. Or you have local users in AD and /etc/passwd and /etc/group (the last one being a Unix private group).

Rowland
On 05/09/2016 at 10:23, Rowland Penny via samba wrote:
> On Mon, 5 Sep 2016 09:38:56 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>> [...]
> There doesn't seem to be anything wrong with your smb.conf. There are
> only two reasons for your problem that I can think of, you are running
> the commands on your DC where an AD user can also be a group and
> vice versa. Or you have local users in AD and /etc/passwd
> and /etc/group (the last one being a Unix private group).
>
> Rowland

Hello Rowland!

On my AD server I don't see any local user present both in AD and in the passwd and group files. So the first part seems to be the answer... but if I test with another Samba I have (a very old Samba 3.0.33 with security = ADS), the user goes correctly into the user category and the group into the group category:

user:ARIANE+samuel.ruet:r-x
group:ARIANE+sa-si:r-x

For info, this is the old server's global section:

[global]
workgroup = ARIANE
realm = ARIANE.INTRA
netbios aliases = SAMBA
server string = serveur samba3
security = ADS
username map = /etc/samba/smbusers
log level = 0
syslog = 0
log file = /var/log/samba/%m
max log size = 50
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +

comment = autre
path = /Samba
read only = No
create mask = 0770
directory mask = 0770

Thanks.
Samuel
Here is the smb.conf from the AD DC. Do I need to enable the underlined part?

Thanks!
# Global parameters
[global]
workgroup = ARIANE
realm = ariane.intra
netbios name = S4
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
## KEEP THIS OFF !! Only used for modifying the AD Schema
## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
dsdb:schema update allowed = no
## Dont forget to set the idmap_ldb on ALL DC's if you use it
idmap_ldb:use rfc2307 = yes
# when using idmap backend RID enable these
#_template shell = /bin/sh_
template homedir = /home/users/%ACCOUNTNAME%
winbind nss info = rfc2307
winbind use default domain = yes
winbind max clients = 3000
interfaces = 127.0.0.1 172.20.2.2
bind interfaces only = yes
time server = yes
wins support = yes
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
kerberos method = system keytab
## Temporary, log level 10 is the maximum
#syslog = 10
#log level =0 winbind:3
[netlogon]
path = /var/lib/samba/sysvol/ariane.intra/scripts
read only = No
acl_xattr:ignore system acl = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acl = yes
On 05/09/2016 at 10:23, Rowland Penny via samba wrote:
> On Mon, 5 Sep 2016 09:38:56 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>
>> [...]
>>
> There doesn't seem to be anything wrong with your smb.conf. There are
> only two reasons for your problem that I can think of, you are running
> the commands on your DC where an AD user can also be a group and
> vice versa. Or you have local users in AD and /etc/passwd
> and /etc/group (the last one being a Unix private group).
>
> Rowland
>
>
Did someone get the same problem, or am I alone?

Rowland, you told me about commands issued on the DC; can you tell me more about that?

Since it seems to be displayed correctly on the Windows side, can I leave it like that?

Thanks all! ;)

Samuel

On 05/09/2016 at 10:23, Rowland Penny via samba wrote:
> On Mon, 5 Sep 2016 09:38:56 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>> [...]
> There doesn't seem to be anything wrong with your smb.conf. There are
> only two reasons for your problem that I can think of, you are running
> the commands on your DC where an AD user can also be a group and
> vice versa. Or you have local users in AD and /etc/passwd
> and /etc/group (the last one being a Unix private group).
>
> Rowland
On 05/09/2016 at 10:23, Rowland Penny via samba wrote:
> On Mon, 5 Sep 2016 09:38:56 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>> [...]
> There doesn't seem to be anything wrong with your smb.conf. There are
> only two reasons for your problem that I can think of, you are running
> the commands on your DC where an AD user can also be a group and
> vice versa. Or you have local users in AD and /etc/passwd
> and /etc/group (the last one being a Unix private group).
>
> Rowland

Sorry for that, but my request was not exactly true... A user is set both as user and group. A group is set both as user and group too.

Under Windows, if the user ciril (member of the group "sa-si", with "utilisa. du domaine" as default group) creates a new file, a getfacl command on it returns:

# file: Fichiers/SA/Nouveau document texte.txt
# owner: ciril
# group: utilisa.\040du\040domaine
user::rwx
user:utilisa.\040du\040domaine:r-x
_user:sa-si:rwx_
group::r-x
group:utilisa.\040du\040domaine:r-x
_group:ciril:rwx_
group:sa-si:rwx
mask::rwx
other::---

(wrong entries underlined)

If the user ciril adds *karine* and the group *sa-cp* to this file, the getfacl command shows this:

# file: Fichiers/SA/Nouveau document texte.txt
# owner: ciril
# group: utilisa.\040du\040domaine
user::rwx
user:utilisa.\040du\040domaine:r-x
*user:karine.hasani:r-x*
user:sa-si:rwx
_*user:sa-cp:r-x*_
group::r-x
group:utilisa.\040du\040domaine:r-x
_*group:karine.hasani:r-x*_
group:ciril:rwx
group:sa-si:rwx
*group:sa-cp:r-x*
mask::rwx
other::---

(wrong entries underlined)

I see in the smb.conf manual that idmap uid and idmap gid are now deprecated in favour of idmap config * : range. Does using idmap config * : range mix the user and group IDs?

Thanks for helping
Samuel