samba - Sep 2016 - ACL wrong category user for group and group for user

Le 05/09/2016 à 10:23, Rowland Penny via samba a écrit :
> On Mon, 5 Sep 2016 09:38:56 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> If I try to set acl under windows, something very strange appears.
>>
>> For instance, if I set something for the user samuel I get this with
>> the command getfacl :
>> default:_*group*_:samuel.ruet:r-x
>>
>> And if I set something for the group sa-si I get this :
>> default:_*use*_r:sa-si:r-x
>>
>> Under windows all seems good...
>>
>> I recently change idmap config... ( add rid backend )
>>
>> Here is my smb.conf :
>>
>> [global]
>>      workgroup = ARIANE
>>      security = ADS
>>      realm = ARIANE.INTRA
>>
>>      netbios name = Samba4
>>      domain master = no
>>      host msdfs = no
>>
>>         dedicated keytab file = /etc/krb5.keytab
>>      kerberos method = secrets and keytab
>>      client signing = if_required
>>
>>      ## map id's outside to domain to tdb files.
>>      idmap config *:backend = tdb
>>      idmap config *:range = 2000-9999
>>
>>      # idmap config for domain ARIANE
>>      idmap config ARIANE:backend = rid
>>      idmap config ARIANE:range = 10000-99999
>>
>>      ## map ids from the domain  the range may not overlap !
>>      #idmap config INTERNAL:backend = ad
>>      #idmap config INTERNAL:schema_mode = rfc2307
>>      #idmap config INTERNAL:range = 50001-80000
>>
>>      winbind nss info = rfc2307
>>      winbind trusted domains only = no
>>      winbind use default domain = yes
>>      winbind enum users  = yes
>>      winbind enum groups = yes
>>      winbind refresh tickets = yes
>>      winbind offline logon = yes
>>
>>      wins server = 172.20.2.2, 172.20.2.3
>>
>>      template shell = /bin/bash
>>      template homedir = /home/samba/ARIANE/users/%USERNAME%
>>
>>      # user Administrator workaround, without it you are unable to set
>> privileges
>>      username map = /etc/samba/samba_usermapping
>>
>>      # For ACL support on member server
>>      vfs objects = acl_xattr
>>      map acl inherit = Yes
>>      store dos attributes = Yes
>>
>>      # Share Setting Globally
>>      usershare allow guests = no
>>      unix extensions = no
>>      wide links = no
>>      reset on zero vc = yes
>>      veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>      hide unreadable = yes
>>
>>      # disable printing completely
>>      load printers = no
>>      printing = bsd
>>      printcap name = /dev/null
>>      disable spoolss = yes
>>
>> [home]
>>      path = /home/samba/ARIANE/users
>>      read only = no
>>
>> [profiles$]
>>      path = /home/samba/ARIANE/profiles
>>      read only = no
>>      admin users = +"ARIANE\Admins du domaine"
>>      profile acls = yes
>>      csc policy = disable
>>
>> [data]
>>      path = /home/samba/ARIANE/companydata
>>      read only = no
>>
>> [software]
>>      path = /home/samba/software
>>      read only = no
>>
>> [test]
>>      path = /Fichiers/test
>>      read only = no
>>
>> Thanks.
>>
>> Samuel
>>
> There doesn't seem to be anything wrong with your smb.conf. There are
> only two reasons for your problem that I can think of, you are running
> the commands on your DC where an AD user can also be a group and
> vica-versa. Or you have local users in AD and /etc/passwd
> and /etc/group (the last one being a Unix private group).
>
> Rowland
>   
>
Sorry for that but my request was not exacltly true...

A user is set both as user and group.
A group is set both as user and group too.

Under windows, if the user ciril ( member of the group "sa-si" and 
"utilisa. du domaine" as default group) create a new file, a getfacl 
command on it return :

# file: Fichiers/SA/Nouveau document texte.txt
# owner: ciril
# group: utilisa.\040du\040domaine
user::rwx
user:utilisa.\040du\040domaine:r-x
_user:sa-si:rwx_
group::r-x
group:utilisa.\040du\040domaine:r-x
_group:ciril:rwx_
group:sa-si:rwx
mask::rwx
other::---

(  wrong entries underlined )

if the user ciril add *karine* and the group *sa-cp* to this file, the 
getfacl command show that :

# file: Fichiers/SA/Nouveau document texte.txt
# owner: ciril
# group: utilisa.\040du\040domaine
user::rwx
user:utilisa.\040du\040domaine:r-x
*user:karine.hasani:r-x*
user:sa-si:rwx
_*user:sa-cp:r-x*_
group::r-x
group:utilisa.\040du\040domaine:r-x
_*group:karine.hasani:r-x*_
group:ciril:rwx
group:sa-si:rwx
*group:sa-cp:r-x*
mask::rwx
other::---

(  wrong entries underlined )

I see in the smb.conf manual that idmap uid and idmap gid are now 
deprecated in favour of idmap config * : range.
Is using idmap config * : range mix the user and group id?

Thanks for helping
Samuel

On Wed, 7 Sep 2016 11:25:00 +0200
Sam via samba <samba at lists.samba.org> wrote:
> Sorry for that but my request was not exacltly true...
> 
> A user is set both as user and group.
> A group is set both as user and group too.
How have managed that ?

Where do these users & groups exist ?
If they are in /etc/passwd & /etc/group and also in AD, pick one place
for them and delete them from the other. You cannot have local Unix
users & groups that are also in AD.

If they are only in AD, then pick which they should be, a user or group
and then delete the other, you cannot have a user with the same name as
a group.

Rowland

Hello Rowland!

The users and group are only on the AD, and there are only one entry on 
each user...
In the Windows side all seems ok :

but not the result of getfacl ...

root at Samba4:/Fichiers# getfacl /Fichiers/SA/Nouveau\ document\ texte.txt
getfacl : suppression du premier « / » des noms de chemins absolus
# file: Fichiers/SA/Nouveau document texte.txt
# owner: ciril
# group: utilisa.\040du\040domaine
user::rwx
user:utilisa.\040du\040domaine:r-x
user:karine.hasani:r-x
user:sa-si:rwx
user:sa-cp:r-x
user:john.doe:r-x
user:essai:r-x
group::r-x
group:utilisa.\040du\040domaine:r-x
group:karine.hasani:r-x
group:ciril:rwx
group:sa-si:rwx
group:sa-cp:r-x
group:john.doe:r-x
group:essai:r-x
mask::rwx
other::---

In the above example I created the user essai on the AD one minute ago...

Good things! with setfacl I can't set a user as a group and vica-versa! ;)

wbinfo -u show only users and the -g option only groups

getent passwd show only users:
...
essai:*:14633:10513:essai 
essai:/home/samba/ARIANE/users/essaiSERNAME%:/bin/bash
...

  getent group show only groups:
...
sa-cp:x:13269:
...

Is there somewhere else to search?

Thanks

Samuel



Le 07/09/2016 à 12:14, Rowland Penny via samba a écrit :
> On Wed, 7 Sep 2016 11:25:00 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>
>> Sorry for that but my request was not exacltly true...
>>
>> A user is set both as user and group.
>> A group is set both as user and group too.
> How have managed that ?
>
> Where do these users & groups exist ?
> If they are in /etc/passwd & /etc/group and also in AD, pick one place
> for them and delete them from the other. You cannot have local Unix
> users & groups that are also in AD.
>
> If they are only in AD, then pick which they should be, a user or group
> and then delete the other, you cannot have a user with the same name as
> a group.
>
> Rowland
>
>