On 05/09/2016 at 10:23, Rowland Penny via samba wrote:
> On Mon, 5 Sep 2016 09:38:56 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> If I try to set ACLs under Windows, something very strange appears.
>>
>> For instance, if I set something for the user samuel I get this with
>> the command getfacl:
>> default:_*group*_:samuel.ruet:r-x
>>
>> And if I set something for the group sa-si I get this:
>> default:_*user*_:sa-si:r-x
>>
>> Under Windows all seems good...
>>
>> I recently changed the idmap config (added the rid backend).
>>
>> Here is my smb.conf:
>>
>> [global]
>> workgroup = ARIANE
>> security = ADS
>> realm = ARIANE.INTRA
>>
>> netbios name = Samba4
>> domain master = no
>> host msdfs = no
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> client signing = if_required
>>
>> ## map id's outside to domain to tdb files.
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain ARIANE
>> idmap config ARIANE:backend = rid
>> idmap config ARIANE:range = 10000-99999
>>
>> ## map ids from the domain the range may not overlap !
>> #idmap config INTERNAL:backend = ad
>> #idmap config INTERNAL:schema_mode = rfc2307
>> #idmap config INTERNAL:range = 50001-80000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>> winbind offline logon = yes
>>
>> wins server = 172.20.2.2, 172.20.2.3
>>
>> template shell = /bin/bash
>> template homedir = /home/samba/ARIANE/users/%USERNAME%
>>
>> # user Administrator workaround, without it you are unable to set privileges
>> username map = /etc/samba/samba_usermapping
>>
>> # For ACL support on member server
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>> # Share Setting Globally
>> usershare allow guests = no
>> unix extensions = no
>> wide links = no
>> reset on zero vc = yes
>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>> hide unreadable = yes
>>
>> # disable printing completely
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> [home]
>> path = /home/samba/ARIANE/users
>> read only = no
>>
>> [profiles$]
>> path = /home/samba/ARIANE/profiles
>> read only = no
>> admin users = +"ARIANE\Admins du domaine"
>> profile acls = yes
>> csc policy = disable
>>
>> [data]
>> path = /home/samba/ARIANE/companydata
>> read only = no
>>
>> [software]
>> path = /home/samba/software
>> read only = no
>>
>> [test]
>> path = /Fichiers/test
>> read only = no
>>
>> Thanks.
>>
>> Samuel
>>
> There doesn't seem to be anything wrong with your smb.conf. There are
> only two reasons for your problem that I can think of: you are running
> the commands on your DC, where an AD user can also be a group and
> vice versa, or you have local users in AD and /etc/passwd
> and /etc/group (the last one being a Unix private group).
>
> Rowland
>

Sorry for that, but my request was not exactly true...

A user is set both as user and group.
A group is set both as user and group too.

Under Windows, if the user ciril (member of the group "sa-si", with "utilisa. du domaine" as default group) creates a new file, a getfacl command on it returns:

# file: Fichiers/SA/Nouveau document texte.txt
# owner: ciril
# group: utilisa.\040du\040domaine
user::rwx
user:utilisa.\040du\040domaine:r-x
_user:sa-si:rwx_
group::r-x
group:utilisa.\040du\040domaine:r-x
_group:ciril:rwx_
group:sa-si:rwx
mask::rwx
other::---

(wrong entries underlined)

If the user ciril adds *karine* and the group *sa-cp* to this file, the getfacl command shows this:

# file: Fichiers/SA/Nouveau document texte.txt
# owner: ciril
# group: utilisa.\040du\040domaine
user::rwx
user:utilisa.\040du\040domaine:r-x
*user:karine.hasani:r-x*
user:sa-si:rwx
_*user:sa-cp:r-x*_
group::r-x
group:utilisa.\040du\040domaine:r-x
_*group:karine.hasani:r-x*_
group:ciril:rwx
group:sa-si:rwx
*group:sa-cp:r-x*
mask::rwx
other::---

(wrong entries underlined)

I see in the smb.conf manual that idmap uid and idmap gid are now deprecated in favour of idmap config * : range. Does using idmap config * : range mix the user and group IDs?

Thanks for helping

Samuel
Rowland Penny
2016-Sep-07 10:14 UTC
[Samba] ACL wrong category user for group and group for user
On Wed, 7 Sep 2016 11:25:00 +0200 Sam via samba <samba at lists.samba.org> wrote:
> Sorry for that, but my request was not exactly true...
>
> A user is set both as user and group.
> A group is set both as user and group too.

How have you managed that?

Where do these users & groups exist?
If they are in /etc/passwd & /etc/group and also in AD, pick one place for them and delete them from the other. You cannot have local Unix users & groups that are also in AD.

If they are only in AD, then pick which they should be, a user or a group, and then delete the other; you cannot have a user with the same name as a group.

Rowland
Hello Rowland!

The users and groups are only in the AD, and there is only one entry for each user...

On the Windows side all seems OK, but not the result of getfacl:

root at Samba4:/Fichiers# getfacl /Fichiers/SA/Nouveau\ document\ texte.txt
getfacl : suppression du premier « / » des noms de chemins absolus
# file: Fichiers/SA/Nouveau document texte.txt
# owner: ciril
# group: utilisa.\040du\040domaine
user::rwx
user:utilisa.\040du\040domaine:r-x
user:karine.hasani:r-x
user:sa-si:rwx
user:sa-cp:r-x
user:john.doe:r-x
user:essai:r-x
group::r-x
group:utilisa.\040du\040domaine:r-x
group:karine.hasani:r-x
group:ciril:rwx
group:sa-si:rwx
group:sa-cp:r-x
group:john.doe:r-x
group:essai:r-x
mask::rwx
other::---

In the above example I created the user essai in the AD one minute ago...

Good thing: with setfacl I can't set a user as a group and vice versa! ;)

wbinfo -u shows only users and the -g option only groups.

getent passwd shows only users:
...
essai:*:14633:10513:essai essai:/home/samba/ARIANE/users/essaiSERNAME%:/bin/bash
...

getent group shows only groups:
...
sa-cp:x:13269:
...

Is there somewhere else to search?

Thanks

Samuel

On 07/09/2016 at 12:14, Rowland Penny via samba wrote:
> On Wed, 7 Sep 2016 11:25:00 +0200
> Sam via samba <samba at lists.samba.org> wrote:
>
>> Sorry for that, but my request was not exactly true...
>>
>> A user is set both as user and group.
>> A group is set both as user and group too.
> How have you managed that?
>
> Where do these users & groups exist?
> If they are in /etc/passwd & /etc/group and also in AD, pick one place
> for them and delete them from the other. You cannot have local Unix
> users & groups that are also in AD.
>
> If they are only in AD, then pick which they should be, a user or group,
> and then delete the other; you cannot have a user with the same name as
> a group.
>
> Rowland
>
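A sanity check for the symptom discussed in this thread, written as an added example and not code from the list or from the Samba project: it parses getfacl output (decoding the \040 escapes getfacl uses for spaces), reports names that are granted as both a named user and a named group entry, which is what the getfacl listings above show and which means one of the two entries grants access to the wrong principal, and reads the idmap ranges out of smb.conf to flag overlaps, which the config comment above warns against. The sample ACL and the config excerpt are constructed from the ones quoted in the thread; everything else (function names, the parsing approach) is the example's own.

```python
import re

# Constructed sample modelled on the getfacl output quoted in the thread
GETFACL_OUTPUT = """\
# file: Fichiers/SA/Nouveau document texte.txt
user::rwx
user:utilisa.\\040du\\040domaine:r-x
user:sa-si:rwx
group::r-x
group:utilisa.\\040du\\040domaine:r-x
group:ciril:rwx
group:sa-si:rwx
mask::rwx
"""
# Constructed excerpt of the idmap ranges from the smb.conf quoted above
SMB_CONF = """\
idmap config *:range = 2000-9999
idmap config ARIANE:range = 10000-99999
"""

def parse_getfacl(text):
    """Return (tag, qualifier, perms) per ACL entry, with \\NNN octal escapes decoded."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) != 3:
            continue  # header lines and blank lines carry no ACL entry
        tag, qual, perms = parts
        qual = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), qual)
        entries.append((tag, qual, perms))
    return entries

def find_dual_entries(entries):
    """Names present as both a named user and a named group: one of them is wrong."""
    users = {q for t, q, _ in entries if t == "user" and q}
    groups = {q for t, q, _ in entries if t == "group" and q}
    return sorted(users & groups)

def parse_idmap_ranges(smb_conf):
    """Map each 'idmap config DOM:range = lo-hi' line to {DOM: (lo, hi)}."""
    pat = r"idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(pat, smb_conf)}

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ID ranges overlap (they must not)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
```

On a live member server, feed it the output of getfacl on a suspect file and the running smb.conf; the names it reports are the ones to cross-check with getent passwd and getent group as done above.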