Hello.

I've got a working SAMBA AD server. I'm able to join both Linux (winbind) and Windows clients. I have also joined an NAS that hosts some shares/folders to be used by multiple machines (Linux and Windows 10). On my Linux host I'm accessing the NAS via NFS mount, while on my Windows machine obviously I'm using SMB.
I'm using the ad ID mapping backend with uId and gId that I'm managing manually.
I have noticed something strange, though.
From my Linux computer I created a folder on the NAS:

    mkdir TEST

The folder has its ownership as username:users and mask 775, which is what I want:

    drwxrwxr-x 2 myname users 6 Oct 13 10:51 TEST

Afterwards I log in to my Windows 10 computer, access the same folder and create a subfolder inside of it.
Coming back to my Linux machine I browse and check the newly created folder:

    drwxrwxr-x+ 2 myname users 10 Oct 13 10:59 winfolder

Seems like the Windows-created folder has extended attributes. Let's check them with getfacl winfolder:

    # file: winfolder
    # owner: myname
    # group: users
    user::rwx
    user:11001119:r-x
    group::r-x
    group:users:r-x
    group:11001120:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:myname:rwx
    default:group::r-x
    default:group:users:r-x
    default:mask::rwx
    default:other::r-x

Here comes the confusion. Those IDs are the ones of my user (11001119) and group (11001120). But I don't understand why on the second user line I'm getting the uId, while on the default:user: line the uId is being resolved to my username? Also, why do the group:users: and group:: lines define only r-x permissions, while group:11001120 is rwx? Is this an issue caused solely by creating files/folders on Windows? Next, what's the logic behind all the default lines? If there's any... Could it be a misconfiguration on my side?

Here's my AD server smb.conf:

    [global]
        netbios name = DOM
        realm = SAM.DOM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        idmap config SAMDOM:unix_nss_info = yes
        store dos attributes = Yes
        allow dns updates = nonsecure
        inherit permissions = yes
        inherit acls = yes

And here's my Linux client smb.conf:

    [global]
        security = ADS
        workgroup = SAMDOM
        realm = SAM.DOM
        log file = /var/log/samba/%m.log
        log level = 1

        idmap config SAMDOM:backend = ad
        idmap config SAMDOM :schema_mode = rfc2307
        idmap config SAMDOM :range = 11000000-99999999
        idmap config SAMDOM :unix_nss_info = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        winbind use default domain = yes

Thanks
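Added example, not code from this thread or from the Samba project: a small Python script that parses the getfacl listing from the original post (embedded below as constructed input) and applies the two POSIX.1e rules that listing follows. First, the mask:: entry caps what named-user, owning-group and named-group entries actually grant, while user:: (the owner) and other:: are not capped. Second, the default: entries are what a new child created inside the directory receives as its own access ACL, with the child's owner, mask and other entries further ANDed with the creation mode (the umask is ignored when a default ACL exists); a child directory also copies the default entries as its own default ACL. Function names and the chosen creation mode are my own.

```python
"""Parse getfacl(1) output and show how POSIX.1e ACL entries combine.

Constructed input: the getfacl listing shown in the original post.
"""

from dataclasses import dataclass

GETFACL_OUTPUT = """\
# file: winfolder
# owner: myname
# group: users
user::rwx
user:11001119:r-x
group::r-x
group:users:r-x
group:11001120:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:myname:rwx
default:group::r-x
default:group:users:r-x
default:mask::rwx
default:other::r-x
"""


@dataclass(frozen=True)
class AclEntry:
    tag: str        # user, group, mask or other
    qualifier: str  # name or numeric id; empty for owner, owning group, mask, other
    perms: str      # three characters, e.g. "r-x"
    default: bool   # True for a default: (inheritable) entry


def parse_getfacl(text: str) -> list[AclEntry]:
    """Turn getfacl's long-form output into AclEntry records (comments skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries.append(AclEntry(tag, qualifier, perms, default))
    return entries


def _and_perms(a: str, b: str) -> str:
    """Bitwise AND of two rwx strings."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def effective_perms(entries: list[AclEntry], default: bool = False) -> dict[str, str]:
    """Permissions each entry really grants once mask:: is applied.

    The mask limits named users, the owning group and named groups; the
    owner entry (user::) and other:: are never limited by it.
    """
    subset = [e for e in entries if e.default == default]
    mask = next((e.perms for e in subset if e.tag == "mask"), None)
    result = {}
    for e in subset:
        if e.tag == "mask":
            continue
        limited = (e.tag == "user" and e.qualifier != "") or e.tag == "group"
        perms = _and_perms(e.perms, mask) if (mask and limited) else e.perms
        result[f"{e.tag}:{e.qualifier}"] = perms
    return result


def _mode_bits(mode: int, shift: int) -> str:
    """rwx string for one 3-bit class of a numeric mode (shift 6 = owner)."""
    b = (mode >> shift) & 0o7
    return ("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")


def inherit_from_default(parent: list[AclEntry], mode: int, is_dir: bool = True) -> list[AclEntry]:
    """Simulate creating a child with the given mode inside a directory.

    The child's access ACL is a copy of the parent's default entries; the
    owner, mask (or owning group if there is no mask) and other entries are
    ANDed with the matching class of the creation mode. A child directory
    also inherits the default entries as its own default ACL.
    """
    defaults = [e for e in parent if e.default]
    has_mask = any(e.tag == "mask" for e in defaults)
    child = []
    for e in defaults:
        perms = e.perms
        if e.tag == "user" and e.qualifier == "":
            perms = _and_perms(perms, _mode_bits(mode, 6))
        elif e.tag == "mask" or (e.tag == "group" and e.qualifier == "" and not has_mask):
            perms = _and_perms(perms, _mode_bits(mode, 3))
        elif e.tag == "other":
            perms = _and_perms(perms, _mode_bits(mode, 0))
        child.append(AclEntry(e.tag, e.qualifier, perms, False))
        if is_dir:
            child.append(AclEntry(e.tag, e.qualifier, e.perms, True))
    return child


if __name__ == "__main__":
    parent = parse_getfacl(GETFACL_OUTPUT)
    print("effective access entries on winfolder:", effective_perms(parent))
    child = inherit_from_default(parent, 0o755)  # hypothetical mkdir with mode 0755
    print("child access entries:", effective_perms(child))
    print("child default entries:", effective_perms(child, default=True))
```

Running it shows that on the listed directory every named entry already fits under mask::rwx, so the effective permissions equal the literal ones; but a child created with mode 0755 gets mask::r-x, which cuts the inherited user:myname:rwx down to an effective r-x even though the default entry says rwx. That is the mechanism by which a named-user entry can end up showing fewer permissions than its default counterpart.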
Rowland penny
2020-Oct-13 08:49 UTC
[Samba] Are those file and folder ACLs to be expected?
On 13/10/2020 09:23, Z Z via samba wrote:
> Hello.
>
> I've got a working SAMBA AD server. I'm able to join both Linux (winbind) and Windows clients. I have also joined an NAS that hosts some shares/folders to be used by multiple machines (Linux and Windows 10). On my Linux host I'm accessing the NAS via NFS mount, while on my Windows machine obviously I'm using SMB.
> I'm using the ad ID mapping backend with uId and gId that I'm managing manually.
> I have noticed something strange, though.
> From my Linux computer I created a folder on the NAS:
>
>     mkdir TEST
>
> The folder has its ownership as username:users and mask 775, which is what I want:
>
>     drwxrwxr-x 2 myname users 6 Oct 13 10:51 TEST
>
> Afterwards I log in to my Windows 10 computer, access the same folder and create a subfolder inside of it.
> Coming back to my Linux machine I browse and check the newly created folder:
>
>     drwxrwxr-x+ 2 myname users 10 Oct 13 10:59 winfolder
>
> Seems like the Windows-created folder has extended attributes. Let's check them with getfacl winfolder:
>
>> # file: winfolder
>> # owner: myname
>> # group: users

You say this is on a domain joined NAS, so why is 'users' not 'Domain Users' ?

>> user::rwx
>> user:11001119:r-x
>> group::r-x
>> group:users:r-x
>> group:11001120:rwx
>> mask::rwx
>> other::r-x
>> default:user::rwx
>> default:user:myname:rwx
>> default:group::r-x
>> default:group:users:r-x
>> default:mask::rwx
>> default:other::r-x
>
> Here comes the confusion. Those IDs are the ones of my user (11001119) and group (11001120). But I don't understand why on the second user line I'm getting the uId, while on the default:user: line the uId is being resolved to my username?

I have no idea, the share is on your NAS and you haven't supplied the smb.conf for that

What versions of Samba are you using ?

Rowland
Greetings Rowland.

The NAS we have does not allow SSH connections, only a web interface for management, and therefore I'm unable to provide the conf file.
The group "users" is actually named "artists" and it's created by me. I needed a group with a simpler name.
The version of Samba is 4.10.4.
Let me know if there's anything else I can provide that could be of help.

On Tue, Oct 13, 2020 at 11:50 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 13/10/2020 09:23, Z Z via samba wrote:
>> Hello.
>>
>> I've got a working SAMBA AD server. I'm able to join both Linux (winbind) and Windows clients. I have also joined an NAS that hosts some shares/folders to be used by multiple machines (Linux and Windows 10). On my Linux host I'm accessing the NAS via NFS mount, while on my Windows machine obviously I'm using SMB.
>> I'm using the ad ID mapping backend with uId and gId that I'm managing manually.
>> I have noticed something strange, though.
>> From my Linux computer I created a folder on the NAS:
>>
>>     mkdir TEST
>>
>> The folder has its ownership as username:users and mask 775, which is what I want:
>>
>>     drwxrwxr-x 2 myname users 6 Oct 13 10:51 TEST
>>
>> Afterwards I log in to my Windows 10 computer, access the same folder and create a subfolder inside of it.
>> Coming back to my Linux machine I browse and check the newly created folder:
>>
>>     drwxrwxr-x+ 2 myname users 10 Oct 13 10:59 winfolder
>>
>> Seems like the Windows-created folder has extended attributes. Let's check them with getfacl winfolder:
>>
>>> # file: winfolder
>>> # owner: myname
>>> # group: users
>
> You say this is on a domain joined NAS, so why is 'users' not 'Domain Users' ?
>
>>> user::rwx
>>> user:11001119:r-x
>>> group::r-x
>>> group:users:r-x
>>> group:11001120:rwx
>>> mask::rwx
>>> other::r-x
>>> default:user::rwx
>>> default:user:myname:rwx
>>> default:group::r-x
>>> default:group:users:r-x
>>> default:mask::rwx
>>> default:other::r-x
>>
>> Here comes the confusion. Those IDs are the ones of my user (11001119) and group (11001120). But I don't understand why on the second user line I'm getting the uId, while on the default:user: line the uId is being resolved to my username?
>
> I have no idea, the share is on your NAS and you haven't supplied the smb.conf for that
>
> What versions of Samba are you using ?
>
> Rowland