Hi All,
I am in the process of trying to build a Samba server to replace our
aging EMC Celerra file server appliance.? The goal, ultimately, is to
build a file server on which we can migrate a file share from the
Celerra (ACL permissions and all) over to Samba, where the file share
can be exported via NFS as well as Samba, AND the permissions we see
in Linux are what we see in Windows (as well as the permissions we set
in one environment being valid in the other).? I am *very* close, but
have made a perplexing discovery: I have noticed that if I use a
Windows tool (Windows Explorer, Robocopy, etc) to set the permissions,
the permissions don't seem to be getting honored.? If I set the same
ACL permissions from the Linux command line, everything works fine.
It seems that the AD user is not mapping to the UNIX user as I would
expect.
For this example, I'll describe a simple test.
SETUP: Let's suppose I have a Samba server joined to our Active
Directory domain, EXAMPLE01, and it's configured per the attached
smb.conf. Winbind is enabled and used. The Samba box has knowledge
of Linux users through NIS (I am only maintaining users, groups, and
passwords in NIS; not machines, etc). I am able to see a given user's
AD group memberships as well as NIS group memberships on the Samba box
when issuing the 'groups' command. I am mapping NIS users to AD users
with the file /etc/samba/smbusers, and using the 'net' command to map
AD groups to NIS groups. Memberships in the AD and NIS groups are
synchronized, so the same user exists in both. I am attempting to use
idmap backend = rid to predictably generate UID/GID mappings by
winbind across machines, for failover purposes.
EXPERIMENT: we have a brand new machine configured as described above.
The share we are working with is called 'osxtest'. The share begins
with no ACLs:
[root@sambatest shares]# ls -l
total 4
drwxr-xr-x 2 root root 4096 Apr 24 10:19 osxtest
[root@sambatest shares]# getfacl osxtest/
# file: osxtest
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
As an domain administrator (admbky), I wish to create a directory
called 'test' and set an acl allowing user 'testbky' rwx access
to the
'test' directory. Here's the relevant info for 'testbky':
[root@sambatest shares]# ypcat passwd | grep testbky
testbky:SOMESTRING:XXXX:XXXX:Test User:/home/testbky:/bin/bash
[root@sambatest shares]# ypcat group | grep testbky
g1019:x:20077:testbky
testbky:x:XXXX:
g2015:x:20104:testbky
domainusers:*:20011:testbky
[root@sambatest shares]# groups testbky
testbky : testbky g1019 g2015 domainusers domain users g2015 g1019 everyone
[root@sambatest shares]# cat /etc/samba/smbusers | grep testbky
testbky = EXAMPLE01\testbky
And for admbky, I am correctly mapped to root:
[root@sambatest shares]# cat /etc/samba/smbusers | grep admbky
root = administrator admin EXAMPLE01\admbky
admbky = EXAMPLE01\admbky
So, from Windows I create directory 'test' and set the ACL for
'testbky':
[root@sambatest osxtest]# pwd
/shares/osxtest
[root@sambatest osxtest]# ls -l
total 8
drwxrwxr-x+ 2 root root 4096 Apr 24 11:28 test
[root@sambatest osxtest]# getfacl test/
# file: test
# owner: root
# group: root
user::rwx
user:testbky:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:testbky:rwx
default:group::---
default:mask::rwx
default:other::---
So, testbky *should* be able to (from Windows AND Linux) manipulate
data in the directory:
[testbky@sambatest test]$ whoami
testbky
[testbky@sambatest test]$ pwd
/shares/osxtest/test
[testbky@sambatest test]$ touch test.txt
touch: cannot touch `test.txt': Permission denied
The same thing happens in Windows. Now, I will create the same ACL
from the Linux command line:
[root@sambatest osxtest]# whoami
root
[root@sambatest osxtest]# pwd
/shares/osxtest
[root@sambatest osxtest]# getfacl test/
# file: test
# owner: root
# group: root
user::rwx
user:testbky:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:testbky:rwx
default:group::---
default:mask::rwx
default:other::---
[root@sambatest osxtest]# setfacl -m u:testbky:rwx test/
[root@sambatest osxtest]# getfacl test/
# file: test
# owner: root
# group: root
user::rwx
user:testbky:rwx
user:testbky:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:testbky:rwx
default:group::---
default:mask::rwx
default:other::---
WEIRD! Now, I seem to have two identical ACLs for testbky. Now
everything works fine:
[testbky@sambatest test]$ whoami
testbky
[testbky@sambatest test]$ pwd
/shares/osxtest/test
[testbky@sambatest test]$ ls
[testbky@sambatest test]$ touch test.txt
[testbky@sambatest test]$ getfacl test.txt
# file: test.txt
# owner: testbky
# group: testbky
user::rw-
user:testbky:rwx #effective:rw-
group::---
mask::rw-
other::---
If I create a file from Windows as testbky, I see:
[testbky@sambatest test]$ ls -l
total 16
-rw-rwxr--+ 1 testbky testbky 12 Apr 24 12:32 testbky-from-windows.txt
-rw-rw----+ 1 testbky testbky 12 Apr 24 12:32 test.txt
[testbky@sambatest test]$ getfacl testbky-from-windows.txt
# file: testbky-from-windows.txt
# owner: testbky
# group: testbky
user::rw-
user:testbky:rwx
group::rw-
mask::rwx
other::r--
I will note that in Windows Explorer, if I view security on the files,
I can see both ACLs as well. One for the UNIX user testbky and one
for the EXAMPLE01 domain user testbky@example.org. So, that's the
problem. Why are they being treated as different users? Is this
normal/correct behavior? Have I missed some fundamental configuration
that makes all this work as expected. I *expect* that if I set an ACL
from Windows it should work *atleast* for the Windows user, from
Windows, if not for both Windows and Linux users.
I would really appreciate any insight into what I am misunderstanding,
or might have missed in terms of configuration. Basically, where I am
with this project is: as long as I manage ACLs from Linux, everything
works great. New files inherit the UNIX permissions, and Windows
users can interact with existing files where their UNIX permissions
allow it. But, when I start manipulating the permissions from a
Windows tool, things don't work right.
Thanks in advance,
Brandon