Hello.

I have a file server with samba and sssd. Is working perfectly.

The problem is when I define extended ACLs using Windows Explorer. ACLs are not applied in the file system to the groups and users of the domain.

But when I work with winbind I can apply the extended ACLs in the file system.

Below are the contents of the sssd.conf and smb.conf files:

[global]
WORKGROUP = DOMAINE
Realm = DOMAINA.COM
Netbios name = FILESERVER
Dedicated keytab file = /etc/krb5.keytab
Kerberos method = dedicated keytab
Security = ads
Log level = 3
Log file = /var/log/samba/log.all
Max log size = 4000
Domain master = no
Local master = no
# Enable Extended ACLs # Map acl inherit = yes
Store dos attributes = yes
Vfs objects = acl_xattr

[rh]
Path = /mnt/samba/rh
; Valid users = manuel@coorp.gnulinux souza@coorp.gnulinux
Write list = @"rh@coorp.gnulinux" @"diretoria@coorp.gnulinux" @"vendas@coorp.gnulinux"

[Sssd]
Domains = domaina.com
Config_file_version = 2
Services = nss, pam

[Domain/domaina.com]
Ad_domain = domaina.com
Krb5_realm = COORP.GNULINUX
Realmd_tags = manages-system joined-with-samba
Cache_credentials = True
Id_provider = ad
Krb5_store_password_if_offline = True
Default_shell = /bin/bash
Ldap_id_mapping = True
Use_fully_qualified_names = True
Fallback_homedir = /home/%u@%d
Access_provider = ad

Why does it happen? Can someone please help me?

--
Att,
Edson Oliveira

Rowland Penny
2017-Mar-19 20:39 UTC
[Samba] Problem mapping extended acls with sssd and samba

On Sun, 19 Mar 2017 17:09:32 -0300 edson via samba <samba at lists.samba.org> wrote:

> Hello.
>
> I have a file server with samba and sssd. Is working perfectly.

Is it ?

> The problem is when I define extended ACLs using windows explorer.
> Acls are not applied in the file system to the groups and users of
> the domain.

There you go, it obviously isn't ;-)

> But when I work with winbind I can apply the extended acls in the file
> system.

Then the obvious fix for your problem is to use the Samba supported winbind instead of, the unsupported by Samba, sssd.

sssd has nothing to do with Samba, so if you want to continue using sssd, I would suggest you contact the sssd-users mailing list.

You should also note, if you are going to set the ACLs from windows, you should not use the 'write list' option.

Rowland

Thanks for the answer.

But even removing the write list parameter, the problem persists.

Excuse me. But the sssd service is working perfectly, and I see no reason to ask for help on the sssd user list.

One important piece of information is that when I apply the ACLs using the setfacl command the mapping is done and the permissions are applied. But when I use Windows Explorer the ACL permissions are not applied.

If anyone knows why this is happening and is able to help me, I thank you.

2017-03-19 17:39 GMT-03:00 Rowland Penny <rpenny at samba.org>:

> On Sun, 19 Mar 2017 17:09:32 -0300
> edson via samba <samba at lists.samba.org> wrote:
>
> > Hello.
> >
> > I have a file server with samba and sssd. Is working perfectly.
>
> Is it ?
>
> > The problem is when I define extended ACLs using windows explorer.
> > Acls are not applied in the file system to the groups and users of
> > the domain.
>
> There you go, it obviously isn't ;-)
>
> > But when I work with winbind I can apply the extended acls in the file
> > system.
>
> Then the obvious fix for your problem is to use the Samba supported
> winbind instead of, the unsupported by Samba, sssd
>
> sssd has nothing to do with Samba, so if you want to continue using
> sssd, I would suggest you contact the sssd-users mailing list.
>
> You should also note, if you are going to set the ACLs from windows,
> you should not use the 'write list' option.
>
> Rowland

--
Att,
Edson de Abreu Oliveira