Hello,

I installed a samba server v 4.6.6, I use samba in classic mode (in /etc/default/sernet-samba). Samba is a member of a Windows server 2003 R2 domain.

Here is my smb.conf:

[global]
use sendfile = no
gpfs:getrealfilename = no
smb ports = 445 139
dos charset = 850
unix charset = UTF-8
interfaces = eth0
bind interfaces only = true
workgroup = MYREALM
passdb backend = tdbsam
os level = 2
time server = yes
unix extensions = yes
encrypt passwords = yes
log level = 0 acls:10
max protocol = SMB2
posix locking = no
load printers = no
name resolve order = wins host lmhosts bcast
security = ADS
password server = MyPasswordServer
realm = MYREALM.COM
netbios name = DATA30
winbind separator = +
winbind cache time = 15
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home%U
template shell = /bin/bash
logon path = \\server\%U
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *password:*all*authentication*tokens*updated*successfully
Pam password change = yes
client ntlmv2 auth = yes
host msdfs = yes
obey pam restrictions = Yes
wins support = no
wins server = MYWINS
public = yes
browseable = yes
lm announce = yes
browse list = yes
auto services = yes
remote browse sync = MyRemoteBrowseSync
remote announce = X.X.X.0/24
server string =
inherit acls = yes
map acl inherit = yes
nt acl support = yes
inherit permissions = no
enhanced browsing = yes
winbind use default domain = yes
getwd cache = yes
wide links = no
include = /etc/samba/smb.conf.%m
idmap config MYREALM : backend = rid
idmap config MYREALM : range = 60000-50000000
idmap config MYREALM : base_rid = 0
idmap config * : range = 20000-30000
nmbd bind explicit broadcast = no

[MyShare]
comment =
path = /home/fred
valid users = @MYREALM+FREDGROUP
public = no
writable = yes
printable = no
browsable = yes
preserve case = yes
short preserve case = yes
default case = lower
case sensitive = no
msdfs root = yes
create mask = 770
force create mode = 670
force directory mode = 770
directory mask = 770
store dos attributes = yes
force group = root

Here is the ACL on the directory /home/fred:

user::rwx
group::rwx
group:fredgroup:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:fredgroup:rwx
default:mask::rwx
default:other::---

I created a share named "MyShare" where members of domain group FREDGROUP can read and write files and directories.

Now I have user fpt, he is a member of group FREDGROUP and he creates a directory named "TEST" in the share MyShare. Here is the ACL on the TEST directory:

# file: /home/fred/TEST/
# owner: fpt
# group: root
# flags: -s-
user::rwx
user:67022:r-x
group::rwx
group:root:rwx
group:FREDGROUP:r-x
group:fpt:rwx
mask::rwx
other::---
default:user::rwx
default:user:67022:r-x
default:user:fpt:rwx
default:group::rwx
default:group:root:rwx
default:group:FREDGROUP:r-x
default:mask::rwx
default:other::---

I don't understand why I have a user with uid 67022. 67022 is the gid of group FREDGROUP; I have no user with this uid in the domain.

I don't understand why I have a fpt group, there is no fpt group in the domain.

When I activated the log acl:10 in smb.conf I saw these lines:

canon_ace index 2. Type = allow SID = S-1-5-21-175208659-1627204559-885930912-7022 gid 67022 SMB_ACL_GROUP ace_flags = 0x0 perms r-x
canon_ace index 5. Type = allow SID = S-1-5-21-175208659-1627204559-885930912-7022 uid 67022 SMB_ACL_USER ace_flags = 0x3 perms r-x

It seems samba doesn't make a difference between users and groups when it sets ACL rights on the directory.
On Tue, 13 Jun 2017 15:17:47 +0200 Frédéric POUGNAULT via samba <samba at lists.samba.org> wrote:

> I installed a samba server v 4.6.6,

Where did you get 4.6.6 from? The latest stable release is 4.6.5.

> I use samba in classic mode (in /etc/default/sernet-samba).

No you are not, you have a Samba domain member.

> Samba is a member of a Windows server 2003 R2 domain.
>
> Here is my smb.conf :

Whilst there are things that I would change in your smb.conf, it should work correctly. The only line I would highlight is this:

unix password sync = Yes

You cannot have the same user in AD and /etc/passwd, so why do you have this line?

> I created a share named "MyShare" where member of domain group
> FREDGROUP can read and write files and directories.
>
> Now I have user fpt, he is a member of group FREDGROUP and he create
> a directory name "TEST" in the share MyShare.
>
> Here is the ACL on the TEST directory :
>
> # file: /home/fred/TEST/
> # owner: fpt
> # group: root
> # flags: -s-
> user::rwx
> user:67022:r-x
> group::rwx
> group:root:rwx
> group:FREDGROUP:r-x
> group:fpt:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:67022:r-x
> default:user:fpt:rwx
> default:group::rwx
> default:group:root:rwx
> default:group:FREDGROUP:r-x
> default:mask::rwx
> default:other::---
>
> I don't understand why I have a user with uid 67022.
>
> 67022 is the gid of group FREDGROUP, I have no user with this uid in
> the domain.

How do you know? You are using the winbind 'rid' backend and this will allocate IDs automatically from a simple calculation using the RID:

ID = RID - BASE_RID + LOW_RANGE_ID

Or using your figures:

67022 = RID - 0 + 60000

The RID must be:

RID = 67022 - 60000
RID = 7022

> I don't understand why I have a fpt group, there is no fpt group in
> the domain.

Are you running an ftp server on the computer?

> When I activated the log acl:10 in smb.conf I saw this line :
>
> canon_ace index 2. Type = allow SID = S-1-5-21-175208659-1627204559-885930912-7022 gid 67022 SMB_ACL_GROUP ace_flags = 0x0 perms r-x
>
> canon_ace index 5. Type = allow SID = S-1-5-21-175208659-1627204559-885930912-7022 uid 67022 SMB_ACL_USER ace_flags = 0x3 perms r-x

Oh look, there is RID '7022', for some reason, something that looks like a printer appears to be a user and group at the same time.

> Its seems samba didn't do difference between users and groups when he
> sets acl right on the directory.

It can, when everything is set up correctly. Can you post the AD object for the '7022' RID?

Rowland
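The reply works the rid backend's calculation by hand. The script below, added here as an illustration and not code from the thread or from Samba, does the same job mechanically: it applies ID = RID - BASE_RID + LOW_RANGE_ID in both directions using the range and base_rid from the posted smb.conf, pulls the RID out of the SID that appears in the acl:10 log lines, and scans a pasted getfacl listing for entries whose qualifier is a bare number (getfacl only prints a number when the id has no name on the host, which is the symptom the original post describes). Function names and the range-check behaviour are my own choices; the sample ACL is the TEST directory listing from the post, embedded inline so the script runs offline.

```python
import re

# Added example, not code from the thread. Values below are the ones the
# original post gives for its 'idmap config MYREALM' rid backend.
LOW_RANGE_ID = 60000       # idmap config MYREALM : range = 60000-50000000
HIGH_RANGE_ID = 50000000
BASE_RID = 0               # idmap config MYREALM : base_rid = 0

# Domain SID with the RID as the last sub-authority.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_to_id(rid, low=LOW_RANGE_ID, high=HIGH_RANGE_ID, base_rid=BASE_RID):
    """Forward direction of the rid backend: ID = RID - BASE_RID + LOW_RANGE_ID.
    Raises when the result falls outside the configured range, which is the
    case where winbind would not hand out an id for that SID."""
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {low}-{high}")
    return unix_id


def id_to_rid(unix_id, low=LOW_RANGE_ID, high=HIGH_RANGE_ID, base_rid=BASE_RID):
    """Reverse the calculation so a numeric id seen in getfacl output can be
    turned back into the RID to look up in AD."""
    if not low <= unix_id <= high:
        raise ValueError(f"{unix_id} is not inside the rid range {low}-{high}")
    return unix_id - low + base_rid


def rid_from_sid(sid):
    """Extract the RID (last sub-authority) from a domain SID string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid!r}")
    return int(m.group(1))


def unresolved_principals(getfacl_text):
    """Scan getfacl output and return the entries whose qualifier is a bare
    number, i.e. ids the host could not resolve to a user or group name.
    Each hit is (is_default, tag, numeric_id, perms)."""
    hits = []
    for raw in getfacl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue            # skip blanks and the '# file:' header block
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        parts = line.split(":")
        if len(parts) != 3:
            continue            # not a tag:qualifier:perms entry
        tag, qualifier, perms = parts
        if qualifier.isdigit():
            hits.append((is_default, tag, int(qualifier), perms))
    return hits


# Constructed sample: the TEST directory ACL as pasted in the original post.
SAMPLE_ACL = """\
# file: /home/fred/TEST/
# owner: fpt
# group: root
# flags: -s-
user::rwx
user:67022:r-x
group::rwx
group:root:rwx
group:FREDGROUP:r-x
group:fpt:rwx
mask::rwx
other::---
default:user::rwx
default:user:67022:r-x
default:user:fpt:rwx
default:group::rwx
default:group:root:rwx
default:group:FREDGROUP:r-x
default:mask::rwx
default:other::---
"""


def explain(getfacl_text):
    """For every unresolved id in the ACL, report which RID the rid backend
    must have derived it from; that RID is what to look up in AD."""
    return [(tag, unix_id, id_to_rid(unix_id))
            for _, tag, unix_id, _ in unresolved_principals(getfacl_text)]


if __name__ == "__main__":
    for tag, unix_id, rid in explain(SAMPLE_ACL):
        print(f"{tag} {unix_id} <- RID {rid}")
```

Run against the sample, both the access and the default `user:67022` entries resolve back to RID 7022, the same value the reply derives by hand and the same RID that ends the SID in the acl:10 log lines. The script only recovers the RID; whether that RID belongs to a user, a group or something else is an AD question, which is why the reply asks for the object.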