Hello,

Yes, I made a mistake, it's not v4.6.6 but 4.6.5.

For "unix password sync = yes", it is an old parameter; ten years ago an sftp server was installed with the samba server. Currently there is no ftp server.

Here is the AD object with RID 7022:

objectClass: top
objectClass: group
cn: FREDGROUP
member: CN=fpt,CN=Users,DC=cogesys,DC=com
distinguishedName: CN=FREDGROUP,CN=Users,DC=cogesys,DC=com
instanceType: 4
whenCreated: 12/06/2007 09:46:04
whenChanged: 06/14/2017 07:21:18
uSNCreated: 20677766
memberOf: CN=Basic_Authentification,CN=Users,DC=cogesys,DC=com
uSNChanged: 44188593
name: FREDGROUP
objectGUID: {472F71F0-759B-46FD-BA08-053A9246080D}
objectSid: S-1-5-21-175208659-1627204559-885930912-7022
sAMAccountName: FREDGROUP
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=cogesys,DC=com
dSCorePropagationData: 11/30/2016 14:11:42
dSCorePropagationData: 01/01/1601 00:00:01
ADsPath: LDAP://godc6.cogesys.com/CN=FREDGROUP,CN=Users,DC=cogesys,DC=com

From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
Sent: Tuesday 13 June 2017 16:48
To: samba at lists.samba.org
Cc: Frédéric POUGNAULT
Subject: Re: [Samba] SMB_ACL_GROUP SMB_ACL_USER

On Tue, 13 Jun 2017 15:17:47 +0200 Frédéric POUGNAULT via samba <samba at lists.samba.org> wrote:

> I installed a samba server v 4.6.6,

Where did you get 4.6.6 from? The latest stable release is 4.6.5

> I use samba in classic mode (in /etc/default/sernet-samba).

No you are not, you have a Samba domain member.

> Samba is a member of a Windows server 2003 R2 domain.
>
> Here is my smb.conf:

Whilst there are things that I would change in your smb.conf, it should work correctly. The only line I would highlight is this:

unix password sync = Yes

You cannot have the same user in AD and /etc/passwd, so why do you have this line?

> I created a share named "MyShare" where members of domain group
> FREDGROUP can read and write files and directories.
>
> Now I have user fpt, he is a member of group FREDGROUP and he creates a
> directory named "TEST" in the share MyShare.
>
> Here is the ACL on the TEST directory:
>
> # file: /home/fred/TEST/
> # owner: fpt
> # group: root
> # flags: -s-
> user::rwx
> user:67022:r-x
> group::rwx
> group:root:rwx
> group:FREDGROUP:r-x
> group:fpt:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:67022:r-x
> default:user:fpt:rwx
> default:group::rwx
> default:group:root:rwx
> default:group:FREDGROUP:r-x
> default:mask::rwx
> default:other::---
>
> I don't understand why I have a user with uid 67022.
>
> 67022 is the gid of group FREDGROUP, I have no user with this uid in
> the domain.

How do you know? You are using the winbind 'rid' backend and this will allocate IDs automatically from a simple calculation using the RID:

ID = RID - BASE_RID + LOW_RANGE_ID

Or using your figures:

67022 = RID - 0 + 60000

The RID must be:

RID = 67022 - 60000
RID = 7022

> I don't understand why I have a fpt group, there is no fpt group in
> the domain.

Are you running an ftp server on the computer?

> When I activated the log acl:10 in smb.conf I saw this line:
>
> canon_ace index 2. Type = allow SID
> S-1-5-21-175208659-1627204559-885930912-7022 gid 67022 SMB_ACL_GROUP
> ace_flags = 0x0 perms r-x
>
> canon_ace index 5. Type = allow SID
> S-1-5-21-175208659-1627204559-885930912-7022 uid 67022 SMB_ACL_USER
> ace_flags = 0x3 perms r-x

Oh look, there is RID '7022', for some reason, something that looks like a printer appears to be a user and group at the same time.

> It seems Samba didn't differentiate between users and groups when it
> set the ACL rights on the directory.

It can, when everything is set up correctly. Can you post the AD object for the '7022' RID

Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
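A worked version of the RID-backend arithmetic Rowland describes above, as an added example that is not code from this thread or from Samba itself. It implements the ID = RID - BASE_RID + LOW_RANGE_ID mapping in both directions and then scans getfacl output for numeric user: or group: qualifiers that map back to an AD object of the other type, which is exactly the signature of the user:67022 entry in the post: the rid backend produces the same number for a SID whether it belongs to a user or a group, so the number alone cannot tell you the type and the directory has to be consulted. Assumptions: the upper end of the idmap range (the thread only shows the lower end, 60000), base_rid = 0 (Samba's default), and the small AD_OBJECTS table, which is built from the two LDAP dumps in this thread; the getfacl text is copied from the post.

```python
import re

# Values taken from the thread; the range upper bound is an assumption,
# since the posts only show that the rid range starts at 60000.
DOMAIN_SID = "S-1-5-21-175208659-1627204559-885930912"
LOW_RANGE_ID = 60000
HIGH_RANGE_ID = 99999   # assumed upper end of 'idmap config COGESYS : range'
BASE_RID = 0            # Samba default for 'base_rid'

# RID -> (sAMAccountName, objectClass) for the two objects dumped in the thread.
AD_OBJECTS = {
    7022: ("FREDGROUP", "group"),
    7838: ("fpt", "user"),
}

# getfacl output copied from the post (constructed sample input).
GETFACL_OUTPUT = """\
# file: /home/fred/TEST/
# owner: fpt
# group: root
# flags: -s-
user::rwx
user:67022:r-x
group::rwx
group:root:rwx
group:FREDGROUP:r-x
group:fpt:rwx
mask::rwx
other::---
default:user::rwx
default:user:67022:r-x
default:user:fpt:rwx
default:group::rwx
default:group:root:rwx
default:group:FREDGROUP:r-x
default:mask::rwx
default:other::---
"""


def rid_to_id(rid, low=LOW_RANGE_ID, high=HIGH_RANGE_ID, base_rid=BASE_RID):
    """idmap_rid forward mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range, in
    which case winbind would not hand out a Unix ID for that SID at all."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def id_to_rid(unix_id, low=LOW_RANGE_ID, high=HIGH_RANGE_ID, base_rid=BASE_RID):
    """Inverse mapping: RID = ID - LOW_RANGE_ID + BASE_RID (only inside the range)."""
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


def sid_to_id(sid, domain_sid=DOMAIN_SID, **range_kw):
    """Map a full SID to a Unix ID; SIDs from other domains get None."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid or not rid.isdigit():
        return None
    return rid_to_id(int(rid), **range_kw)


def id_to_sid(unix_id, domain_sid=DOMAIN_SID, **range_kw):
    rid = id_to_rid(unix_id, **range_kw)
    return None if rid is None else f"{domain_sid}-{rid}"


# One getfacl entry: optional 'default:' prefix, tag, qualifier, perms.
ACL_LINE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def parse_getfacl(text):
    """Yield (line, is_default, tag, qualifier, perms) for each ACL entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        default, tag, qualifier, perms = m.groups()
        yield line, bool(default), tag, qualifier, perms


def find_type_mismatches(getfacl_text, ad_objects, domain_sid=DOMAIN_SID):
    """Return entries whose numeric qualifier (an ID getfacl could not resolve
    to a name) maps, via the rid formula, to an AD object whose class does
    not match the entry tag: a group SID sitting in a user: entry or vice versa."""
    findings = []
    for line, _default, tag, qualifier, _perms in parse_getfacl(getfacl_text):
        if tag not in ("user", "group") or not qualifier.isdigit():
            continue
        rid = id_to_rid(int(qualifier))
        if rid is None or rid not in ad_objects:
            continue
        name, obj_class = ad_objects[rid]
        if obj_class != tag:
            findings.append((line, f"{domain_sid}-{rid}", name, obj_class))
    return findings


if __name__ == "__main__":
    for line, sid, name, obj_class in find_type_mismatches(GETFACL_OUTPUT, AD_OBJECTS):
        print(f"{line:28s} -> {sid} is {obj_class} {name!r}, not a {line.split(':')[-3]}")
```

Run stand-alone it reports both user:67022 entries as the FREDGROUP group SID; any numeric qualifier that does not fall inside the idmap range, or whose RID is not in the lookup table, is left alone rather than guessed at.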
On Wed, 14 Jun 2017 10:41:10 +0200 Frédéric POUGNAULT <f.pougnault at galitt.com> wrote:

> Hello,
>
> Yes, I made a mistake, it's not v4.6.6 but 4.6.5.
>
> For "unix password sync = yes", it is an old parameter; ten years ago
> an sftp server was installed with the samba server.
>
> Currently there is no ftp server.
>
> Here is the AD object with RID 7022
>
> objectClass: top
> objectClass: group
> cn: FREDGROUP
> member: CN=fpt,CN=Users,DC=cogesys,DC=com
> distinguishedName: CN=FREDGROUP,CN=Users,DC=cogesys,DC=com
> instanceType: 4
> whenCreated: 12/06/2007 09:46:04
> whenChanged: 06/14/2017 07:21:18
> uSNCreated: 20677766
> memberOf: CN=Basic_Authentification,CN=Users,DC=cogesys,DC=com
> uSNChanged: 44188593
> name: FREDGROUP
> objectGUID: {472F71F0-759B-46FD-BA08-053A9246080D}
> objectSid: S-1-5-21-175208659-1627204559-885930912-7022
> sAMAccountName: FREDGROUP
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=cogesys,DC=com
> dSCorePropagationData: 11/30/2016 14:11:42
> dSCorePropagationData: 01/01/1601 00:00:01
> ADsPath: LDAP://godc6.cogesys.com/CN=FREDGROUP,CN=Users,DC=cogesys,DC=com

That definitely shows that '7022' is a group called 'FREDGROUP'

Can you post the AD object for the DN 'CN=fpt,CN=Users,DC=cogesys,DC=com'

Can you also check if 'ftp' is in /etc/passwd or /etc/group

What OS are you using?

Rowland
The user ftp is present in /etc/passwd.

I use CentOS 6 x86_64.

Here is 'CN=fpt,CN=Users,DC=cogesys,DC=com':

cn: fpt
sn: POUGNAULT
givenName: Frédéric
distinguishedName: CN=fpt,CN=Users,DC=cogesys,DC=com
instanceType: 4
whenCreated: 10/26/2011 13:32:54
whenChanged: 10/26/2011 13:33:03
displayName: Frédéric POUGNAULT
uSNCreated: 25902109
memberOf: CN=G_Administration,CN=Users,DC=cogesys,DC=com
memberOf: CN=G_Infrastructure,CN=Users,DC=cogesys,DC=com
memberOf: CN=G_GALITT,CN=Users,DC=cogesys,DC=com
memberOf: CN=Utilisa. du domaine,CN=Users,DC=cogesys,DC=com
uSNChanged: 25902130
name: fpt
objectGUID: {40F8DBB9-5FEA-49BD-8EDF-E95A468E6076}
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131418968459982852
lastLogoff: 0
lastLogon: 131418287663438944
scriptPath: logon
logonHours: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
pwdLastSet: 129641095752722145
primaryGroupID: 7057
objectSid: S-1-5-21-175208659-1627204559-885930912-7838
accountExpires: 0
logonCount: 5128
sAMAccountName: fpt
sAMAccountType: 805306368
userPrincipalName: fpt at cogesys.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cogesys,DC=com
dSCorePropagationData: 11/30/2016 14:11:42
dSCorePropagationData: 01/01/1601 00:00:01
ADsPath: LDAP://godc6.cogesys.com/CN=fpt,CN=Users,DC=cogesys,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

> That definitely shows that '7022' is a group called 'FREDGROUP'
>
> Can you post the AD object for the DN 'CN=fpt,CN=Users,DC=cogesys,DC=com'
>
> Can you also check if 'ftp' is in /etc/passwd or /etc/group
>
> What OS are you using?
>
> Rowland
On Wed, 14 Jun 2017 12:06:20 +0200 Frédéric POUGNAULT <f.pougnault at galitt.com> wrote:

> The user ftp is present in /etc/passwd.
>
> I use CentOS 6 x86_64.
>
> Here is 'CN=fpt,CN=Users,DC=cogesys,DC=com'

This could very well be your problem, you cannot have a user or group in /etc/passwd and/or /etc/group and in AD. I would suggest you remove all mention of 'ftp' from /etc/passwd & /etc/group if you are not using FTP any more.

Rowland
I found my problem. When I modify the option inherit acl = no, I create a folder and the ACLs are:

# file: Nouveau dossier/
# owner: fpt
# group: root
# flags: -s-
user::rwx
group::rwx
group:FREDGROUP:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:FREDGROUP:r-x
default:mask::rwx
default:other::---

The ACL entry user:67022:r-x has disappeared.

Thank you for your help

> > My user is fpt and the user in /etc/passwd is ftp, it's not the same
> > name
>
> OOPS, guess I need to go to Specsavers (English advert for an optician) ;-)
>
> Could you try running 'net cache flush' on the Unix domain member, then reset the ACLs from Windows, now check the ACLs on the share with getfacl again.
>
> Rowland