On Wed, 27 Sep 2017 14:48:44 -0500
Ryan Goode via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I recently upgraded from CentOS release 7.3 to 7.4 and Samba 4.6.2 and
> noticed that when files/folders are added or manipulated from a
> Windows PC via the share, extra ACLs get applied and I cannot figure
> out why. Nothing has changed configuration-wise and I have tried all
> variations I can think of of different map settings, downgraded
> several releases of Samba (4.4.4 failed to load due to some
> dependency issues).
>
> I spun up a templated CentOS VM to test and found the same issue as my
> physical server.
>
> I'm sharing /vault and here's the permission set of the folder:
> [root@template vault]# getfacl .
> # file: .
> # owner: root
> # group: root
> user::rwx
> group::rwx
> group:user_perm_storage_admin:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:user_perm_storage_admin:rwx
> default:mask::rwx
> default:other::---
>
> If I map a share from a Windows or Linux machine back to this via
> Samba and create a folder/file, it looks like this:
>
> [root@template vault]# getfacl test/
> # file: test/
> # owner: ryan.goode
> # group: domain\040users
> user::rwx
> user:10513:rwx
This is strange, it looks like Domain Users is being treated as a user.
> user:14608:rwx
> group::rwx
> group:domain\040users:rwx
> group:ryan.goode:rwx
Why is there a group named after a user?
> group:user_perm_storage_admin:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:ryan.goode:rwx
And here is the user.
> default:user:14608:rwx
> default:group::rwx
> default:group:domain\040users:rwx
> default:group:user_perm_storage_admin:rwx
> default:mask::rwx
> default:other::---
>
> The ACLs I'm referring to as being erroneous are:
> user:10513:rwx
> user:14608:rwx
> default:user:14608:rwx
>
> These correspond to groups in AD as seen here:
>
> [root@template vault]# getent group | grep 14608
> user_perm_storage_admin:x:14608:
> [root@template vault]# getent group | grep 10513
> domain users:x:10513:
Have you tried 'getent passwd | grep 10513'?
>
> This wasn't happening when I originally set up these ACLs on my storage
> server and I'm trying to prevent this from happening further before it
> hoses my permission set.
>
> I'm at a loss for what to do next and Google has yielded no useful
> information that I can find.
>
> Any thoughts?
> - - - -
> smb.conf:
> #--authconfig--start-line--
>
> # Generated by authconfig on 2017/04/14 06:41:51
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
> workgroup = AD
> realm = AD.ALLGOODE.US
> security = ads
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = true
>
> #--authconfig--end-line--
> server string = Samba Server Version %v
>
> idmap config * : backend = tdb
> idmap config * : range = 5000 - 9999
> idmap config AD : backend = rid
> idmap config AD : range = 10000-20000
>
> #winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind cache time = 7200
> winbind nested groups = yes
>
> ea support = yes
What filesystem are you using?
If it is ext4, you shouldn't use the above line.
Can you post:
/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/nsswitch.conf
Rowland