Hello list,

following the guidance from here (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) I have set up a file server which is a member of a Samba 4.6.9 AD domain.

I have created ACLs using a Windows client with a domain admin account. While I have no issues with some folders, the server denies access to others to users that should have access by means of group membership.

I tried to simulate this using the "Effective access" tab in the security settings per folder using the admin account, where it shows that access should be granted to the respective user. However, I noted that sometimes the group SIDs are not properly resolved to the names.

The file server itself is using sssd instead of winbind. Administrator is mapped to root using the mapping file; the filesystem underneath the share is BTRFS.

Any suggestion where I could dig deeper?

The respective section from smb.conf:

    [global]
    realm = SAMBA.MYDOMAIN.COM
    security = ADS
    kerberos method = secrets and keytab
    server role = member server
    server services = s3fs
    disable netbios = yes
    smb ports = 445
    idmap_ldb:use rfc2307 = yes
    browseable=yes
    username map = /etc/samba/file.map
    vfs objects = streams_xattr acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    [ShareName]
    comment = Description
    path = /mnt/data/sharedir
    read only = No
    vfs objects = acl_xattr recycle snapper btrfs
    recycle:keeptree = yes
    recycle:maxsize = 536870912

Thanks a lot!

Best regards
Johannes
On Wed, 8 Nov 2017 12:59:28 +0100 Johannes Engel via samba <samba at lists.samba.org> wrote:

> Hello list,
>
> following the guidance from here
> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
> I have set up a file server which is a member of a Samba 4.6.9 AD
> domain.
>
> I have created ACLs using a Windows client with a domain admin
> account. While I have no issues with some folders, the server denies
> access to others to users that should have access by means of group
> membership.
>
> I tried to simulate this using the "Effective access" tab in the
> security settings per folder using the admin account, where it shows
> that access should be granted to the respective user. However, I
> noted that sometimes the group SIDs are not properly resolved to the
> names.
>
> The file server itself is using sssd instead of winbind. Administrator
> is mapped to root using the mapping file; the filesystem underneath
> the share is BTRFS.
>
> Any suggestion where I could dig deeper?
>
> The respective section from smb.conf:
>
> [global]
> realm = SAMBA.MYDOMAIN.COM
> security = ADS
> kerberos method = secrets and keytab
> server role = member server
> server services = s3fs
> disable netbios = yes
> smb ports = 445
> idmap_ldb:use rfc2307 = yes
> browseable=yes
> username map = /etc/samba/file.map
> vfs objects = streams_xattr acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> [ShareName]
> comment = Description
> path = /mnt/data/sharedir
> read only = No
> vfs objects = acl_xattr recycle snapper btrfs
> recycle:keeptree = yes
> recycle:maxsize = 536870912
>
> Thanks a lot!
>
> Best regards
> Johannes

'server services = s3fs' & 'idmap_ldb:use rfc2307 = yes' only make sense on a DC.

As for your problem, it very probably isn't a Samba problem. I say this because you are using sssd for authentication and sssd has nothing to do with Samba. You should get better help on the sssd-users mailing list.

Failing that, purge sssd and set up winbind, see here: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
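The following is an added example for this thread, not code from the Samba project or from either poster. It embeds a constructed copy of the posted [global] section next to a winbind-based rewrite of the same member server, lints both for the two DC-only parameters Rowland flagged plus a missing winbind idmap range for the domain, and keeps the live winbind checks a practitioner would run on the real host in a separate function. The workgroup name SAMDOM, the idmap ranges and the RUN_LIVE switch are assumptions; the wbinfo, net, testparm and getfattr invocations are standard Samba and attr tools. One caveat the thread itself does not state: a share-level vfs objects line replaces the global list for that share rather than extending it, so streams_xattr from [global] is not loaded on [ShareName] as posted.

```shell
#!/bin/sh
# Added example (not the Samba project's or the posters' code): lint a
# member-server smb.conf for DC-only parameters and a missing winbind idmap
# range, then optionally run live winbind checks on the real host.
# Assumptions: workgroup SAMDOM, the idmap ranges, the RUN_LIVE switch.

# Constructed copy of the posted [global] section: the two DC-only lines are
# present and there is no "idmap config" for winbind.
posted_smbconf() {
cat <<'EOF'
[global]
    realm = SAMBA.MYDOMAIN.COM
    security = ADS
    kerberos method = secrets and keytab
    server role = member server
    server services = s3fs
    disable netbios = yes
    smb ports = 445
    idmap_ldb:use rfc2307 = yes
    username map = /etc/samba/file.map
    vfs objects = streams_xattr acl_xattr
    map acl inherit = yes
    store dos attributes = yes
EOF
}

# The same server rewritten for winbind (assumed workgroup and ranges).  The
# 'rid' backend derives a stable UID/GID from each SID's RID, so every member
# using the same ranges maps a domain group to the same GID and the group
# entries in a Windows ACL resolve to something the kernel can check.
fixed_smbconf() {
cat <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMBA.MYDOMAIN.COM
    security = ADS
    server role = member server
    kerberos method = secrets and keytab
    disable netbios = yes
    smb ports = 445
    username map = /etc/samba/file.map
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    winbind use default domain = yes
    winbind refresh tickets = yes
    vfs objects = streams_xattr acl_xattr
    map acl inherit = yes
    store dos attributes = yes
EOF
}

# lint_smbconf FILE: prints one finding per line, returns 1 if any finding.
lint_smbconf() {
    f=$1; rc=0
    role=$(sed -n 's/^[[:space:]]*server role[[:space:]]*=[[:space:]]*//p' "$f" | tr 'A-Z' 'a-z')
    case "$role" in
        *controller*|dc) return 0 ;;   # DC-only parameters are fine on a DC
    esac
    for p in 'server services' 'idmap_ldb:use rfc2307'; do
        if grep -qi "^[[:space:]]*$p[[:space:]]*=" "$f"; then
            echo "DC-only parameter on a non-DC: $p"; rc=1
        fi
    done
    # The domain itself needs a range, not only the '*' default domain.
    if ! grep -qi '^[[:space:]]*idmap config [^*][^:]*:[[:space:]]*range' "$f"; then
        echo "no 'idmap config <DOMAIN> : range': winbind cannot map domain SIDs to UIDs/GIDs"; rc=1
    fi
    return $rc
}

# Live checks for the real member server; skipped when the tools are absent.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
live_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed; skipping live checks"; return 0; }
    testparm -s >/dev/null                        # unknown or misplaced parameters
    net ads testjoin                              # machine account still valid?
    wbinfo -n 'SAMDOM\Domain Users'               # name -> SID
    wbinfo --sid-to-name S-1-5-32-544             # SID -> name
    getent group 'Domain Users'                   # NSS sees the group via libnss_winbind
    getfattr -n security.NTACL /mnt/data/sharedir # acl_xattr stored an NT ACL here?
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
posted_smbconf > "$tmp/posted.conf"
fixed_smbconf  > "$tmp/fixed.conf"
echo "== posted =="; lint_smbconf "$tmp/posted.conf" || echo "(findings above)"
echo "== fixed ==";  lint_smbconf "$tmp/fixed.conf"  && echo "clean"
if [ "${RUN_LIVE:-0}" = 1 ]; then live_checks; fi
```

Run it as is to see the three findings against the posted section and a clean result for the rewrite; on the real member server run it with RUN_LIVE=1 after joining with winbind, and treat a failed name-to-SID or SID-to-name lookup as the first thing to fix, because an ACL entry for a group that winbind cannot map to a GID can never grant access.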
Hi Rowland,

thanks a lot for your hint. After replacing sssd with winbind it seems to work also with Windows ACLs.

Best regards
Johannes

On 08.11.2017 at 13:20, Rowland Penny wrote:
> On Wed, 8 Nov 2017 12:59:28 +0100
> Johannes Engel via samba <samba at lists.samba.org> wrote:
>
>> [...]
>
> 'server services = s3fs' & 'idmap_ldb:use rfc2307 = yes' only make
> sense on a DC.
>
> As for your problem, it very probably isn't a Samba problem, I say this
> because you are using sssd for authentication and sssd has nothing to
> do with Samba.
> You should get better help on the sssd-users mailing list.
> Failing that, purge sssd and set up winbind, see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland