Setup: Samba AD DC and Samba AD Member Server, Win10 clients only. Samba version 4.8.1.

Has something changed recently in the way ACLs are supposed to work? My existing shares work just fine, but any ACL changes I make using Windows are ignored in Samba.

For example, I'm creating a new folder in Windows inside an existing share and I add user User1 or group Group1 in the security tab. User1 has a unique uidNumber, and Group1 has a unique gidNumber. Usually, this would propagate to Samba and I could verify the new ACLs using getfacl. But getfacl keeps showing me the same no matter what I do, i.e. root as owner and Domain Admins as default group. User1 or Group1 are not shown anywhere but in Windows, though that doesn't seem enough: User1 is prevented from accessing the folder or its contents.

I checked if there were changes on the wiki, mainly https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, but I didn't notice anything. I also checked if there is a problem on my system using the information found on https://wiki.samba.org/index.php/File_System_Support, but ACLs work fine when I set them manually in Linux.
My smb.conf:

[global]
    netbios name = FILESERVER
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    username map = /etc/samba/samba_usermap
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-99999
    idmap config SAMDOM:unix_nss_info = yes
    winbind use default domain = yes
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    load printers = no
    printing = bsd
    printcap name = /dev/null

[myshare]
    path = /srv/samba/myshare
    comment = "My Data"
    guest ok = no
    writeable = yes
    create mask = 0666
    directory mask = 0777
    acl_xattr:ignore system acls = yes

Any help is much appreciated.

Slightly off topic: Is my assumption correct that gidNumbers and uidNumbers do not need to be distinct from each other, i.e. can a user have the same number as uidNumber that a group has as gidNumber?
On Sun, 13 May 2018 17:39:39 +0200
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> Setup: Samba AD DC and Samba AD Member Server, Win10 clients only.
> Samba version 4.8.1
>
> Has something changed recently in the way ACLs are supposed to work?

No

> My existing shares work just fine but any ACL changes I make using
> Windows are ignored in Samba.
>
> For example, I'm creating a new folder in Windows inside an existing
> share and I add user User1 or group Group1 in the security tab. User1
> has a unique uidNumber, and Group1 has a unique gidNumber. Usually,
> this would propagate to Samba and I could verify the new ACLs using
> getfacl. But getfacl keeps showing me the same no matter what I do,
> i.e. root as owner and Domain Admins as default group. User1 or
> Group1 are not shown anywhere but in Windows though that doesn't seem
> enough, User1 is prevented from accessing the folder or its contents.

Any changes in Windows should be shown by getfacl, but the directory ownership shouldn't change and the user making the alterations must have the required privileges to make the changes.

> username map = /etc/samba/samba_usermap

What is in the 'samba_usermap' ?

> [myshare]
> path = /srv/samba/myshare
> comment = "My Data"
> guest ok = no
> writeable = yes
> create mask = 0666
> directory mask = 0777
> acl_xattr:ignore system acls = yes

As you are trying to use Windows ACLs, you should follow the info on the page you linked and stop getting creative ;-)
Remove the 'guest ok' line, it is the default.
Remove the two 'mask' lines, the last line is actually telling Samba to ignore them.

> Slightly off topic: Is my assumption correct that gidNumbers and
> uidNumbers do not need to be distinct between each other, i.e. can a
> user have the same number as uidNumber that a group has as gidNumber?

Yes, whilst every user must have a unique uidNumber and every group must have a unique gidNumber, there is nothing stopping a user and a group having the same number.

Rowland
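For reference, here is the posted [myshare] stanza beside the trimmed form Rowland's advice produces. This is an added example for this page, not config from the thread or from the Samba wiki; the path and comment are the ones in Viktor's post, and the [global] lines it relies on (vfs objects = acl_xattr, map acl inherit, store dos attributes) are the ones already in his smb.conf.

```ini
; Added example (not from the thread): the share as posted, then the
; stripped-down form that the wiki page "Setting up a Share Using Windows
; ACLs" describes. Assumes the [global] section from the original post.

; --- As posted. 'guest ok = no' is the default, and the two mask lines
; are dead weight once 'acl_xattr:ignore system acls = yes' is set.
[myshare]
    path = /srv/samba/myshare
    comment = "My Data"
    guest ok = no
    writeable = yes
    create mask = 0666
    directory mask = 0777
    acl_xattr:ignore system acls = yes

; --- Trimmed. The NT ACL is stored in the security.NTACL xattr by the
; acl_xattr module loaded in [global]; the share itself only needs a path
; and write access. 'read only = no' is the same setting as 'writeable = yes'.
[myshare]
    path = /srv/samba/myshare
    comment = "My Data"
    read only = no
```

One caveat worth knowing when comparing getfacl output: the vfs_acl_xattr man page documents `acl_xattr:ignore system acls = yes` as disabling the best-effort mapping between the NT ACL and the POSIX ACL layer, so with that line in place Windows-side changes are not expected to appear in getfacl at all; `samba-tool ntacl get /srv/samba/myshare/<folder>` reads the stored NT ACL directly. Dropping the line, as the trimmed form does, restores the POSIX mapping that getfacl shows.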
Hi Rowland,

Thanks for replying again.

On 13 May 2018 at 18:12, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 13 May 2018 17:39:39 +0200
> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> [...]
>
> > username map = /etc/samba/samba_usermap
>
> What is in the 'samba_usermap' ?
>

!root = SAMDOM\Administrator SAMDOM\administrator

> > [myshare]
> > path = /srv/samba/myshare
> > comment = "My Data"
> > guest ok = no
> > writeable = yes
> > create mask = 0666
> > directory mask = 0777
> > acl_xattr:ignore system acls = yes
>
> As you are trying to use Windows ACLs, you should follow the info on
> the page you linked and stop getting creative ;-)
>

Trust me, I have no intention of getting creative. This is how I set up the share a year or two ago and haven't changed it in the meantime. It used to work. Now all of a sudden something doesn't.

> Remove the 'guest ok' line, it is the default.
> Remove the two 'mask' lines, the last line is actually telling Samba
> to ignore them.
>

Yes, I read that, but didn't hurry to remove them as they shouldn't hurt. Will do so now, though.

> > Slightly off topic: Is my assumption correct that gidNumbers and
> > uidNumbers do not need to be distinct between each other, i.e. can a
> > user have the same number as uidNumber that a group has as gidNumber?
>
> Yes, whilst every user must have a unique uidNumber and every group
> must have a unique gidNumber, there is nothing stopping a user and a
> group having the same number.
>

That's what I thought, thanks.

Not knowing what else to try, I'll just go ahead and restart everything and see if this has any impact.