Edouard Guigné
2018-Dec-10  13:47 UTC
[Samba] Extended acls with AD - problem with default/herited permissions
Hello,

I set up a share on Samba 4.7.1 as a domain member with an Active Directory controller; this share is used by all domain users.

All users from the AD domain have a primary group "Domain Users", and secondary groups to filter access on the folders of the share.
I noticed that when a user creates a sub-folder/file inside a "Top folder", the default permissions from the "Top folder" are well inherited, but the acl "Domain Users" is always added.

I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about this.
So I made a test with "acl_xattr:ignore system acls = yes" in my smb.conf; but it seems to disable extended acls on some folders...
This is not a solution.

I also tried chmod g+s on "Top folders", but the other acl "Domain Users" is still added.

I think something is bad in my smb.cfg, below is the result of testparm:

# Global parameters
[global]
        client max protocol = SMB3
        client min protocol = SMB2
        client signing = required
        disable spoolss = Yes
        domain master = No
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        log file = /var/log/samba/%m.log
        name resolve order = wins bcast host lmhosts
        preferred master = No
        printcap name = /dev/null
        realm = IPGAD.PASTEUR-CAYENNE.FR
        security = ADS
        server signing = required
        winbind nss info = rfc2307
        workgroup = IPGAD
        idmap config ipgad : unix_primary_group = yes
        idmap config ipgad : unix_nss_info = yes
        idmap config ipgad : range = 1-14999
        idmap config ipgad : schema_mode = rfc2307
        idmap config ipgad : backend = ad
        idmap config * : range = 15000-99999
        idmap config * : backend = tdb
        cups options = raw
        hosts allow = 127. 10.9.8.
        hosts deny = 10.9.9.
        map acl inherit = Yes
        store dos attributes = Yes
        use sendfile = Yes
        vfs objects = acl_xattr


[groups]
        comment = jaguar2
        path = /var/datashared
        read only = No
        valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
        vfs objects = acl_xattr streams_xattr shadow_copy2
        shadow:format = daily_%Y.%m.%d-%H.%M.%S
        shadow:localtime = yes
        shadow:sort = desc
        shadow:basedir = /var/datashared
        shadow:snapdir = /data/datashared/snapshots


[homes]
        browseable = No
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        hide files = /~*.tmp/profile/desktop.ini/~$*/
        path = /home
        read only = No
        valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"

Could you help me to understand/solve the situation?

EdG
Edouard Guigné
2018-Dec-10  16:56 UTC
[Samba] Fwd: Extended acls with AD - problem with default/herited permissions
Hello,

To add to my previous mail, the only way I found to stop the acl "Domain Users" from being added is with:

*/inherit owner = yes/*

This has the advantage of copying exactly the default acl defined on the parent folder.
But this has the disadvantage of not showing which user has created a folder/file and the ownership.

Does something like "inherit group owner = yes" exist?
chmod g+s has no effect on my configuration.

Best Regards,

EdG

-------- Forwarded message --------
Subject:     Extended acls with AD - problem with default/herited permissions
Date:     Mon, 10 Dec 2018 10:47:20 -0300
From:     Edouard Guigné <eguigne at pasteur-cayenne.fr>
To:     samba at lists.samba.org

Hello,

I set up a share on Samba 4.7.1 as a domain member with an Active Directory controller; this share is used by all domain users.

All users from the AD domain have a primary group "Domain Users", and secondary groups to filter access on the folders of the share.
I noticed that when a user creates a sub-folder/file inside a "Top folder", the default permissions from the "Top folder" are well inherited, but the acl "Domain Users" is always added.

I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about this.
So I made a test with "acl_xattr:ignore system acls = yes" in my smb.conf; but it seems to disable extended acls on some folders...
This is not a solution.

I also tried chmod g+s on "Top folders", but the other acl "Domain Users" is still added.

I think something is bad in my smb.cfg, below is the result of testparm:

# Global parameters
[global]
        client max protocol = SMB3
        client min protocol = SMB2
        client signing = required
        disable spoolss = Yes
        domain master = No
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        log file = /var/log/samba/%m.log
        name resolve order = wins bcast host lmhosts
        preferred master = No
        printcap name = /dev/null
        realm = IPGAD.PASTEUR-CAYENNE.FR
        security = ADS
        server signing = required
        winbind nss info = rfc2307
        workgroup = IPGAD
        idmap config ipgad : unix_primary_group = yes
        idmap config ipgad : unix_nss_info = yes
        idmap config ipgad : range = 1-14999
        idmap config ipgad : schema_mode = rfc2307
        idmap config ipgad : backend = ad
        idmap config * : range = 15000-99999
        idmap config * : backend = tdb
        cups options = raw
        hosts allow = 127. 10.9.8.
        hosts deny = 10.9.9.
        map acl inherit = Yes
        store dos attributes = Yes
        use sendfile = Yes
        vfs objects = acl_xattr


[groups]
        comment = jaguar2
        path = /var/datashared
        read only = No
        valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
        vfs objects = acl_xattr streams_xattr shadow_copy2
        shadow:format = daily_%Y.%m.%d-%H.%M.%S
        shadow:localtime = yes
        shadow:sort = desc
        shadow:basedir = /var/datashared
        shadow:snapdir = /data/datashared/snapshots


[homes]
        browseable = No
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        hide files = /~*.tmp/profile/desktop.ini/~$*/
        path = /home
        read only = No
        valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"

Could you help me to understand/solve the situation?

EdG
Dale
2018-Dec-10  17:58 UTC
[Samba] Fwd: Extended acls with AD - problem with default/herited permissions
Edouard,
These are the 4 available parameters containing the word "inherit".
        inherit acls (S)
        inherit owner (S)
        inherit permissions (S)
        map acl inherit (S)
Would "inherit acls" work for you?
Dale
On 12/10/18 10:56 AM, Edouard Guigné via samba wrote:
> Hello,
>
> To add to my previous mail, the only way I found to stop the acl "Domain
> Users" from being added is with:
>
> */inherit owner = yes/*
>
> This has the advantage of copying exactly the default acl defined on
> the parent folder.
> But this has the disadvantage of not showing which user has created a
> folder/file and the ownership.
>
> Does something like "inherit group owner = yes" exist?
> chmod g+s has no effect on my configuration.
>
> Best Regards,
>
> EdG
>
>
>
> -------- Forwarded message --------
> Subject:     Extended acls with AD - problem with default/herited permissions
> Date:     Mon, 10 Dec 2018 10:47:20 -0300
> From:     Edouard Guigné <eguigne at pasteur-cayenne.fr>
> To:     samba at lists.samba.org
>
>
>
> Hello,
>
> I set up a share on Samba 4.7.1 as a domain member with an Active
> Directory controller; this share is used by all domain users.
>
> All users from the AD domain have a primary group "Domain Users", and
> secondary groups to filter access on the folders of the share.
> I noticed that when a user creates a sub-folder/file inside a "Top
> folder", the default permissions from the "Top folder" are well
> inherited, but the acl "Domain Users" is always added.
>
> I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about this.
> So I made a test with "acl_xattr:ignore system acls = yes" in my
> smb.conf; but it seems to disable extended acls on some folders...
> This is not a solution.
>
> I also tried chmod g+s on "Top folders", but the other acl "Domain Users"
> is still added.
>
> I think something is bad in my smb.cfg, below is the result of testparm:
>
> # Global parameters
> [global]
>         client max protocol = SMB3
>         client min protocol = SMB2
>         client signing = required
>         disable spoolss = Yes
>         domain master = No
>         kerberos method = secrets and keytab
>         load printers = No
>         local master = No
>         log file = /var/log/samba/%m.log
>         name resolve order = wins bcast host lmhosts
>         preferred master = No
>         printcap name = /dev/null
>         realm = IPGAD.PASTEUR-CAYENNE.FR
>         security = ADS
>         server signing = required
>         winbind nss info = rfc2307
>         workgroup = IPGAD
>         idmap config ipgad : unix_primary_group = yes
>         idmap config ipgad : unix_nss_info = yes
>         idmap config ipgad : range = 1-14999
>         idmap config ipgad : schema_mode = rfc2307
>         idmap config ipgad : backend = ad
>         idmap config * : range = 15000-99999
>         idmap config * : backend = tdb
>         cups options = raw
>         hosts allow = 127. 10.9.8.
>         hosts deny = 10.9.9.
>         map acl inherit = Yes
>         store dos attributes = Yes
>         use sendfile = Yes
>         vfs objects = acl_xattr
>
>
> [groups]
>         comment = jaguar2
>         path = /var/datashared
>         read only = No
>         valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
>         vfs objects = acl_xattr streams_xattr shadow_copy2
>         shadow:format = daily_%Y.%m.%d-%H.%M.%S
>         shadow:localtime = yes
>         shadow:sort = desc
>         shadow:basedir = /var/datashared
>         shadow:snapdir = /data/datashared/snapshots
>
>
> [homes]
>         browseable = No
>         comment = Home Directories
>         create mask = 0700
>         directory mask = 0700
>         hide files = /~*.tmp/profile/desktop.ini/~$*/
>         path = /home
>         read only = No
>         valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
>
> Could you help me to understand/solve the situation?
>
> EdG
>
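The check Edouard did by hand (compare a new sub-folder's ACL with the default ACL of its "Top folder" and spot the extra "Domain Users" entry) can be scripted on the Unix side from getfacl(1) output. The shell example below is added here and is not from the thread; the two getfacl samples, the group secgroup1, the group "domain users" and the paths Top and Top/new are constructed. Unnamed "group::" entries are resolved to the owning group named in the getfacl header, so an entry that Windows shows as "Domain Users" is reported under that group name rather than hidden as an anonymous group class entry.

```shell
# Added example (not from the thread): list ACL entries of a newly created folder
# that its parent's default ACL did not grant; unnamed "group::" entries are
# resolved to the owning group from the getfacl header so they show by name.
# Constructed `getfacl Top` output (parent directory, owning group secgroup1).
PARENT_ACL='# file: Top
# group: secgroup1
user::rwx
group::rwx
mask::rwx
default:user::rwx
default:group::rwx
default:group:secgroup1:rwx
default:mask::rwx'

# Constructed `getfacl Top/new` output: a folder created by a user whose
# primary group is "domain users".
CHILD_ACL='# file: Top/new
# group: domain users
user::rwx
group::rwx
group:secgroup1:rwx
mask::rwx'

# normalize <"default:"|"">: read getfacl text on stdin, print the chosen entries
# as tag:qualifier:perms; owner, mask and other entries differ per file and are skipped.
normalize() {
  awk -v want="$1" '
    /^# group: / { group = substr($0, 10) }
    /^#/ || /^$/ { next }
    {
      line = $0
      if (want == "default:") { if (index(line, "default:") != 1) next; line = substr(line, 9) }
      else if (index(line, "default:") == 1) next
      split(line, f, ":")
      if (f[1] == "user" && f[2] == "" || f[1] == "mask" || f[1] == "other") next
      if (f[1] == "group" && f[2] == "") f[2] = group
      print f[1] ":" f[2] ":" f[3]
    }'
}

# extra_acl_entries <parent getfacl text> <child getfacl text>
# Prints each child entry absent from the parent default ACL, one per line.
extra_acl_entries() {
  parent_defaults=$(printf '%s\n' "$1" | normalize "default:")
  printf '%s\n' "$2" | normalize "" | while IFS= read -r entry; do
    printf '%s\n' "$parent_defaults" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
  done
}
extra_acl_entries "$PARENT_ACL" "$CHILD_ACL"   # prints: group:domain users:rwx
```

On a real share, feed it `getfacl Top` and `getfacl Top/new` taken after a domain user creates the folder; an entry reported here for the creator's primary group is the ACE the thread is about.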