samba - Jan 2019 - Windows ACL behaviour in standalone fileservers (LDAP vs TDB)

Hi,

I'm building and managing standalone fileservers (security = user) with 
various passdb backends. I'm noticing different behaviour of Windows 
ACLs for servers with LDAP and TDB passdb backends.

In a LDAP backed server (which I started with) I can freely add 
filesystem permissions (eg for groups) to objects (files/folders) via 
the Windows (7) permissions editor.

In a TDB backed server I can only add permission to a folder for a group 
if the containing folder has (any) permissions for that group. 
Additionally I have to enter my credentials again in the permissions 
editor, which isn't needed on the LDAP backed server.

Configuration for both servers from a "result view" looks identical to
me:
- "net groupmap list" is identical
- both use "security = user" and "acl_xattr"

I'm obviously not an expert for Windows ACLs, a workmate Windows Admin 
told me that the second behaviour is what he would expect, still I'm 
confused.

Samba is 4.8.3 on CentOS 7.

thx
Matthias

I noticed I didn't ask a question ;-)

Has anybody seen this behaviour? Can this be explained?

thank you
matthias

Am 23.01.19 um 11:50 schrieb Matthias Leopold via samba:
> Hi,
> 
> I'm building and managing standalone fileservers (security = user) with
> various passdb backends. I'm noticing different behaviour of Windows 
> ACLs for servers with LDAP and TDB passdb backends.
> 
> In a LDAP backed server (which I started with) I can freely add 
> filesystem permissions (eg for groups) to objects (files/folders) via 
> the Windows (7) permissions editor.
> 
> In a TDB backed server I can only add permission to a folder for a group 
> if the containing folder has (any) permissions for that group. 
> Additionally I have to enter my credentials again in the permissions 
> editor, which isn't needed on the LDAP backed server.
> 
> Configuration for both servers from a "result view" looks
identical to me:
> - "net groupmap list" is identical
> - both use "security = user" and "acl_xattr"
> 
> I'm obviously not an expert for Windows ACLs, a workmate Windows Admin 
> told me that the second behaviour is what he would expect, still I'm 
> confused.
> 
> Samba is 4.8.3 on CentOS 7.
> 
> thx
> Matthias
>

On Mon, 28 Jan 2019 10:09:43 +0100
Matthias Leopold via samba <samba at lists.samba.org> wrote:
> I noticed I didn't ask a question ;-)
> 
I noticed that you didn't give us much to work with ;-)

Can you post the smb.conf files from the working ldap machine and the
non-working 'tdb' machine.

Rowland