Mason Schmitt
2020-Feb-12 10:36 UTC
[Samba] Incorrect group name is displayed in folder permission list in Windows
Hello,

Samba file server
- OS = CentOS 7
- Samba version = 4.9 (from CentOS repos)

Samba AD server
- OS = Ubuntu 18.04.4 LTS
- Samba version = 4.7 (from Ubuntu repos)

Windows client OS = Windows 10 Pro 1909

Problem:
Incorrect group name is displayed in folder permission list in Windows, just
as described in this Windows support article
<https://support.microsoft.com/en-us/help/2928800/incorrect-group-name-is-displayed-in-folder-permission-list-in-windows>

Steps to reproduce:
- Create a domain local group
- Add a user to the domain local group
- Apply an ACL to a folder on the samba file server using the domain local
  group as the principal
- Use RSAT to change the name of the domain local group in samba AD
- View the ACL - it still shows the old domain local group name

Is there any way to get the ACL to display the new group name?

I know I can create a new group, add users to the new group, use the new
group in an ACL, delete the old principal from the ACL, then finally delete
the old group, but that's a fair bit of work.

--
Mason Schmitt
Faster Than Light Computing Inc.
(250) 804-4365 Ext. 203
mason at ftlcomputing.com
*Relationship-Driven IT Support Services*
Rowland Penny
2020-Feb-12 10:58 UTC
[Samba] Incorrect group name is displayed in folder permission list in Windows
On 12/02/2020 10:36, Mason Schmitt via samba wrote:
> Hello,
>
> Samba file server
> - OS = CentOS 7
> - Samba version = 4.9 (from CentOS repos)
>
> Samba AD server
> - OS = Ubuntu 18.04.4 LTS
> - Samba version = 4.7 (from Ubuntu repos)
>
> Windows client OS = Windows 10 Pro 1909
>
> Problem:
> Incorrect group name is displayed in folder permission list in Windows, just
> as described in this Windows support article
> <https://support.microsoft.com/en-us/help/2928800/incorrect-group-name-is-displayed-in-folder-permission-list-in-windows>
>
> Steps to reproduce:
> - Create a domain local group
> - Add a user to the domain local group
> - Apply an ACL to a folder on the samba file server using the domain local
> group as the principal
> - Use RSAT to change the name of the domain local group in samba AD
> - View the ACL - it still shows the old domain local group name
>
>
> Is there any way to get the ACL to display the new group name?
>
> I know I can create a new group, add users to the new group, use the new
> group in an ACL, delete the old principal from the ACL, then finally delete
> the old group, but that's a fair bit of work.
>

Hi, can we start by seeing your smb.conf from the file server ?

Rowland
Mason Schmitt
2020-Feb-12 11:16 UTC
[Samba] Incorrect group name is displayed in folder permission list in Windows
>
> Hi, can we start by seeing your smb.conf from the file server ?

######################################################
#                   Global Config                    #
######################################################

[global]
kerberos method = system keytab
workgroup = NAME
security = ads
realm = NAME.EXAMPLE.COM

# Logging
log file = /var/log/samba/%m.log
log level = 3

# We're using the RID method of mapping SIDs to UID/GID
idmap config NAME : range = 2000000-2999999
idmap config NAME : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

# Winbind
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

# Map domain admin account to local root account
# and resolve other "net rpc" issues
username map = /etc/samba/user.map

bind interfaces only = yes
interfaces = lo eth0

# Enable Windows ACL support and make ACLs maximally compatible with NTFS ACLs.
# Beyond setting the POSIX ownership and permissions for the share directory, all ACLs
# should be managed in Windows. See the comment in the Shares section below for details
# about our standard share configuration (both on the Linux/POSIX side and on the Windows side)
vfs objects = acl_xattr recycle
acl_xattr:default acl style = windows
#acl_xattr:ignore system acls = yes # PURE EVIL! If you value your sanity, don't use this option
map acl inherit = yes
store dos attributes = yes

# Samba version 4.9.x enabled extended attribute support, by default.
# This should be a good thing as it enables clients to make more intelligent decisions.
# Unfortunately, customer reported that their old Windows 7 CE data collection device,
# doesn't like the new settings, so we have to revert this feature.
ea support = no

######################################################
#              Global Security Settings              #
######################################################

# Disable SMB1, it's too old and too insecure to be used anymore
server min protocol = SMB2

# Samba AD users will not have access to a shell on linux hosts
template shell = /bin/false

# Netbios is dead, let's make it explicit
disable netbios = yes

# Win10 clients, that have negotiated an encrypted connection,
# are not able to successfully re-connect to shares,
# after being idle for an extended period of time.
# Disabling encryption resolves this issue.
smb encrypt = off

# Hide shares from users that don't have permission to see them
access based share enum = yes

######################################################
#       Automatic creation of home directories       #
######################################################

# !!! Important SELINUX configuration !!!
# For automatic creation of home directories to work,
# you must set two selinux booleans with the following commands:
# setsebool -P samba_create_home_dirs 1
# setsebool -P samba_enable_home_dirs 1
#
# Check that the selinux booleans were correctly set
# getsebool -a | grep samba | grep home
#
# For samba to serve the home dirs, they must be labeled with the
# selinux type 'samba_share_t'
# During the installation of this server a policy was created for the
# /srv/samba/ directory, which ensures all sub-folders/files are labeled
# with samba_share_t. Therefore, as long as the home folders are located
# under /srv/samba/ this labelling will be taken care of.
# --- End of SELINUX configuration ---

# Home directories will be created at this path with %U being replaced by
# the username
template homedir = /srv/samba/Shares/Home/%U

# This share declaration works in conjunction with a GPO
# When a user logs in for the first time, a new home folder will
# be created for them on the file server and a mapped drive (H:) will
# be created in the Windows profile on their computer. See the samba wiki for
# details of how to create the GPO
# https://wiki.samba.org/index.php/User_Home_Folders#Using_a_Group_Policy_Preference
[Home]
path = /srv/samba/Shares/Home
comment = Share for user home dirs
guest ok = no
read only = no
# Recycle bin
recycle:repository = %U/Recycle_Bin
recycle:versions = Yes
recycle:keeptree = Yes
recycle:touch = Yes
recycle:exclude = *.tmp,~$*
recycle:exclude_dir = %U/Recycle_Bin

######################################################
#                  Standard Shares                   #
######################################################

[Shares]
path = /srv/samba/Shares
comment = Parent share sets top level Windows file permission inheritance
guest ok = no
read only = no

[Backup]
path = /srv/samba/Shares/Backup
comment = Create separate folders, with locked down permissions, for each application
guest ok = no
read only = no

[FTL]
path = /srv/samba/Shares/FTL
comment = FTL tools and documents to help with on-site service
guest ok = no
read only = no

[Software]
path = /srv/samba/Shares/Software
comment = Software for installation via GPO
guest ok = no
read only = no

[Top]
path = /srv/samba/Shares/Top
comment = Top level file share
guest ok = no
read only = no
# Recycle bin
recycle:repository = Recycle_Bin/%U
recycle:versions = Yes
recycle:keeptree = Yes
recycle:touch = Yes
recycle:exclude = *.tmp,~$*
recycle:exclude_dir = Recycle_Bin