Greetings Rowland.

The NAS we have does not allow SSH connections, only a web interface for management and therefore I'm unable to provide the conf file.
The group "users" is actually named "artists" and it's created by me. I needed a group with a simpler name.

The version of Samba is 4.10.4.
Let me know if there's anything else I can provide and could be of help.

On Tue, Oct 13, 2020 at 11:50 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 13/10/2020 09:23, Z Z via samba wrote:
> > Hello.
> >
> > I've got a working SAMBA AD server. I'm able to join both Linux (winbind)
> > and Windows clients. I have also joined an NAS that hosts some
> > shares/folders to be used by multiple machines (Linux and Windows 10). On
> > my Linux host I'm accessing the NAS via NFS mount, while on my Windows
> > machine obviously I'm using SMB.
> > I'm using the ad ID mapping backend with uId and gId that I'm managing
> > manually.
> > I have noticed something strange, though.
> > From my Linux computer I created folder on the NAS:
> >
> > mkdir TEST
> >
> >
> > The folder has its ownership as *username:users *and mask 775 which is
> > what I want:
> >
> > drwxrwxr-x 2 myname users 6 Oct 13 10:51 TEST
> >
> >
> > Afterwards I log in to my Windows 10 computer, access the same folder and
> > create a subfolder inside of it.
> > Coming back to my Linux machine I browse and check the newly created
> > folder:
> >
> > drwxrwxr-x+ 2 myname users 10 Oct 13 10:59 winfolder
> >
> >
> > Seems like the Windows-created folder has extended attributes. Let's
> > check them with *getfacl winfolder:*
> >
> > # file: winfolder
> >> # owner: myname
> >> # group: users
>
> You say this is on a domain joined NAS, so why is 'users' not 'Domain
> Users' ?
>
> >> user::rwx
> >> user:11001119:r-x
> >> group::r-x
> >> group:users:r-x
> >> group:11001120:rwx
> >> mask::rwx
> >> other::r-x
> >> default:user::rwx
> >> default:user:myname:rwx
> >> default:group::r-x
> >> default:group:users:r-x
> >> default:mask::rwx
> >> default:other::r-x
> >
> > Here it comes the confusion. Those IDs are the ones of my user (11001119)
> > and group (11001120). But I don't understand why on the second user line
> > I'm getting the uId, while on the *default:user:* line the uId is being
> > resolved to my username?
>
> I have no idea, the share is on your NAS and you haven't supplied the
> smb.conf for that
>
> What versions of Samba are you using ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Rowland penny
2020-Oct-13 09:27 UTC
[Samba] Are those file and folder ACLs to be expected?
On 13/10/2020 10:10, Z Z wrote:
> Greetings Rowland.
>
> The NAS we have does not allow SSH connections, only a web interface
> for management and therefore I'm unable to provide the conf file.
> The group "users" is actually named "artists" and it's created by me.
> I needed a group with a simpler name.
>
> The version of Samba is 4.10.4.
> Let me know if there's anything else I can provide and could be of help.

Without being able to see the smb.conf from the NAS, I can only comment on what I can see.

You have a few parameters set in your DC smb.conf that you do not need, especially if you are not using it as a fileserver and it isn't recommended to use a DC as a fileserver.

You have a line missing from your Linux client smb.conf:

idmap config * : range = ????-????

Where '????-????' is a numerical range different from the Domain range.

You mention that you are using NFS for the Linux clients and SMB for the Windows clients, I hope that you are not sharing the NFS exports via SMB as well, this is not recommended.

Rowland

I do have those lines, I just unintentionally skipped 'em in my initial email:

idmap config * : backend = tdb
idmap config * : range = 3000-7999

I do need to access the same data from both Linux and Windows, so the NAS provides both NFS and SMB services. If I switch over to SMB on my Linux computer would that make any difference?

Thanks

On Tue, Oct 13, 2020 at 12:29 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 13/10/2020 10:10, Z Z wrote:
> > Greetings Rowland.
> >
> > The NAS we have does not allow SSH connections, only a web interface
> > for management and therefore I'm unable to provide the conf file.
> > The group "users" is actually named "artists" and it's created by me.
> > I needed a group with a simpler name.
> >
> > The version of Samba is 4.10.4.
> > Let me know if there's anything else I can provide and could be of help.
>
> Without being able to see the smb.conf from the NAS, I can only comment
> on what I can see.
>
> You have a few parameters set in your DC smb.conf that you do not need,
> especially if you are not using it as a fileserver and it isn't
> recommended to use a DC as a fileserver.
>
> You have a line missing from your Linux client smb.conf:
>
> idmap config * : range = ????-????
>
> Where '????-????' is a numerical range different from the Domain range.
>
> You mention that you are using NFS for the Linux clients and SMB for the
> Windows clients, I hope that you are not sharing the NFS exports via SMB
> as well, this is not recommended.
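
Added example, not part of the thread and not Samba's own code: a Python check that ties together the getfacl output and the idmap lines quoted above. It reports which idmap config range each numeric ACL qualifier falls into and whether any configured ranges overlap. The SAMDOM domain name and its range are assumptions, since the thread does not show the domain's idmap lines.

```python
import re
from itertools import combinations

# '*' lines are quoted in the thread; SAMDOM and its range are assumptions.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000000-19999999
"""

# Entries taken from the getfacl output quoted in the thread.
GETFACL = """
user:11001119:r-x
group:users:r-x
group:11001120:rwx
default:user:myname:rwx
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M | re.I)

def idmap_ranges(conf):
    """Map each idmap config name to its (low, high) ID range."""
    return {m[1]: (int(m[2]), int(m[3])) for m in RANGE_RE.finditer(conf)}

def overlaps(ranges):
    """Pairs of idmap configs whose ranges intersect (they must not)."""
    pairs = combinations(sorted(ranges.items()), 2)
    return [(a, b) for (a, (alo, ahi)), (b, (blo, bhi)) in pairs if alo <= bhi and blo <= ahi]

def numeric_qualifiers(acl_text):
    """IDs of ACL entries whose user/group qualifier is a raw number."""
    ids = []
    for entry in acl_text.split():
        parts = entry.split(":")
        if parts[0] == "default":
            parts = parts[1:]
        if len(parts) == 3 and parts[1].isdigit():
            ids.append(int(parts[1]))
    return ids

def owning_config(conf=SMB_CONF, acl=GETFACL):
    """For each numeric ACL ID, the idmap config whose range contains it."""
    ranges = idmap_ranges(conf)
    return {i: next((d for d, (lo, hi) in ranges.items() if lo <= i <= hi), None)
            for i in numeric_qualifiers(acl)}

print(overlaps(idmap_ranges(SMB_CONF)), owning_config())
```

An ID that maps to `None` or to `*` instead of the domain's config points to a range mismatch between the hosts sharing the data.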