On 10/12/2022 18:38, Luis Peromarta via samba wrote:
> Contingency server (4.17.3):
>
> root@servercont:/home2# ls -lad /home2/shares
> drwxrwx---+ 23 luis domain admins 4096 Nov 17 14:17 /home2/shares
>
> root@servercont:/home2# getfacl /home2/shares
> getfacl: Removing leading '/' from absolute path names
> # file: home2/shares
> # owner: luis
> # group: domain\040admins
> user::rwx
> user:luis:rwx
> group::rwx
> group:domain\040users:r-x
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:luis:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> root@servercont:/home2# samba-tool ntacl get /home2/shares --as-sddl
> O:S-1-5-21-2152908145-95474353-1514027631-1110G:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;CI;0x001200a9;;;DU)
> root@servercont:/home2#

From Windows, members of Domain Admins get full control and Domain
Users get read and execute. The user 'luis' is probably just a member of
Domain Users and so cannot write to the share.

>
> Main server (4.9.5):
>
> server:/home2# ls -lad /home2/shares
> drwxrwx---+ 23 luis domain admins 4096 Nov 17 14:17 /home2/shares
> server:/home2# getfacl /home2/shares
> getfacl: Removing leading '/' from absolute path names
> # file: home2/shares
> # owner: luis
> # group: domain\040admins
> user::rwx
> user:luis:rwx
> group::rwx
> group:domain\040users:r-x
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:luis:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> server:/home2# samba-tool ntacl get /home2/shares --as-sddl
> ERROR: Unable to read domain SID from configuration files
> server:/home2#

Hmm, why doesn't that work?
You are running it as root?

I have been taking another look at the smb.conf you posted and noticed a
couple of things:

You have,

    vfs objects = fruit streams_xattr

and then a bit further down,

    vfs objects = acl_xattr

The latter takes precedence over the first, or to put it another way,
the first one will be ignored.

You have also commented out the 'username map' line, why?

Rowland
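
Added example (not part of the original message and not Samba's own code): a small Python decoder for the SDDL string quoted above, showing which trustee each ACE names, what its access mask grants, and that the owner SID has no ACE of its own. The function and table names are hypothetical, and it assumes hex access masks as samba-tool printed them.

```python
import re

# Access-mask bits for file objects (Windows file access rights).
BITS = {0x1: "READ_DATA", 0x2: "WRITE_DATA", 0x4: "APPEND_DATA", 0x8: "READ_EA",
        0x10: "WRITE_EA", 0x20: "EXECUTE", 0x40: "DELETE_CHILD",
        0x80: "READ_ATTRIBUTES", 0x100: "WRITE_ATTRIBUTES", 0x10000: "DELETE",
        0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
        0x100000: "SYNCHRONIZE"}
NAMED = {0x001F01FF: "Full control", 0x001200A9: "Read & execute"}
TRUSTEES = {"DA": "Domain Admins", "DU": "Domain Users"}  # SDDL aliases
SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")

def decode_dacl(sddl):
    """Return owner, group, DACL flags and one dict per ACE."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inh_obj, trustee = fields
        mask = int(rights, 16)  # assumption: rights are hex, not FA/FR aliases
        aces.append({
            "type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
            "inherit": re.findall("..", flags),  # two-letter codes, e.g. OI, CI
            "trustee": TRUSTEES.get(trustee, trustee),
            "mask": mask,
            "summary": NAMED.get(mask, "custom"),
            "rights": [name for bit, name in BITS.items() if mask & bit],
            "can_write": bool(mask & (0x2 | 0x4)),  # WRITE_DATA or APPEND_DATA
        })
    return {"owner": m["owner"], "group": TRUSTEES.get(m["group"], m["group"]),
            "flags": m["flags"], "aces": aces}

# The SDDL string quoted in the message above (contingency server).
PAGE_SDDL = ("O:S-1-5-21-2152908145-95474353-1514027631-1110G:DAD:PAI"
             "(A;OICI;0x001f01ff;;;DA)(A;CI;0x001200a9;;;DU)")

if __name__ == "__main__":
    acl = decode_dacl(PAGE_SDDL)
    print("owner", acl["owner"], "| group", acl["group"], "| flags", acl["flags"])
    for ace in acl["aces"]:
        print(f'{ace["type"]:5} {ace["trustee"]:14} {ace["summary"]:15}'
              f' write={ace["can_write"]} inherit={ace["inherit"]}')
```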