Hi.
I think you need to do a lot of reading before. Shares in a member server in an
AD are not configured this way.
Also your RID ranges seem a bit too high, I don't think you need to specify the
REALM there, I'd start from new with this config.
See this :
http://samba.bigbird.es/doku.php?id=samba:file-server
And this:
http://samba.bigbird.es/doku.php?id=samba:configuring-shares
On 15 Sep 2025 at 17:22 +0100, ., Srikanth N S via samba <samba at lists.samba.org>, wrote:
> Hi Rowland,
>
> Please find below smb.conf. User "Jess.Lacey" is in read list but the group
> "@Human Resources" that this user belongs to is present in write list. We
> are seeing that user "Jess.Lacey" can write even though it is mentioned in read
> list.
>
> [global]
> netbios name = KJLMO4
> workgroup = GATEWAY
> security = ads
> clustering = yes
> kerberos method = system keytab
> realm = GATEWAY.COM
> idmap config * : range = 10000-199999
> idmap config * : backend = tdb
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind cache time = 1
> smb3 share cap:continuous availability = yes
> smbd profiling level = on
> idmap config GATEWAY : range = 200000-2000200000
> idmap config GATEWAY : backend = rid
>
> [AI-Org]
> path = /run/lustre_client/mountpoint/Perplexity-AI
> read only = no
> read list = "Jess.Lacey"
> write list = "ashok.v","@Human Resources"
>
> Thanks & Regards,
> Srikanth NS
>
> From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
> Date: Monday, 15 September 2025 at 7:38 PM
> To: samba at lists.samba.org <samba at lists.samba.org>
> Cc: Rowland Penny <rpenny at samba.org>
> Subject: Re: [Samba] Regarding User/Group ACLs
>
> On Mon, 15 Sep 2025 13:59:39 +0000
> "., Srikanth N S via samba" <samba at lists.samba.org> wrote:
>
> > Thanks Rowland I was able to check the URL and read through the URL.
> > But I am sorry I could not figure out what wrong we are doing. Could
> > you please help.
> >
>
> Okay, please post the output of either 'samba-tool testparm
> --suppress-prompt' if it is a Samba AD DC or 'testparm -s' if it is a
> Unix domain member (aka fileserver).
>
> Rowland