Thanks Rowland, Luis. We will look at your suggestions.
One more question on read list and write list.
For a particular share, if a group, say group1, is added in write list and one
of the users, say user1, in group1 is added in the read list then we are seeing
that write list takes precedence. In other words, user1 can write even though he
is in read list. It seems like this is an expected behaviour. Please confirm.
Thanks & Regards,
Srikanth NS
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Date: Monday, 15 September 2025 at 10:38 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Regarding User/Group ACLs
On Mon, 15 Sep 2025 17:33:02 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:
> Hi.
>
> I think you need to do a lot of reading before. Shares in a member
> server in an AD are not configured this way.
Which is why I pointed at the correct documentation, but this appears
to be a member of a cluster and if it isn't, then the 'clustering' line
should be removed.
>
> Also your RID ranges seem a bit too high, I don't think you need to
> specify the REALM there, I'd start from new with this config.
High ? I would go as far as extremely high, you only really need approx
200 IDs for the default domain and 2,000,000,000 users for the
'GATEWAY' domain, well that is more than some small countries ;-)
I would also suggest adding 'vfs objects = acl_xattr' and 'map acl
inherit = Yes' to the smb.conf and then following the Samba wiki.
Rowland
>
> See this :
>
>
> http://samba.bigbird.es/doku.php?id=samba:file-server
>
>
> And this:
>
>
> http://samba.bigbird.es/doku.php?id=samba:configuring-shares
>
> On 15 Sep 2025 at 17:22 +0100, ., Srikanth N S via samba
> <samba at lists.samba.org>, wrote:
> > Hi Rowland,
> >
> > Please find below smb.conf. User "Jess.Lacey" is in read list but
> > the group "@Human Resources" that this user belongs to is present
> > in write list. We are seeing that user "Jess.Lacey" can write even
> > though it is mentioned in read list.
> >
> > [global]
> > netbios name = KJLMO4
> > workgroup = GATEWAY
> > security = ads
> > clustering = yes
> > kerberos method = system keytab
> > realm = GATEWAY.COM
> > idmap config * : range = 10000-199999
> > idmap config * : backend = tdb
> > winbind use default domain = yes
> > winbind refresh tickets = yes
> > winbind cache time = 1
> > smb3 share cap:continuous availability = yes
> > smbd profiling level = on
> > idmap config GATEWAY : range = 200000-2000200000
> > idmap config GATEWAY : backend = rid
> >
> > [AI-Org]
> > path = /run/lustre_client/mountpoint/Perplexity-AI
> > read only = no
> > read list = "Jess.Lacey"
> > write list = "ashok.v","@Human Resources"
> >
> > Thanks & Regards,
> > Srikanth NS
> >
> > From: samba <samba-bounces at lists.samba.org> on behalf of Rowland
> > Penny via samba <samba at lists.samba.org>
> > Date: Monday, 15 September 2025 at 7:38 PM
> > To: samba at lists.samba.org <samba at lists.samba.org>
> > Cc: Rowland Penny <rpenny at samba.org>
> > Subject: Re: [Samba] Regarding User/Group ACLs
> >
> > On Mon, 15 Sep 2025 13:59:39 +0000
> > "., Srikanth N S via samba" <samba at lists.samba.org> wrote:
> >
> > > Thanks Rowland I was able to check the URL and read through the
> > > URL. But I am sorry I could not figure out what wrong we are
> > > doing. Could you please help.
> > >
> >
> > Okay, please post the output of either 'samba-tool testparm
> > --suppress-prompt' if it is a Samba AD DC or 'testparm -s' if it is
> > a Unix domain member (aka fileserver).
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:
> >
> > https://lists.samba.org/mailman/options/samba
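
The precedence asked about in the newest message, modelled in Python as an added example (not part of the thread and not Samba's own code). It follows the smb.conf(5) rule that a user who matches both 'read list' and 'write list' is given write access. The GROUPS membership table is constructed, and the list parsing is simplified to comma-separated names with only the '@group' prefix.

```python
import configparser

# Share stanza copied from the smb.conf posted in the thread.
SMB_CONF = """
[AI-Org]
path = /run/lustre_client/mountpoint/Perplexity-AI
read only = no
read list = "Jess.Lacey"
write list = "ashok.v","@Human Resources"
"""

# Constructed group membership; on a real member server winbind supplies this.
GROUPS = {"Human Resources": {"Jess.Lacey"}}


def parse_list(value):
    """Split a comma-separated smb.conf name list and drop the quotes."""
    return [n.strip().strip('"') for n in value.split(",") if n.strip()]


def matches(user, names, groups):
    """True if the user is named directly or through an '@group' entry."""
    user = user.lower()
    for name in names:
        if name.startswith("@"):
            if user in {m.lower() for m in groups.get(name[1:], ())}:
                return True
        elif name.lower() == user:
            return True
    return False


def share_access(conf_text, share, user, groups):
    """Return ('rw' or 'ro', True if a read list match was overridden)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[share]
    read_only = sec.getboolean("read only", fallback=True)
    in_read = matches(user, parse_list(sec.get("read list", "")), groups)
    in_write = matches(user, parse_list(sec.get("write list", "")), groups)
    if in_read:
        read_only = True
    if in_write:  # evaluated last, so a write list match wins
        read_only = False
    return ("ro" if read_only else "rw"), (in_read and in_write)


if __name__ == "__main__":
    for name in ("Jess.Lacey", "ashok.v"):
        print(name, share_access(SMB_CONF, "AI-Org", name, GROUPS))
```

The second element of the result flags accounts whose 'read list' entry has no effect because a 'write list' entry (here a group) also matches them.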