Thanks Luis and Rowland.
One more clarification, in case of standalone servers if read list and write
list are used then for a particular share, if a group, say group1, is added in
write list and one of the users, say user1, in group1 is added in the read list
then we are seeing that write list takes precedence. In other words, user1 can
write even though he is in read list. It seems like this is an expected
behaviour.
Please confirm.
Thanks & Regards,
Srikanth NS
From: samba <samba-bounces at lists.samba.org> on behalf of Luis Peromarta
via samba <samba at lists.samba.org>
Date: Tuesday, 16 September 2025 at 1:26 PM
To: Samba List <samba at lists.samba.org>
Subject: Re: [Samba] Regarding User/Group ACLs
In stand alone servers.
On 16 Sep 2025 at 08:32 +0100, ., Srikanth N S <srikanth.nagasubbaraoseetharaman at hpe.com>, wrote:
> Thanks Luis.
>
> Just for my understanding, could you please in which use cases "read lists"
> and "write lists" are used.
>
> Thanks & Regards,
> Srikanth NS
>
> From: samba <samba-bounces at lists.samba.org> on behalf of Luis Peromarta via samba <samba at lists.samba.org>
> Date: Tuesday, 16 September 2025 at 11:22 AM
> To: Samba List <samba at lists.samba.org>
> Subject: Re: [Samba] Regarding User/Group ACLs
>
> You don't use "read lists" and "write lists" in member servers in AD
> environment.
>
> Please read the links I sent.
> On 16 Sep 2025 at 04:20 +0100, ., Srikanth N S via samba <samba at lists.samba.org>, wrote:
> > Thanks Rowland, Luis. We will look at your suggestions.
> >
> > One more question on read list and write list.
> >
> > For a particular share, if a group, say group1, is added in write list
> > and one of the users, say user1, in group1 is added in the read list then
> > we are seeing that write list takes precedence. In other words, user1 can
> > write even though he is in read list. It seems like this is an expected
> > behaviour. Please confirm.
> >
> > Thanks & Regards,
> > Srikanth NS
> >
> > From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
> > Date: Monday, 15 September 2025 at 10:38 PM
> > To: samba at lists.samba.org <samba at lists.samba.org>
> > Cc: Rowland Penny <rpenny at samba.org>
> > Subject: Re: [Samba] Regarding User/Group ACLs
> >
> > On Mon, 15 Sep 2025 17:33:02 +0100
> > Luis Peromarta via samba <samba at lists.samba.org> wrote:
> >
> > > Hi.
> > >
> > > I think you need to do a lot of reading before. Shares in a member
> > > server in an AD are not configured this way.
> >
> > Which is why I pointed at the correct documentation, but this appears
> > to be a member of a cluster and if it isn't, then the 'clustering' line
> > should be removed.
> >
> > >
> > > Also your RID ranges seem a bit too high, I don't think you need to
> > > specify the REALM there, I'd start from new with this config.
> >
> > High ? I would go as far as extremely high, you only really need approx
> > 200 IDs for the default domain and 2,000,000,000 users for the
> > 'GATEWAY' domain, well that is more than some small countries ;-)
> >
> > I would also suggest adding 'vfs objects = acl_xattr' and 'map acl
> > inherit = Yes' to the smb.conf and then following the Samba wiki.
> >
> > Rowland
> >
> > >
> > > See this :
> > >
> > >
https://urldefense.com/v3/__http://samba.bigbird.es/doku.php?id=samba:file-server__;!!NpxR!lo6t2FU4rSVbx2EJHksvI0d0NI3v7m2t_c_myN5XkBGzOIroLx6R7O5jCySgfOWFcKhu9XFLf-aO79a1EGpxMA0lsl4l4vFu$
> > >
> > >
> > > And this:
> > >
> > >
https://urldefense.com/v3/__http://samba.bigbird.es/doku.php?id=samba:configuring-shares__;!!NpxR!lo6t2FU4rSVbx2EJHksvI0d0NI3v7m2t_c_myN5XkBGzOIroLx6R7O5jCySgfOWFcKhu9XFLf-aO79a1EGpxMA0lsjj18A5J$
> > >
> > > On 15 Sep 2025 at 17:22 +0100, ., Srikanth N S via samba
> > > <samba at lists.samba.org>, wrote:
> > > > > Hi Rowland,
> > > > >
> > > > > > Please find below smb.conf. User "Jess.Lacey" is in read list but
> > > > > > the group "@Human Resources" that this user belongs to is present
> > > > > > in write list. We are seeing that user "Jess.Lacey" can write even
> > > > > > though it is mentioned in read list.
> > > > >
> > > > > [global]
> > > > > netbios name = KJLMO4
> > > > > workgroup = GATEWAY
> > > > > security = ads
> > > > > clustering = yes
> > > > > kerberos method = system keytab
> > > > > realm = GATEWAY.COM
> > > > > idmap config * : range = 10000-199999
> > > > > idmap config * : backend = tdb
> > > > > winbind use default domain = yes
> > > > > winbind refresh tickets = yes
> > > > > winbind cache time = 1
> > > > > smb3 share cap:continuous availability = yes
> > > > > smbd profiling level = on
> > > > > idmap config GATEWAY : range = 200000-2000200000
> > > > > idmap config GATEWAY : backend = rid
> > > > >
> > > > > [AI-Org]
> > > > > path = /run/lustre_client/mountpoint/Perplexity-AI
> > > > > read only = no
> > > > > read list = "Jess.Lacey"
> > > > > > write list = "ashok.v","@Human Resources"
> > > > >
> > > > > Thanks & Regards,
> > > > > Srikanth NS
> > > > >
> > > > > > From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
> > > > > > Date: Monday, 15 September 2025 at 7:38 PM
> > > > > > To: samba at lists.samba.org <samba at lists.samba.org>
> > > > > > Cc: Rowland Penny <rpenny at samba.org>
> > > > > Subject: Re: [Samba] Regarding User/Group ACLs
> > > > >
> > > > > On Mon, 15 Sep 2025 13:59:39 +0000
> > > > > > "., Srikanth N S via samba" <samba at lists.samba.org> wrote:
> > > > >
> > > > > > > > Thanks Rowland I was able to check the URL and read through the
> > > > > > > > URL. But I am sorry I could not figure out what wrong we are
> > > > > > > > doing. Could you please help.
> > > > > > >
> > > > >
> > > > > > Okay, please post the output of either 'samba-tool testparm
> > > > > > --suppress-prompt' if it is a Samba AD DC or 'testparm -s' if it is
> > > > > > a Unix domain member (aka fileserver).
> > > > >
> > > > > Rowland
> > > > >
> > > > > --
> > > > > To unsubscribe from this list go to the following URL
and read the
> > > > > instructions:
> > > > >
https://urldefense.com/v3/__https://lists.samba.org/mailman/options/samba__;!!NpxR!maNHR5n4aKtmsr4vqptBaKvOkvcQD3slDDQTX-aNYcSvmOasUfoGffK_6vKlFoMsPPUqEipuhmLNi2QWJVbE6m8AJnJ4iy-o$
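
The precedence asked about at the top of this message, as an added example that is not part of the original thread or of Samba's code: the smb.conf manual documents that a user matching both `read list` and `write list` is given write access. The sketch below models that order for the `[AI-Org]` share quoted above and flags `read list` entries that are overridden through a group in `write list`. The group membership map, the extra user names and all function names are constructed for illustration; name matching is simplified to a case-insensitive string compare, and filesystem permissions are not modelled.

```python
import re

# Constructed sample mirroring the [AI-Org] share quoted in the thread.
SHARE = {
    "read only": "no",
    "read list": '"Jess.Lacey"',
    "write list": '"ashok.v","@Human Resources"',
}
# Constructed group membership; on a real host this comes from winbind/NSS.
GROUPS = {"Human Resources": {"Jess.Lacey", "maria.k"}}

def parse_list(value):
    """Split a Samba list value; double quotes protect embedded spaces."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|([^\s,;]+)', value or "")]

def in_list(user, entries, groups):
    """True if user is named directly or via an @group / +group entry."""
    for entry in entries:
        if entry[:1] in ("@", "+"):
            members = groups.get(entry[1:], set())
            if user.casefold() in {m.casefold() for m in members}:
                return True
        elif entry.casefold() == user.casefold():
            return True
    return False

def effective_access(user, share, groups):
    """Apply the documented order: read only, then read list, then write list."""
    read_only = share.get("read only", "yes").strip().lower() in ("yes", "true", "1")
    if in_list(user, parse_list(share.get("read list")), groups):
        read_only = True
    if in_list(user, parse_list(share.get("write list")), groups):
        read_only = False  # write list is evaluated last, so it wins
    return "read-only" if read_only else "read-write"

def shadowed_read_entries(share, groups):
    """Users named in read list who still end up writable via write list."""
    users = [e for e in parse_list(share.get("read list")) if e[:1] not in ("@", "+")]
    return [u for u in users if effective_access(u, share, groups) == "read-write"]

if __name__ == "__main__":
    for user in ("Jess.Lacey", "ashok.v", "maria.k", "guest.user"):
        print(user, effective_access(user, SHARE, GROUPS))
    print("read list entries overridden by write list:",
          shadowed_read_entries(SHARE, GROUPS))
```

With `read only = no`, a user in neither list is also writable at the share level, so in this configuration `read list` restricts nobody unless the group entry is removed from `write list`.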