Re: [Samba] SMB 4.6 Member Server Improper ACLs being set
- Date: Wed, 27 Sep 2017 21:21:42 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] SMB 4.6 Member Server Improper ACLs being set
On Wed, 27 Sep 2017 14:48:44 -0500
Ryan Goode via samba <samba@xxxxxxxxxxxxxxx> wrote:
> I recently upgraded from CentOS release 7.3 to 7.4 and Samba 4.6.2 and
> noticed that when files/folders are added or manipulated from a
> Windows PC via the share, extra ACLs get applied and I cannot figure
> out why. Nothing has changed configuration-wise and I have tried all
> variations I can think of of different map settings, downgraded
> several releases of Samba (4.4.4 failed to load due to some
> dependency issues).
> I spun up a templated CentOS VM to test and found the same issue as my
> physical server.
> I'm sharing /vault and here's the permission set of the folder:
> [root@template vault]# getfacl .
> # file: .
> # owner: root
> # group: root
> If I map a share from a Windows or Linux machine back to this via
> Samba and create a folder/file, it looks like this:
> [root@template vault]# getfacl test/
> # file: test/
> # owner: ryan.goode
> # group: domain\040users
This is strange, it looks like Domain Users is being treated as a user.
Why is there a group named after a user?
And here is the user.
> The ACLs I'm referring to as being erroneous are:
> These correspond to groups in AD as seen here:
> [root@template vault]# getent group | grep 14608
> [root@template vault]# getent group | grep 10513
> domain users:x:10513:
Have you tried 'getent passwd | grep 10513'?
> This wasn't happening when I originally set up these ACLs on my storage
> server and I'm trying to prevent this from happening further before it
> hoses my permission set.
> I'm at a loss for what to do next and Google has yielded no useful
> information that I can find.
> Any thoughts?
> - - - -
> # Generated by authconfig on 2017/04/14 06:41:51
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
> workgroup = AD
> realm = AD.ALLGOODE.US
> security = ads
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = true
> server string = Samba Server Version %v
> idmap config * : backend = tdb
> idmap config * : range = 5000 - 9999
> idmap config AD : backend = rid
> idmap config AD : range = 10000-20000
> #winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind cache time = 7200
> winbind nested groups = yes
> ea support = yes
What filesystem are you using?
If it is ext4, you shouldn't use the above line.
Can you post: