Re: [Samba] Trouble managing ACLs from Windows
- Date: Wed, 8 Nov 2017 12:20:11 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
On Wed, 8 Nov 2017 12:59:28 +0100
Johannes Engel via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Hello list,
> following the guidance from here
> I have set up a file server which is a member of a Samba 4.6.9 AD
> I have created ACLs using a Windows client with a domain admin
> account. While I have no issues with some folders, the server denies
> access to others to users that should have access by means of group
> I tried to simulate this using the "Effective access" tab in the
> security settings per folder using the admin account where it shows
> that access should be granted to the respective user. However, I
> noted that sometimes the group SIDs are not properly resolved to the
> The file server itself is using sssd instead of winbind. Administrator
> is mapped to root using the mapping file, the filesystem underneath
> the share is BTRFS.
> Any suggestion where I could dig deeper?
> The respective section from smb.conf:
> realm = SAMBA.MYDOMAIN.COM
> security = ADS
> kerberos method = secrets and keytab
> server role = member server
> server services = s3fs
> disable netbios = yes
> smb ports = 445
> idmap_ldb:use rfc2307 = yes
> username map = /etc/samba/file.map
> vfs objects = streams_xattr acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> comment = Description
> path = /mnt/data/sharedir
> read only = No
> vfs objects = acl_xattr recycle snapper btrfs
> recycle:keeptree = yes
> recycle:maxsize = 536870912
> Thanks a lot!
> Best regards
'server services = s3fs' & 'idmap_ldb:use rfc2307 = yes' only make
sense on a DC.
As for your problem, it very probably isn't a Samba problem. I say this
because you are using sssd for authentication and sssd has nothing to
do with Samba.
You should get better help on the sssd-users mailing list.
Failing that, purge sssd and set up winbind, see here: