Web lists-archives.com

Re: [Samba] using AD groups in "username map"




On Tue, 20 Feb 2018 16:47:25 +0000
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:


> 
> Hmm, bit of a catch 22 situation here, to use members of 'Domain
> Admins' to set the ACLs on a share directory, the group for the share
> directory must be 'Domain Admins', but if you tell Samba to ignore the
> system acls, then 'Domain Admins' will not have permission on the
> share.
> 
> I have never used 'acl_xattr:ignore system acls = yes' myself, so I
> don't know of a workaround, I have ideas, so I will go and test them.
> 
> Watch this space ;-)
> 
> Rowland
>  
> 

OK, fired up a Win7 VM and tried to add users to a share.
First the good news, it doesn't matter if 'acl_xattr:ignore system acls
= yes' is set or not.

Now the bad news, it didn't work on a share that didn't have
'acl_xattr:ignore system acls = yes' at first. I traced this down to a
permissions problem.

I ran: ls -lad /home/testdata

Which returned this:

drwxrwx---+ 2 root unix admins 4096 Jan 26 14:27 /home/testdata

So, on the face of it, members of 'unix admins' should be able to write
to the share. NOTE: I use Unix Admins instead of Domain Admins

Well they couldn't ;-)

I traced this to:

getfacl /home/testdata

Which produced this:

getfacl: Removing leading '/' from absolute path names
# file: home/testdata
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
user:rowland:r-x
group::---
group:root:---
group:2004:r-x
group:2005:rwx
group:unix\040admins:---
........

According to getfacl 'unix admins' has NO permissions

To fix this, I ran:

setfacl -m g:'unix admins':rwx /home/testdata

Refreshed the computer in windows 'Computer Management' and I could
then manage the share from windows.
Added 'acl_xattr:ignore system acls = yes' to the share in smb.conf,
reloaded the Samba config and it still worked.

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba