
[Samba] Windows ACL behaviour in standalone fileservers (LDAP vs TDB)


I'm building and managing standalone fileservers (security = user) with various passdb backends. I'm noticing different behaviour of Windows ACLs for servers with LDAP and TDB passdb backends.

In an LDAP-backed server (which I started with) I can freely add filesystem permissions (e.g. for groups) to objects (files/folders) via the Windows (7) permissions editor.

In a TDB-backed server I can only add a permission to a folder for a group if the containing folder has (any) permissions for that group. Additionally, I have to enter my credentials again in the permissions editor, which isn't needed on the LDAP-backed server.

Configuration for both servers from a "result view" looks identical to me:
- "net groupmap list" is identical
- both use "security = user" and "acl_xattr"

I'm obviously not an expert on Windows ACLs. A workmate, a Windows admin, told me that the second behaviour is what he would expect. Still, I'm confused.

Samba is 4.8.3 on CentOS 7.

