
[Samba] Problems getting POSIX ACL working on upgraded samba file server Ubuntu 16.04 LTS to 18.04 LTS

Running a Samba 4 AD DC on Ubuntu 18.04, and fileservers on 18.04.  Our access control needs are rather simple and worked well under the Samba 3 series with LDAP users and groups, so we plan to keep using the POSIX ACL (regular filesystem access controls).

On a fresh install file server (18.04), Samba 4 with POSIX ACLs works with no issue, but I can't get the permissions to work properly on the upgraded server (Samba 4 Ubuntu 16.04, upgraded to Samba 4 Ubuntu 18.04).
We are using winbind nss info = rfc2307 and have configured UID and GID for the accounts that will have access.  Granted, when recreating the accounts on the new Samba 4 DC (on a small network of 25 users it was easier to recreate accounts rather than migrate from Samba 3), we set the GID and UID the same as they had in the LDAP prior so that we didn't have to remap UIDs and GIDs for share files and folders.

I have a share where the user and group *should* be able to read and write to folders via shell and Windows File Explorer.  But they can't.  It seems that the owner aspects of the ACL work properly, but the group aspects don't.  They don't work via shell or Windows File Explorer.  All shares on this upgraded server exhibit the same problem.  As far as I remember, the ACLs were never tested when the server was running version 16.04.

The same configuration on a fresh Ubuntu 18 file server install works great both in shell and Windows File Explorer.
Both of these commands return the same values on both servers:
getent passwd DOMAIN\\username
getent group DOMAIN\\usernamegrp

dpkg -l |grep samba
# shows the same version on both servers
ii  python-samba
ii  samba
ii  samba-common
ii  samba-common-bin
ii  samba-dsdb-modules
ii  samba-libs:amd64
ii  samba-vfs-modules

dpkg -l |grep winbind
# shows the same version on both servers
ii  libnss-winbind:amd64
ii  libpam-winbind:amd64
ii  libwbclient0:amd64
ii  winbind

smb.conf is the same on both servers also.

Any advice?
Winbind cache?


Derek Werthmuller
Director of Technology Innovation and Services
CTG UAlbany
