Problem mapping extended acls with sssd and samba

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Problem mapping extended acls with sssd and samba

Samba - General mailing list
Hello.

I have a file server with samba and sssd. Is working perfectly.

The problem is when I define extended ACLs using windows explorer. Acls are
not applied in the file system to the groups and users of the domain.

But when I work with winbind I can apply the extended acls in the file
system.


Follow the contents of the sssd.conf and smb.conf file

[global]
WORKGROUP = DOMAINE
Realm = DOMAINA.COM
Netbios name = FILESERVER
Dedicated keytab file = /etc/krb5.keytab
Kerberos method = dedicated keytab
Security = ads
Log level = 3
Log file = /var/log/samba/log.all
Max log size = 4000
Domain master = no
Local master = no
# Enable Extended ACLs #
Map acl inherit = yes
Store dos attributes = yes
Vfs objects = acl_xattr
[rh]
Path = / mnt / samba / rh
; Valid users = [hidden email] [hidden email]
Write list = @ "[hidden email]" @ "[hidden email]" @
"[hidden email]"

[Sssd]
Domains = domaina.com
Config_file_version = 2
Services = nss, pam

[Domain / domaina.com]
Ad_domain = domaina.com
Krb5_realm = COORP.GNULINUX
Realmd_tags = manages-system joined-with-samba
Cache_credentials = True
Id_provider = ad
Krb5_store_password_if_offline = True
Default_shell = / bin / bash
Ldap_id_mapping = True
Use_fully_qualified_names = True
Fallback_homedir = / home /% u @% d
Access_provider = ad

Why does it happen ?
Can someone please help me?

--
Att,

Edson Oliveira
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Problem mapping extended acls with sssd and samba

Samba - General mailing list
On Sun, 19 Mar 2017 17:09:32 -0300
edson via samba <[hidden email]> wrote:

> Hello.
>
> I have a file server with samba and sssd. Is working perfectly.

Is it ?

>
> The problem is when I define extended ACLs using windows explorer.
> Acls are not applied in the file system to the groups and users of
> the domain.

There you go, it obviously isn't ;-)

>
> But when I work with winbind I can apply the extended acls in the file
> system.
>

Then the obvious fix for your problem is to use the Samba supported
winbind instead of, the unsupported by Samba, sssd

sssd has nothing to do with Samba, so if you want to continue using
sssd, I would suggest you contact the sssd-users mailing list.

You should also note, if you are going to set the ACLs from windows,
you should not use the 'write list' option.

Rowland
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Problem mapping extended acls with sssd and samba

Samba - General mailing list
Thanks for the answer.

But even removing the write list parameter, the problem persists.

Excuse me. But the sssd service is working perfectly, and I see no reason
to ask for help on the sssd user list.

One important information is that when I apply the ACLs using the setfacl
command the mapping is done and the permissions are applied.

But when I use windows explorer the ACLs permissions are not applied.

If anyone knows why this is happening, and be able to help me.

I thank you.

2017-03-19 17:39 GMT-03:00 Rowland Penny <[hidden email]>:

> On Sun, 19 Mar 2017 17:09:32 -0300
> edson via samba <[hidden email]> wrote:
>
> > Hello.
> >
> > I have a file server with samba and sssd. Is working perfectly.
>
> Is it ?
>
> >
> > The problem is when I define extended ACLs using windows explorer.
> > Acls are not applied in the file system to the groups and users of
> > the domain.
>
> There you go, it obviously isn't ;-)
>
> >
> > But when I work with winbind I can apply the extended acls in the file
> > system.
> >
>
> Then the obvious fix for your problem is to use the Samba supported
> winbind instead of, the unsupported by Samba, sssd
>
> sssd has nothing to do with Samba, so if you want to continue using
> sssd, I would suggest you contact the sssd-users mailing list.
>
> You should also note, if you are going to set the ACLs from windows,
> you should not use the 'write list' option.
>
> Rowland
>
>


--
Att,

Edson de Abreu Oliveira
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Problem mapping extended acls with sssd and samba

Samba - General mailing list
On Sun, 19 Mar 2017 18:03:34 -0300
edson <[hidden email]> wrote:

> Thanks for the answer.
>
> But even removing the write list parameter, the problem persists.
>
> Excuse me. But the sssd service is working perfectly, and I see no
> reason to ask for help on the sssd user list.

Are you 100% sure this has nothing to do sssd ?

>
> One important information is that when I apply the ACLs using the
> setfacl command the mapping is done and the permissions are applied.
>
> But when I use windows explorer the ACLs permissions are not applied.

This could still be down to sssd, but have you looked here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If, after following that, it still doesn't work, then try the sssd
list, this may be something they have come across before.

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Problem mapping extended acls with sssd and samba

Samba - General mailing list
First of all, thank you.

Yes. I'm sure sssd is running 100%.

The documentation of the link that passed me served as a basis to implement.

I'll follow your advice and I'll ask you on the sssd user list.

Even so, I hope someone else who went through the same score answers here.

Thank you all.

2017-03-19 18:16 GMT-03:00 Rowland Penny via samba <[hidden email]>:

> On Sun, 19 Mar 2017 18:03:34 -0300
> edson <[hidden email]> wrote:
>
> > Thanks for the answer.
> >
> > But even removing the write list parameter, the problem persists.
> >
> > Excuse me. But the sssd service is working perfectly, and I see no
> > reason to ask for help on the sssd user list.
>
> Are you 100% sure this has nothing to do sssd ?
>
> >
> > One important information is that when I apply the ACLs using the
> > setfacl command the mapping is done and the permissions are applied.
> >
> > But when I use windows explorer the ACLs permissions are not applied.
>
> This could still be down to sssd, but have you looked here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If, after following that, it still doesn't work, then try the sssd
> list, this may be something they have come across before.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



--
Att,

Edson de Abreu Oliveira
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Problem mapping extended acls with sssd and samba

Samba - General mailing list
Hello.

I was able to solve the problem. The system was using the libwbclient
library of the samba package. I just did the following:

Yum install sssd-libwbclient

Set this new library installed with default on the system:

Alternatives --set libwbclient.so.0.12-64
/usr/lib64/sssd/modules/libwbclient.so.0.12.0

And restart the smbd and sssd daemons:

Systemctl restart sssd smbd

Now I can set the permissions of ACLs extended by windows explorer and the
mapping is applied.

Thank you.

2017-03-19 18:36 GMT-03:00 edson <[hidden email]>:

> First of all, thank you.
>
> Yes. I'm sure sssd is running 100%.
>
> The documentation of the link that passed me served as a basis to
> implement.
>
> I'll follow your advice and I'll ask you on the sssd user list.
>
> Even so, I hope someone else who went through the same score answers here.
>
> Thank you all.
>
> 2017-03-19 18:16 GMT-03:00 Rowland Penny via samba <[hidden email]>
> :
>
>> On Sun, 19 Mar 2017 18:03:34 -0300
>> edson <[hidden email]> wrote:
>>
>> > Thanks for the answer.
>> >
>> > But even removing the write list parameter, the problem persists.
>> >
>> > Excuse me. But the sssd service is working perfectly, and I see no
>> > reason to ask for help on the sssd user list.
>>
>> Are you 100% sure this has nothing to do sssd ?
>>
>> >
>> > One important information is that when I apply the ACLs using the
>> > setfacl command the mapping is done and the permissions are applied.
>> >
>> > But when I use windows explorer the ACLs permissions are not applied.
>>
>> This could still be down to sssd, but have you looked here:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> If, after following that, it still doesn't work, then try the sssd
>> list, this may be something they have come across before.
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
>
> --
> Att,
>
> Edson de Abreu Oliveira
>



--
Att,

Edson de Abreu Oliveira
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Problem mapping extended acls with sssd and samba

Samba - General mailing list
On Mon, 20 Mar 2017 23:05:46 -0300
edson <[hidden email]> wrote:

> Hello.
>
> I was able to solve the problem. The system was using the libwbclient
> library of the samba package. I just did the following:
>
> Yum install sssd-libwbclient
>

So it wasn't a Samba problem and sssd wasn't working correctly even
though you were 100% sure it was ;-)

Rowland
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Problem mapping extended acls with sssd and samba

Samba - General mailing list
No. Samba and sssd were running 100%. The problem was the lack of a library
to make the communication between samba and sssd work at 100%.

Thank you.

2017-03-21 6:24 GMT-03:00 Rowland Penny via samba <[hidden email]>:

> On Mon, 20 Mar 2017 23:05:46 -0300
> edson <[hidden email]> wrote:
>
> > Hello.
> >
> > I was able to solve the problem. The system was using the libwbclient
> > library of the samba package. I just did the following:
> >
> > Yum install sssd-libwbclient
> >
>
> So it wasn't a Samba problem and sssd wasn't working correctly even
> though you were 100% sure it was ;-)
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



--
Att,

Edson de Abreu Oliveira
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Problem mapping extended acls with sssd and samba

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Tue, Mar 21, 2017 at 09:24:43AM +0000, Rowland Penny via samba wrote:

> On Mon, 20 Mar 2017 23:05:46 -0300
> edson <[hidden email]> wrote:
>
> > Hello.
> >
> > I was able to solve the problem. The system was using the libwbclient
> > library of the samba package. I just did the following:
> >
> > Yum install sssd-libwbclient
> >
>
> So it wasn't a Samba problem and sssd wasn't working correctly even
> though you were 100% sure it was ;-)

:-). +1 to Rowland here I think :-).

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba