Trouble managing ACLs from Windows


Trouble managing ACLs from Windows

Samba - General mailing list
Hello list,

Following the guidance from here
(https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
I have set up a file server which is a member of a Samba 4.6.9 AD domain.

I have created ACLs using a Windows client with a domain admin account.
While I have no issues with some folders, the server denies access to
others for users who should have access by means of group membership.

I tried to simulate this using the "Effective access" tab in the
security settings per folder using the admin account where it shows that
access should be granted to the respective user. However, I noted that
sometimes the group SIDs are not properly resolved to the names.

The file server itself is using sssd instead of winbind. Administrator
is mapped to root using the mapping file, the filesystem underneath the
share is BTRFS.

Any suggestion where I could dig deeper?

The respective section from smb.conf:

[global]
        realm = SAMBA.MYDOMAIN.COM
        security = ADS
        kerberos method = secrets and keytab
        server role = member server
        server services = s3fs
        disable netbios = yes
        smb ports = 445
        idmap_ldb:use rfc2307 = yes
        browseable=yes
        username map = /etc/samba/file.map
        vfs objects = streams_xattr acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[ShareName]
        comment = Description
        path = /mnt/data/sharedir
        read only = No
        vfs objects = acl_xattr recycle snapper btrfs
        recycle:keeptree = yes
        recycle:maxsize = 536870912

Thanks a lot!

Best regards
Johannes


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: Trouble managing ACLs from Windows

On Wed, 8 Nov 2017 12:59:28 +0100
Johannes Engel via samba <[hidden email]> wrote:

> Hello list,
>
> following the guidance from here
> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
> I have set up a file server which is a member of a Samba 4.6.9 AD
> domain.
>
> I have created ACLs using a Windows client with a domain admin
> account. While I have no issues with some folders, the server denies
> access to others to users that should have access by means of group
> membership.
>
> I tried to simulate this using the "Effective access" tab in the
> security settings per folder using the admin account where it shows
> that access should be granted to the respective user. However, I
> noted that sometimes the group SIDs are not properly resolved to the
> names.
>
> The file server itself is using sssd instead of winbind. Administrator
> is mapped to root using the mapping file, the filesystem underneath
> the share is BTRFS.
>
> Any suggestion where I could dig deeper?
>
> The respective section from smb.conf:
>
> [global]
>         realm = SAMBA.MYDOMAIN.COM
>         security = ADS
>         kerberos method = secrets and keytab
>         server role = member server
>         server services = s3fs
>         disable netbios = yes
>         smb ports = 445
>         idmap_ldb:use rfc2307 = yes
>         browseable=yes
>         username map = /etc/samba/file.map
>         vfs objects = streams_xattr acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> [ShareName]
>         comment = Description
>         path = /mnt/data/sharedir
>         read only = No
>         vfs objects = acl_xattr recycle snapper btrfs
>         recycle:keeptree = yes
>         recycle:maxsize = 536870912
>
> Thanks a lot!
>
> Best regards
> Johannes
>

'server services = s3fs' & 'idmap_ldb:use rfc2307 = yes' only make
sense on a DC.

As for your problem, it very probably isn't a Samba problem, I say this
because you are using sssd for authentication and sssd has nothing to
do with Samba.
You should get better help on the sssd-users mailing list.
Failing that, purge sssd and set up winbind, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

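To show what Rowland's advice looks like in practice, here is an added example (not from the thread) of the poster's smb.conf reworked for a domain member that uses winbind, following the wiki page linked above. It assumes the domain's NetBIOS name is SAMBA and that the RID idmap ranges shown are free on this host; both are placeholders to adjust.

```ini
# Added example: AD *member* server managing share permissions with
# Windows ACLs via winbind (not sssd). ASSUMED values: workgroup SAMBA,
# idmap ranges; adjust to your environment.
[global]
        workgroup = SAMBA
        realm = SAMBA.MYDOMAIN.COM
        security = ADS
        server role = member server
        kerberos method = secrets and keytab
        disable netbios = yes
        smb ports = 445

        # Removed from the original: 'server services = s3fs' and
        # 'idmap_ldb:use rfc2307 = yes' are DC-only settings.

        # idmap for BUILTIN and other non-domain SIDs
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # idmap for the domain: deterministic SID -> UID/GID from the RID,
        # so group SIDs in the ACLs always resolve to the same ids
        idmap config SAMBA : backend = rid
        idmap config SAMBA : range = 10000-999999

        # shell and home directory for domain users resolved by winbind
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U

        # maps the domain Administrator to root; assumed file content:
        # "!root = SAMBA\Administrator"
        username map = /etc/samba/file.map

        # store Windows ACLs in xattrs, as on the share-ACL wiki page
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[ShareName]
        comment = Description
        path = /mnt/data/sharedir
        read only = No
        # A share-level 'vfs objects' REPLACES the global list, so
        # acl_xattr must be repeated here or this share loses ACL storage.
        vfs objects = acl_xattr recycle snapper btrfs
        recycle:keeptree = yes
        recycle:maxsize = 536870912
```

After adding winbind to the passwd and group lines of /etc/nsswitch.conf, confirm that domain groups resolve on the server with `getent group 'SAMBA\Domain Users'` before re-testing the Windows ACLs.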

Re: Trouble managing ACLs from Windows

Hi Rowland,
thanks a lot for your hint. After replacing sssd with winbind it seems
to work also with Windows ACLs.

Best regards
Johannes

On 08.11.2017 at 13:20, Rowland Penny wrote:

> On Wed, 8 Nov 2017 12:59:28 +0100
> Johannes Engel via samba <[hidden email]> wrote:
>
>> Hello list,
>>
>> following the guidance from here
>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
>> I have set up a file server which is a member of a Samba 4.6.9 AD
>> domain.
>>
>> I have created ACLs using a Windows client with a domain admin
>> account. While I have no issues with some folders, the server denies
>> access to others to users that should have access by means of group
>> membership.
>>
>> I tried to simulate this using the "Effective access" tab in the
>> security settings per folder using the admin account where it shows
>> that access should be granted to the respective user. However, I
>> noted that sometimes the group SIDs are not properly resolved to the
>> names.
>>
>> The file server itself is using sssd instead of winbind. Administrator
>> is mapped to root using the mapping file, the filesystem underneath
>> the share is BTRFS.
>>
>> Any suggestion where I could dig deeper?
>>
>> The respective section from smb.conf:
>>
>> [global]
>>         realm = SAMBA.MYDOMAIN.COM
>>         security = ADS
>>         kerberos method = secrets and keytab
>>         server role = member server
>>         server services = s3fs
>>         disable netbios = yes
>>         smb ports = 445
>>         idmap_ldb:use rfc2307 = yes
>>         browseable=yes
>>         username map = /etc/samba/file.map
>>         vfs objects = streams_xattr acl_xattr
>>         map acl inherit = yes
>>         store dos attributes = yes
>>
>> [ShareName]
>>         comment = Description
>>         path = /mnt/data/sharedir
>>         read only = No
>>         vfs objects = acl_xattr recycle snapper btrfs
>>         recycle:keeptree = yes
>>         recycle:maxsize = 536870912
>>
>> Thanks a lot!
>>
>> Best regards
>> Johannes
>>
> 'server services = s3fs' & 'idmap_ldb:use rfc2307 = yes' only make
> sense on a DC.
>
> As for your problem, it very probably isn't a Samba problem, I say this
> because you are using sssd for authentication and sssd has nothing to
> do with Samba.
> You should get better help on the sssd-users mailing list.
> Failing that, purge sssd and set up winbind, see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland
>

