Hi All, I am in the process of trying to build a Samba server to replace our aging EMC Celerra file server appliance. The goal, ultimately, is to build a file server on which we can migrate a file share from the Celerra (ACL permissions and all) over to Samba, where the file share can be exported via NFS as well as Samba, AND the permissions we see in Linux are what we see in Windows (as well as the permissions we set in one environment being valid in the other). I am *very* close, but have made a perplexing discovery: I have noticed that if I use a Windows tool (Windows Explorer, Robocopy, etc) to set the permissions, the permissions don't seem to be getting honored. If I set the same ACL permissions from the Linux command line, everything works fine. It seems that the AD user is not mapping to the UNIX user as I would expect.
For this example, I'll describe a simple test.

SETUP: Let's suppose I have a Samba server joined to our Active Directory domain, EXAMPLE01, and it's configured per the attached smb.conf. Winbind is enabled and used. The Samba box has knowledge of Linux users through NIS (I am only maintaining users, groups, and passwords in NIS; not machines, etc.). I am able to see a given user's AD group memberships as well as NIS group memberships on the Samba box when issuing the 'groups' command. I am mapping NIS users to AD users with the file /etc/samba/smbusers, and using the 'net' command to map AD groups to NIS groups. Memberships in the AD and NIS groups are synchronized, so the same user exists in both. I am attempting to use idmap backend = rid to predictably generate UID/GID mappings by winbind across machines, for failover purposes.

EXPERIMENT: we have a brand new machine configured as described above. The share we are working with is called 'osxtest'. The share begins with no ACLs:

[r...@sambatest shares]# ls -l
total 4
drwxr-xr-x 2 root root 4096 Apr 24 10:19 osxtest
[r...@sambatest shares]# getfacl osxtest/
# file: osxtest
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

As a domain administrator (admbky), I wish to create a directory called 'test' and set an ACL allowing user 'testbky' rwx access to the 'test' directory.
Here's the relevant info for 'testbky':

[r...@sambatest shares]# ypcat passwd | grep testbky
testbky:SOMESTRING:XXXX:XXXX:Test User:/home/testbky:/bin/bash
[r...@sambatest shares]# ypcat group | grep testbky
g1019:x:20077:testbky
testbky:x:XXXX:
g2015:x:20104:testbky
domainusers:*:20011:testbky
[r...@sambatest shares]# groups testbky
testbky : testbky g1019 g2015 domainusers domain users g2015 g1019 everyone
[r...@sambatest shares]# cat /etc/samba/smbusers | grep testbky
testbky = EXAMPLE01\testbky

And for admbky, I am correctly mapped to root:

[r...@sambatest shares]# cat /etc/samba/smbusers | grep admbky
root = administrator admin EXAMPLE01\admbky
admbky = EXAMPLE01\admbky

So, from Windows I create directory 'test' and set the ACL for 'testbky':

[r...@sambatest osxtest]# pwd
/shares/osxtest
[r...@sambatest osxtest]# ls -l
total 8
drwxrwxr-x+ 2 root root 4096 Apr 24 11:28 test
[r...@sambatest osxtest]# getfacl test/
# file: test
# owner: root
# group: root
user::rwx
user:testbky:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:testbky:rwx
default:group::---
default:mask::rwx
default:other::---

So, testbky *should* be able to (from Windows AND Linux) manipulate data in the directory:

[test...@sambatest test]$ whoami
testbky
[test...@sambatest test]$ pwd
/shares/osxtest/test
[test...@sambatest test]$ touch test.txt
touch: cannot touch `test.txt': Permission denied

The same thing happens in Windows.
Now, I will create the same ACL from the Linux command line:

[r...@sambatest osxtest]# whoami
root
[r...@sambatest osxtest]# pwd
/shares/osxtest
[r...@sambatest osxtest]# getfacl test/
# file: test
# owner: root
# group: root
user::rwx
user:testbky:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:testbky:rwx
default:group::---
default:mask::rwx
default:other::---
[r...@sambatest osxtest]# setfacl -m u:testbky:rwx test/
[r...@sambatest osxtest]# getfacl test/
# file: test
# owner: root
# group: root
user::rwx
user:testbky:rwx
user:testbky:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:testbky:rwx
default:group::---
default:mask::rwx
default:other::---

WEIRD! Now, I seem to have two identical ACLs for testbky. Now everything works fine:

[test...@sambatest test]$ whoami
testbky
[test...@sambatest test]$ pwd
/shares/osxtest/test
[test...@sambatest test]$ ls
[test...@sambatest test]$ touch test.txt
[test...@sambatest test]$ getfacl test.txt
# file: test.txt
# owner: testbky
# group: testbky
user::rw-
user:testbky:rwx #effective:rw-
group::---
mask::rw-
other::---

If I create a file from Windows as testbky, I see:

[test...@sambatest test]$ ls -l
total 16
-rw-rwxr--+ 1 testbky testbky 12 Apr 24 12:32 testbky-from-windows.txt
-rw-rw----+ 1 testbky testbky 12 Apr 24 12:32 test.txt
[test...@sambatest test]$ getfacl testbky-from-windows.txt
# file: testbky-from-windows.txt
# owner: testbky
# group: testbky
user::rw-
user:testbky:rwx
group::rw-
mask::rwx
other::r--

I will note that in Windows Explorer, if I view security on the files, I can see both ACLs as well. One for the UNIX user testbky and one for the EXAMPLE01 domain user test...@example.org.

So, that's the problem. Why are they being treated as different users? Is this normal/correct behavior? Have I missed some fundamental configuration that makes all this work as expected?
I *expect* that if I set an ACL from Windows it should work *at least* for the Windows user, from Windows, if not for both Windows and Linux users. I would really appreciate any insight into what I am misunderstanding, or might have missed in terms of configuration. Basically, where I am with this project is: as long as I manage ACLs from Linux, everything works great. New files inherit the UNIX permissions, and Windows users can interact with existing files where their UNIX permissions allow it. But, when I start manipulating the permissions from a Windows tool, things don't work right.

Thanks in advance,
Brandon
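An added diagnostic, not part of the original post: plain `getfacl` resolves UIDs to names through NSS, so an NIS user and a winbind-mapped user can both display as `testbky`; `getfacl -n` prints the raw UIDs, and comparing those against the NIS passwd map exposes ACL entries that belong to a UID the NIS map does not know. The sample ACL output and the UIDs 5001 and 21050 are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic: list named-user ACL entries whose numeric UID is not in
# the NIS passwd map. Two entries that both print as "user:testbky:rwx" in
# plain `getfacl` show up here as different UIDs.

# acl_uid_mismatches ACL_TEXT PASSWD_TEXT
#   ACL_TEXT:    output of `getfacl -n DIR` (numeric ids)
#   PASSWD_TEXT: output of `ypcat passwd` (or any passwd-format map)
# Prints each user:UID:perms entry (default: entries included) whose UID
# does not appear as a uid field in PASSWD_TEXT.
acl_uid_mismatches() {
    {
        printf '%s\n' "$2"
        printf '%s\n' '--ACL-BELOW--'   # separator; assumed absent from both inputs
        printf '%s\n' "$1"
    } | awk -F: '
        $0 == "--ACL-BELOW--" { in_acl = 1; next }
        !in_acl { if ($3 != "") known[$3] = 1; next }   # passwd: uid is field 3
        {
            entry = $0
            sub(/^default:/, "", entry)        # treat default:user:... like user:...
            split(entry, e, ":")
            if (e[1] == "user" && e[2] ~ /^[0-9]+$/ && !(e[2] in known)) print $0
        }'
}

# Constructed sample (hypothetical numbers): NIS testbky is UID 5001, while
# winbind with idmap backend = rid has mapped EXAMPLE01\testbky to UID 21050.
SAMPLE_ACL='# file: test
# owner: 0
# group: 0
user::rwx
user:5001:rwx
user:21050:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:21050:rwx
default:group::---
default:mask::rwx
default:other::---'

SAMPLE_PASSWD='testbky:x:5001:5001:Test User:/home/testbky:/bin/bash
admbky:x:5002:5002:Admin User:/home/admbky:/bin/bash'

# On the server itself: acl_uid_mismatches "$(getfacl -n /shares/osxtest/test)" "$(ypcat passwd)"
acl_uid_mismatches "$SAMPLE_ACL" "$SAMPLE_PASSWD"
```

The two lines it prints for the sample (`user:21050:rwx` and `default:user:21050:rwx`) are the entries that a Windows-side ACL edit would create for the winbind identity rather than the NIS one.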
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba