Re: [Samba] CTDB / Samba / GFS2 - Performance - with Picture Link
On Thu, Nov 29, 2012 at 09:16:34PM +, Vogel, Sven wrote: > Hi Volker, > > you wrote that ist not so good to set locking = no, why ist hat so? SMB semantics require mandatory locking. If a lock is set, read/write on that region will fail. Applications do depend on this. With locking=no you don't do that. > i thought > > ctdb (locking)--> dlm_controld (locking) or gfs_controld (locking) > > so when i disable locking in samba i dont know how will > this presented to the cluster file system? I thought the > cluster file system will use the locks like this below. > > Ctdb(locking=no) --> gfs2 (locking) The mapping to GFS is completely controlled by "posix locking". ctdb has no business in that, it is only responsible for Samba-internal databases. Volker -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.sernet.de, mailto:kont...@sernet.de -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] User is invalid on this system
Am Thu, 29 Nov 2012 15:51:55 -0900 schrieb Kevin Elliott: > Hello all. > > We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade > from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the > ability to map Samba shares from our Windows XP SP3 and Windows 7 > clients: > > > Here's an example from my workstation (logging verbosity set at 10): > ... > auth/user_krb5.c:162(get_user_from_kerberos_info) > Username CBJ_NT+kevin_elliott is invalid on this system ... > > > However, I can successfully return login information with winbind: > > # wbinfo -i kevin_elliott > kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false > > 'getent passwd' will only return the local users from /etc/passwd. > > > Any ideas? Anyone else see this? maybe the "winbind" in /etc/nsswitch.conf got lost? is "getent -s winbind passwd $username" returning something? is winbindd running ("ps -C winbindd -f")? any log messages in /var/log/samba/log.winbindd ? - Thomas -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba4 not list ldap
Am Fri, 30 Nov 2012 01:07:37 -0200 schrieb Clodonil Trigo: > Hi, > > I have a problem. After several tests with Samba4, put into production. > With one week working began to fill the files with HD / > usr/local/samba4/var/cores/smb. I went into that directory and deleted > some files to free up space. > > More Samba4 now no longer starts the ldap. When I start giving the > error: > > [root @ new-lost sbin] #. / samba-i-M single-d 1 Samba version > 4.1.0pre1-GIT-05a5974 started. > Copyright Andrew Tridgell and the Samba Team 1992-2012 samba: using > 'single' process model Started with smbd server config file / > usr/local/samba4-migracao/private/smbd.tmp/fileserver.conf Failed to > listen on 0.0.0.0:636 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED ldapsrv > failed to bind to 0.0.0.0:636 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED > task_server_terminate: [Failed to startup ldap server task] > / usr/local/samba4-migracao/sbin/smbd: smbd version > 4.1.0pre1-GIT-05a5974 started. > / usr/local/samba4-migracao/sbin/smbd: Copyright Andrew Tridgell and the > Samba Team 1992-2012 / usr/local/samba4-migracao/sbin/smbd: standard > input is not a socket, assuming-D option > ../source4/dsdb/dns/dns_update.c: 294: Failed DNS update - > NT_STATUS_UNSUCCESSFUL > > Any idea? I would check with "netstat -nalp | grep 636" which process occupies the port 636. - Thomas -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Branches
On 11/29/2012 11:23 AM, fe...@epepm.cupet.cu wrote: Hello list: which git branch contains the latest changes of samba4 as AD DC? Regards, Felix. the master branch -- Matthieu Patou Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba4 not list ldap
Hi, I have a problem. After several tests with Samba4, put into production. With one week working began to fill the files with HD / usr/local/samba4/var/cores/smb. I went into that directory and deleted some files to free up space. More Samba4 now no longer starts the ldap. When I start giving the error: [root @ new-lost sbin] #. / samba-i-M single-d 1 Samba version 4.1.0pre1-GIT-05a5974 started. Copyright Andrew Tridgell and the Samba Team 1992-2012 samba: using 'single' process model Started with smbd server config file / usr/local/samba4-migracao/private/smbd.tmp/fileserver.conf Failed to listen on 0.0.0.0:636 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED ldapsrv failed to bind to 0.0.0.0:636 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED task_server_terminate: [Failed to startup ldap server task] / usr/local/samba4-migracao/sbin/smbd: smbd version 4.1.0pre1-GIT-05a5974 started. / usr/local/samba4-migracao/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2012 / usr/local/samba4-migracao/sbin/smbd: standard input is not a socket, assuming-D option ../source4/dsdb/dns/dns_update.c: 294: Failed DNS update - NT_STATUS_UNSUCCESSFUL Any idea? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] User is invalid on this system
Hello all. We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients: Here's an example from my workstation (logging verbosity set at 10): [2012/11/29 15:23:58.120087, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 2517) conn 0x0 [2012/11/29 15:23:58.120212, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807 [2012/11/29 15:23:58.120258, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2012/11/29 15:23:58.120353, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup [2012/11/29 15:23:58.120409, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[] [2012/11/29 15:23:58.120498, 3] smbd/sesssetup.c:660(reply_spnego_negotiate) reply_spnego_negotiate: Got secblob of size 1680 [2012/11/29 15:23:58.124198, 3] libads/authdata.c:332(decode_pac_data) Found account name from PAC: kevin_elliott [Kevin Elliott] [2012/11/29 15:23:58.124309, 3] auth/user_krb5.c:50(get_user_from_kerberos_info) Kerberos ticket principal name is [kevin_elliott@CBJ.LOCAL] [2012/11/29 15:23:58.124710, 1] auth/user_krb5.c:162(get_user_from_kerberos_info) Username CBJ_NT+kevin_elliott is invalid on this system [2012/11/29 15:23:58.124780, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE [2012/11/29 15:24:12.583839, 1] smbd/process.c:457(receive_smb_talloc) receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET. [2012/11/29 15:24:12.584072, 3] smbd/server_exit.c:181(exit_server_common) Server exit (failed to receive smb request) However, I can successfully return login information with winbind: # wbinfo -i kevin_elliott kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false 'getent passwd' will only return the local users from /etc/passwd. And the relevant section of smb.conf: [global] workgroup = CBJ_NT realm = CBJ.LOCAL netbios aliases = CITY-LIZA-L90, CITY-LIZA server string = External FTP Server interfaces = 192.0.2.87/32, lo bind interfaces only = Yes security = ADS obey pam restrictions = Yes password server = 192.0.2.25, 192.0.2.50 passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n . client NTLMv2 auth = Yes log level = 3 log file = /var/log/samba/log.%m max log size = 2500 printcap name = cups os level = 5 local master = No domain master = No wins server = 192.0.2.25 ldap ssl = no panic action = /usr/share/samba/panic-action %d winbind separator = + winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes idmap config LIBRARY:range = 65535-7 idmap config LIBRARY:base_rid = 0 idmap config LIBRARY:backend = rid idmap config * : range = 1-65533 idmap config * : base_rid = 0 idmap config * : backend = rid admin users = @CBJ_NT+admin veto files = /.*/ [ftp] comment = FTP directory path = /var/ftp/pub/ valid users = "@CBJ_NT+domain users" read only = No create mask = 0775 directory mask = 0775 hide unreadable = Yes Any ideas? Anyone else see this? --- Kevin Elliott Network Specialist City and Borough of Juneau, MIS (907) 586 - 0905 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba4 AD DNS zone corrupted
On 11/29/2012 03:26 AM, Stephen Jones wrote: > If you want to delete the TXT record my suggestion would be to use > nsupdate. This tool is part of BIND. My advice would be to avoid > samba-tool, or at least the dns part of it. When I tried to use it I > just got errors. I think it's still rather experimental. But > nsupdate works. Thanks for the hint. It raised my hopes for a few seconds, but it doesn't work, as the record I want to remove seems really really broken. As suggested, I ran this command (while being kerberos-authenticated): # nsupdate -g > update delete _kerberos.mitxp.com TXT > send This is what bind logs when issuing the command: Nov 29 23:23:36 vmsrvr1 named[1701]: samba_dlz: starting transaction on zone mydomain.local Nov 29 23:23:36 vmsrvr1 named[1701]: samba_dlz: allowing update of signer=administrator\@MYDOMAIN.LOCAL name=_kerberos.mydomain.local tcpaddr=192.168.122.1 type=TXT key=3710301881.sig-sambapdc.mydomain.local/160/0 Nov 29 23:23:36 vmsrvr1 named[1701]: client 192.168.122.1#53087: updating zone 'mydomain.local/NONE': deleting rrset at '_kerberos.mydomain.local' TXT Nov 29 23:23:36 vmsrvr1 named[1701]: samba_dlz: failed to parse dnsRecord for DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local Nov 29 23:23:36 vmsrvr1 named[1701]: samba_dlz: committed transaction on zone mydomain.local As you can see, it has problems deleting the DNS record because it cannot parse it. Extremely annoying. Even though the last log message says "committed transaction on zone", the DNS record is still there and is still causing problems with the complete zone. But I found the solution! I just wanted to write it down in case someone else has the same problem: You need to delete the record directly from the LDB-File. This is how it's done: ldbdel -H /var/lib/samba/private/dns/sam.ldb "DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local" After that, I restarted samba, just to be on the safe side. And after that, my DNS zone was OK. Thanks to everyone who helped me debugging this. PS: Just in case a samba developer is interested in the LDB record, here's the result presented by ldbsearch before I deleted it: # ldbsearch -H /var/lib/samba/private/dns/sam.ldb -b "DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local" "(objectclass=dnsNode)" --show-binary # record 1 dn: DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local objectClass: top objectClass: dnsNode instanceType: 4 whenCreated: 20121119125920.0Z whenChanged: 20121119125920.0Z uSNCreated: 4082 uSNChanged: 4082 showInAdvancedViewOnly: TRUE name: _kerberos objectGUID: 0bbee647-94ac-4a9c-8c2a-90deca29cdfe ndr_pull_error(11): Pull bytes 15 (../librpc/ndr/ndr_basic.c:420) dnsRecord: objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=local dc: _kerberos distinguishedName: DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local Note: the 15 "pull bytes" are probably MYDOMAIN.LOCAL + a terminating character. At least that was what I assume because I created the TXT record with "MYDOMAIN.LOCAL" as content. -- Best regards, -Johannes. -- Best regards, -Johannes. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] CTDB / Samba / GFS2 - Performance - with Picture Link
Hi Volker, you wrote that ist not so good to set locking = no, why ist hat so? i thought ctdb (locking)--> dlm_controld (locking) or gfs_controld (locking) so when i disable locking in samba i dont know how will this presented to the cluster file system? I thought the cluster file system will use the locks like this below. Ctdb(locking=no) --> gfs2 (locking) Sven -Ursprüngliche Nachricht- Von: Volker Lendecke [mailto:volker.lende...@sernet.de] Gesendet: Mittwoch, 28. November 2012 12:15 An: Vogel, Sven Cc: samba@lists.samba.org Betreff: Re: [Samba] CTDB / Samba / GFS2 - Performance - with Picture Link On Wed, Nov 28, 2012 at 11:11:16AM +, Vogel, Sven wrote: > Hi Volker, > > so i looked fort he brlock.tdb file and its local on each node. I > added "posix locking = no" and "locking = no". I think it will run now > better. I again a strace file to the server. What do you think? I would not run with locking=no. It will certainly be faster, but it might cause data corruption. > http://dev.kupper-computer.com/intern/smbd_no_locking.txt > > I also added > > fileid:algorithm = fsname > vfs objects = fileid > > for gfs2 whats better fsid or fileid? Dunno, I never used GFS2, sorry. RedHat ships a cluster product with GFS2 and Samba, maybe they have a recommendation. Volker -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.sernet.de, mailto:kont...@sernet.de -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Branches
Hello list: which git branch contains the latest changes of samba4 as AD DC? Regards, Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba PDC group list empty
Hello again, I do not know what On Tue, Nov 27, 2012 at 9:08 PM, Harry Jede wrote: > On 20:15:56 wrote Andrej Šimko: > > net getdomainsid > > SID for local machine HOST is: > > S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is: > > S-1-5-21-2390795950-2727105968-4008069955 > > > > I compared my smb.conf with yours. I have "ldap suffix" before > > "ldap group suffix". > > > > I switched that but result still the same. > > > > ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null > > dn: cn=admin,dc=example,dc=sk > > > > tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too ) > > > > ldapsearch -LLLY external -H ldapi:/// > > "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid > > =users)))" 2>/dev/null > > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk > > objectClass: sambaSidEntry > > objectClass: sambaGroupMapping > > sambaSID: S-1-5-32-545 > > sambaGroupType: 4 > > displayName: Users > > gidNumber: 1 > > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513 > > Sorry, that I haven't seen this in your mail at 09:07 > > This is a working group object: > > # ldapsearch -LLLY external -H ldapi:/// > "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users) > (uid=users)))" 2>/dev/null > dn: cn=users,ou=groups,dc=europa,dc=xx > objectClass: top > objectClass: posixGroup > objectClass: sambaGroupMapping > gidNumber: 545 > cn: users > description: Netbios Domain Users > sambaSID: S-1-5-32-545 > sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513 > sambaGroupType: 4 > displayName: Users > > > The main difference ist the objectclass posixGroup instead of > sambaSidEntry. > Samba Group Mapping is not a simple task. Your definition with > objectclass=sambasidentry is not totally wrong, but the intended use is > that you store your posixgroups in /etc/group or in NIS. > With an LDAP backend that is not the best approach. > > I dont understand what are you trying to say :( Do you think that if I have all necessary groups in /etc/group or in NIS, than the windows computer will find grups in domain? I still dont understand why ldap search filter generated by samba ( i have this from samba log ) cannot find anything in database: smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024] [2012/11/29 18:15:14.227560, 3] lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged: search was successful [2012/11/29 18:15:14.227647, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 0 If I remove sambaSID and try to find it in ldap, I will get all my groups. Filter = (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*)) Is this normal behavior or my ldap configuration can be incorrect? > Here the three standard definitions with objectclass=posixgroup > > ### > A primary group: posix and windows primary > members should NOT stored here > > dn: cn=teachers,ou=groups,dc=europa,dc=xx > cn: teachers > objectClass: top > objectClass: posixGroup > objectClass: sambaGroupMapping > gidNumber: 1001 > sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003 > sambaGroupType: 2 > displayName: teachers > > # getent group teachers > teachers:*:1001: > > # net rpc group members teachers > # > > > > ### > A regular group in posix, a global group in windows > members are stored in memberUid > > dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx > objectClass: top > objectClass: posixGroup > objectClass: sambaGroupMapping > gidNumber: 512 > cn: DomainAdmins > memberUid: Administrator > memberUid: root > description: Netbios Domain Administrators > sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512 > sambaGroupType: 2 > displayName: Domain Admins > > # getent group domainadmins > DomainAdmins:*:512:Administrator,root > > > # Asking for the Windows name, which is stored in "displayName" > # net rpc group members "domain admins" > EUROPA\Administrator > EUROPA\root > > # Asking for the posix name, which is stored in "cn" > # net rpc group members domainadmins > EUROPA\Administrator > EUROPA\root > > > ### > A windows/samba builtin group > no posix members > Windows members must be stored in sambaSIDList. These type of groups > will be used in Windows OS (client and/or server) > > # ldapsearch -LLLY external -H ldapi:/// > "(&(objectclass=sambaGroupMapping)(cn=administrators))" 2>/dev/null > dn: cn=Administrators,ou=groups,dc=europa,dc=xx > objectClass: top > objectClass: posixGroup > objectClass: sambaGroupMapping > gidNumber: 544 > cn: Administrators > description: Netbios Domain Members can fully administer the computer > sambaSID: S-1-5-32-544 > sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512 > sambaGroupType: 4 > displayName: Administrators > > > # getent group administrators > Administrators:*:544: > > # net rpc g
[Samba] So no conversion from group_mapping.ldb to group_mapping.tdb?
Greetings, I recently upgraded an AD member server from Samba 3.5.15 to Samba 3.6.9 and found that I had lost all the existing local group mappings. I see that the group mapping file has gone from group_mapping.ldb to group_mapping.tdb. I asked on this list as well as searching the web, Samba documentation (which still seems focused on version 3.5), and Samba Wiki and found nothing on a method to convert/migrate information stores in the group_mapping.ldb file to the new group_mapping.tdb - is that correct? Because of the way Active Directory is managed at out site I store dozens of local groups and their memberships in that file. I found NOTHING in the Samba 3.6.x release notes warning me of the change to the group_mapping file. Just wanted to confirm that there is no conversion utility that I missed and that I am on my own to migrate that information. Thank you Bob Martel -- *** Robert M. Martel I met someone who looks a lot like you System Administrator She does the things you do Levin College of Urban Affairs But she is an IBM Cleveland State University -Jeff Lynne (216) 687-2214 r.mar...@csuohio.edu *** -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Roaming Profiles not working
Hi all, I need help to set roaming profiles in my network environment. I follow the samba wiki steps from here: https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles#Implementing_Roaming_Profiles_with_Samba The user's creation is made by Gosa software, and the settings are the same in smb.conf. If i comment all the options related with profiles in smb.conf, the home folder is mapped and the profile is locally created. My samba version is 3.6.6, using ldap backend...and the clients machines are XP and 7 My testparm command, results in: [global] workgroup = VMLDAP server string = LDAP-SERVER map to guest = Bad User passdb backend = ldapsam:"ldap://127.0.0.1"; syslog = 0 log file = /var/log/samba/log.%m debug pid = Yes debug uid = Yes deadtime = 10 ... ..some ldap specs .. logon path = \\%L\profiles\%U\%a logon drive = X: domain logons = Yes os level = 64 domain master = Yes utmp = Yes idmap config * : backend = tdb admin users = root [netlogon] path = /var/lib/samba/netlogon browseable = No [profiles] comment = Network Profiles Share path = /export/home/comput/profiles read only = No create mask = 0600 directory mask = 0700 profile acls = Yes browseable = No csc policy = disable [homes] comment = Home Directories valid users = %S read only = No create mask = 0700 directory mask = 0700 browseable = No -- *Thiago Luiz Parolin* -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] getfacl returning strange active directory group name SLES11
Hi SAMBA Gurus, this question does not realy match SAMBA, but its somehow related and i was not able to find some sattisfying answer yet anywhere else. So im hopeing for some expert here who may knows this. I described my case in a SLES Forum at: https://forums.suse.com/showthread.php?2046-getfacl-returning-strange-active-directory-group-name-SLES11 Given: SLES 11 SP1 with SAMBA/Winbind joined to Active Directory "AD" using AD Role Groups in ACLs on ext3 Filesystem Im playing around with Linux Filesystem ACLs on a ext3 FS but using Active Directory (AD-)Users and AD-Groups for access controll to files and folders, thanks to winbind this is. While i have to use "setfacl" just the way its been described in the man page using properly formed "AD\adgroupname" and "AD\adusername" syntax, the "getfacl" however returns ALWAYS something strange i was not able to find something matching on the internet nor the man page nor the suse manuals. See this output : ~ hostname:/tmp # getfacl -p /data1/testing-acls/ # file: /data1/testing-acls/ # owner: root # group: root user::rwx user:someLocalLinuxUserName:rwx user:AD\134someAdUserName:rwx group::rwx group:AD\134rol-grp-access-control-rw:rwx mask::rwx other::--- default:user::rwx default:group::rwx default:group:AD\134rol-grp-access-control-rw:rwx default:mask::rwx default:other::--- hostname:/tmp # ~ As you can see, local Linux-Users and Groups (not shown here but been tested) will be shown correctly and as expected. AD Users and AD Groups however contain some strange "number" after the Domain Prefix and the before the AD-Group- or AD-Username. Anyone here KNOWS what this is and why its there? i compared this to some ancient debian 5 installation that we had laying around. NOT joined to an AD but also runs some old SAMBA as a primary domain controller. There it seems its pretty much the same. Whenever some "windows user" or "windows group" has been written to the filesystem ACL the getfacl reports that strange number in between. THANKS in advance for any competent Answer/Pointing! greets Axel -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba