ACL aren't applied in samba4 AD shares/subfolders/files

saitobenkei · October 25, 2016, 9:24am

NethServer Version: V7rc1
Module: Samba4 AD

Good day,

i’m playing around with my fresh installation test of Nethserver NG 7rc1 and Windows 7 professional.

I’m trying to define some ACLs to shares, files and subfolders created on Nethserver but the rules that I set disappears when I confirm the new configuration.

I have read these documents:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Setup_share_permissions_.28optional.29

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Set_ACLs_on_the_root_of_a_share

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Set_ACLs_on_subfolders_of_a_share

I logged in my windows 7 with domain administrator user and made that reported in previous links.

But when i click on “OK” to confirm the ACL they simply disappears from list and thery aren’t applied.

I attrach the configuration of a share that i have created in Nethserver NG 7rc1

Ciao

davidep · October 25, 2016, 9:28am

Could you also attach the output of

getfacl /var/lib/nethserver/ibay/share01

Do you have other shared folders too?

saitobenkei · October 25, 2016, 9:35am

This is the output of

getfacl /var/lib/nethserver/ibay/share01

[root@neth7 ~]# getfacl /var/lib/nethserver/ibay/share01
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/share01
# owner: administrator@bmc.local
# group: domain\040users@bmc.local
# flags: -s-
user::rwx
group::rwx
other::---

I have a “share02” defined with the same configuration of “share01” except “Allow write permission to owning group” and “Network Recycle Bin” that aren’t flagged.

The output of

getfacl /var/lib/nethserver/ibay/share02

[root@neth7 ~]# getfacl /var/lib/nethserver/ibay/share02
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/share02
# owner: administrator@bmc.local
# group: domain\040users@bmc.local
# flags: -s-
user::rwx
group::r-x
other::---

EDIT: share02 has same behiavour of share01 when i try to change permissions of share itself or of elements in the share

davidep · October 25, 2016, 9:47am

Administrator is the dir owner, as I expected… I must investigate this! Thank you again, @saitobenkei !

saitobenkei · October 25, 2016, 3:48pm

I have read this document trying the indicated steps:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

When i try this command
( https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#SeDiskOperatorPrivilege)

“In the following, we will grant the privilege to the group “Domain Admins”, but before doing this, make sure that the group is available to the local OS by NSS; usually via Winbindd:”

# getent group "Domain Admins"
domain admins:x:10001:

I don’t have any otuput

“If you don’t get an output showing the queried name and its ID, there may be something wrong in your NSS configuration or if you are using Winbindd with RFC2307 (idmap_ad), you might not have an ID assigned (see User and group management for how to administer Unix Attributes in an AD). If the “Domain Admins” group is available to the OS, you can grant the SeDiskOperatorPrivilege privilege to (add the “-I dc1.samdom.example.com” if you had the previous error with NT_STATUS_CANT_ACCESS_DOMAIN_INFO)_:”

Then, when i confirm a ACL in Windows, in /var/log/samba/log.IP_OF_THE_PC i have these entry logged:

[2016/10/25 17:22:10.291691,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
create_canon_ace_lists: unable to map SID S-1-5-21-3602257460-887192637-3718906551-1112 to uid or gid.

davidep · November 3, 2016, 4:31pm

I confirm. I get the same message in that log file, if I try to set an ACL from a win10 client. I couldn’t reproduce the problem with smbcacls command, though.

There are a lot of things that have changed on ns7 File server module. This is a bug, but I have no idea where to start

Samba 4
ADS mode
idmap
xfs
…

Edit: I set up the following environment

Microsoft Active Directory
vm2, ns6 server in ads mode joined to AD - samba-3.6.23-36.el6_8.x86_64
vm4, ns7 server joined to AD - samba-4.2.10-7.el7_2.x86_64
windows 10 client to set ACLs

The bug is reproducible on ns7:

# tail -F /var/log/samba/log.192.168.122.191 
[2016/11/03 18:23:56.490772,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-****-****-****-1112 to uid or gid.

So we should investigate the File server module of ns7

davidep · November 4, 2016, 8:58am

It seems the workaround is trivial thanks to Upstream

Please @saitobenkei, could you confirm it works for you?

yum install sssd-libwbclient
systemctl restart smb nmb

Reference

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html#CIFS-SSSD

BTW I was sure that dependency was already installed…

saitobenkei · November 4, 2016, 10:10am

@davidep, I made a quick try after installing sssd-libwbclient an it seems to work now.

davidep · November 4, 2016, 10:20am

Thank you, I’ve added this bug here

davidep · November 7, 2016, 8:55am

A package to test the fix is available:

yum localinstall http://packages.nethserver.org/nethserver/7.2.1511/testing/x86_64/Packages/nethserver-samba-2.0.1-1.3.g2ba75e9.ns7.noarch.rpm

alefattorini · November 8, 2016, 3:39pm

It’s already verified, @saitobenkei could you try it?

davidep · November 23, 2016, 11:38am

UPDATE: the fix to this is now an optional feature that must be enabled. For more info, please see

alefattorini · November 24, 2016, 2:25pm

Can we close it @saitobenkei ?

davidep · November 27, 2016, 8:16pm

This topic was automatically closed after 3 days. New replies are no longer allowed.