ACLs aren't applied in samba4 AD shares/subfolders/files

NethServer Version: V7rc1
Module: Samba4 AD

Good day,

I’m playing around with my fresh test installation of Nethserver NG 7rc1 and Windows 7 Professional.

I’m trying to define some ACLs on shares, files and subfolders created on Nethserver, but the rules that I set disappear when I confirm the new configuration.

I have read these documents:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Setup_share_permissions_.28optional.29

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Set_ACLs_on_the_root_of_a_share

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Set_ACLs_on_subfolders_of_a_share

I logged in to my Windows 7 with the domain administrator user and did what is reported in the previous links.

But when I click on “OK” to confirm the ACL, they simply disappear from the list and aren’t applied.

I attach the configuration of a share that I have created in Nethserver NG 7rc1.

Ciao

1 Like

Could you also attach the output of

getfacl /var/lib/nethserver/ibay/share01

Do you have other shared folders too?

This is the output of

getfacl /var/lib/nethserver/ibay/share01

[root@neth7 ~]# getfacl /var/lib/nethserver/ibay/share01
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/share01
# owner: administrator@bmc.local
# group: domain\040users@bmc.local
# flags: -s-
user::rwx
group::rwx
other::---

I have a “share02” defined with the same configuration as “share01”, except that “Allow write permission to owning group” and “Network Recycle Bin” aren’t flagged.

The output of

getfacl /var/lib/nethserver/ibay/share02

[root@neth7 ~]# getfacl /var/lib/nethserver/ibay/share02
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/share02
# owner: administrator@bmc.local
# group: domain\040users@bmc.local
# flags: -s-
user::rwx
group::r-x
other::---

EDIT: share02 has the same behaviour as share01 when I try to change permissions of the share itself or of elements in the share.

1 Like

Administrator is the dir owner, as I expected… I must investigate this! Thank you again, @saitobenkei !

1 Like

I have read this document trying the indicated steps:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

When I try this command
( https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#SeDiskOperatorPrivilege )

“In the following, we will grant the privilege to the group “Domain Admins”, but before doing this, make sure that the group is available to the local OS by NSS; usually via Winbindd:”

# getent group "Domain Admins"
domain admins:x:10001:

I don’t have any output.

“If you don’t get an output showing the queried name and its ID, there may be something wrong in your NSS configuration or if you are using Winbindd with RFC2307 (idmap_ad), you might not have an ID assigned (see User and group management for how to administer Unix Attributes in an AD). If the “Domain Admins” group is available to the OS, you can grant the SeDiskOperatorPrivilege privilege to (add the “-I dc1.samdom.example.com” if you had the previous error with NT_STATUS_CANT_ACCESS_DOMAIN_INFO)_:”

Then, when I confirm an ACL in Windows, in /var/log/samba/log.IP_OF_THE_PC I have this entry logged:

[2016/10/25 17:22:10.291691,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
create_canon_ace_lists: unable to map SID S-1-5-21-3602257460-887192637-3718906551-1112 to uid or gid.

I confirm. I get the same message in that log file, if I try to set an ACL from a win10 client. I couldn’t reproduce the problem with smbcacls command, though.

There are a lot of things that have changed on ns7 File server module. This is a bug, but I have no idea where to start :slight_frown:

  • Samba 4
  • ADS mode
  • idmap
  • xfs

Edit: I set up the following environment

  • Microsoft Active Directory
  • vm2, ns6 server in ads mode joined to AD - samba-3.6.23-36.el6_8.x86_64
  • vm4, ns7 server joined to AD - samba-4.2.10-7.el7_2.x86_64
  • windows 10 client to set ACLs

The bug is reproducible on ns7:

# tail -F /var/log/samba/log.192.168.122.191 
[2016/11/03 18:23:56.490772,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-****-****-****-1112 to uid or gid.

So we should investigate the File server module of ns7
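The two checks done by hand in this thread (does getfacl show any named ACL entries on the share, and does the Samba per-client log contain `create_canon_ace_lists: unable to map SID ... to uid or gid` errors) can be scripted so the symptom is spotted before the first user reports it. The script below is an added example, not code from this thread, NethServer or Samba. The getfacl listings and log lines it contains are constructed to match the shape of the output quoted above; the SIDs, the `share03` share and the `someuser` account are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, NethServer or Samba): automate the two
# checks made by hand in the thread.
#   1. getfacl on the share: are there any *named* user:/group: entries, i.e.
#      did the ACL set from Windows actually reach the filesystem?
#   2. Samba per-client log: did smbd fail to map a SID to a uid/gid?
# All sample input is constructed; SIDs are placeholders shaped like the
# thread's S-1-5-21-...-1112.

# Constructed getfacl output matching the share01 listing in the thread:
# only base user/group/other entries, no named entries.
SAMPLE_FACL='# file: var/lib/nethserver/ibay/share01
# owner: administrator@bmc.local
# group: domain\040users@bmc.local
# flags: -s-
user::rwx
group::rwx
other::---'

# Constructed getfacl output for a (hypothetical) share where a Windows-side
# ACL did land: named user/group entries plus a mask line are present.
SAMPLE_FACL_OK='# file: var/lib/nethserver/ibay/share03
# owner: administrator@bmc.local
# group: domain\040users@bmc.local
user::rwx
user:someuser@bmc.local:r-x
group::r-x
group:domain\040admins@bmc.local:rwx
mask::rwx
other::---'

# Constructed Samba per-client log excerpt in the format quoted in the thread.
SAMPLE_LOG='[2016/10/25 17:22:10.291691,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1112 to uid or gid.
[2016/10/25 17:22:11.000000,  2] ../source3/smbd/open.c:100(open_file)
  open_file: unrelated message
[2016/10/25 17:22:12.000000,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1112 to uid or gid.
[2016/10/25 17:22:13.000000,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-513 to uid or gid.'

# named_acl_entries: read getfacl output on stdin and print the named
# user:/group: entries (non-empty qualifier between the colons). Base entries
# such as user::rwx, the mask:: line and other:: are skipped.
named_acl_entries() {
    grep -E '^(user|group):[^:]+:' || true
}

# count_named_acl_entries: number of named entries in getfacl output on stdin.
count_named_acl_entries() {
    named_acl_entries | wc -l | tr -d ' '
}

# unmapped_sids: read a Samba log on stdin and print "COUNT SID" for each
# distinct SID smbd could not map to a uid or gid, most frequent first.
unmapped_sids() {
    grep -o 'unable to map SID S-1-5-[0-9-]* to uid or gid' \
        | sed 's/^unable to map SID //; s/ to uid or gid$//' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# sid_rid: print the relative identifier (last component) of a SID, the part
# you would look up on the DC to see which user or group failed to map.
sid_rid() {
    printf '%s\n' "$1" | awk -F- '{print $NF}'
}

# diagnose: combine both checks. Prints a one-line verdict; returns 0 only when
# the share carries named ACL entries and the log shows no mapping errors.
#   $1 = getfacl output, $2 = log text
diagnose() {
    n=$(printf '%s\n' "$1" | count_named_acl_entries)
    s=$(printf '%s\n' "$2" | unmapped_sids | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ] && [ "$s" -gt 0 ]; then
        echo "ACLs not stored: $s unmapped SID(s) logged, no named entries on share (SID->id mapping broken)"
        return 1
    elif [ "$n" -eq 0 ]; then
        echo "No named ACL entries on share and no mapping errors logged"
        return 1
    fi
    echo "$n named ACL entries present, $s unmapped SID(s) logged"
    [ "$s" -eq 0 ]
}

# Usage with the constructed samples (on a real host, feed in
# `getfacl /var/lib/nethserver/ibay/<share>` and `/var/log/samba/log.<client IP>`):
diagnose "$SAMPLE_FACL" "$SAMPLE_LOG" || true
diagnose "$SAMPLE_FACL_OK" "" || true
```

The first verdict is the thread's situation: the log shows SID mapping failures and the share has nothing but base POSIX entries, so the ACL written from Windows was silently dropped rather than stored. The RID printed by `sid_rid` is what to compare against the objects on the DC when deciding which account or group the mapping layer cannot resolve.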

It seems the workaround is trivial thanks to Upstream :grin:

Please @saitobenkei, could you confirm it works for you?

yum install sssd-libwbclient
systemctl restart smb nmb

Reference

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html#CIFS-SSSD

BTW I was sure that dependency was already installed… :rolling_eyes:

@davidep, I made a quick try after installing sssd-libwbclient and it seems to work now.

2 Likes

Thank you, I’ve added this bug here

A package to test the fix is available:

yum localinstall http://packages.nethserver.org/nethserver/7.2.1511/testing/x86_64/Packages/nethserver-samba-2.0.1-1.3.g2ba75e9.ns7.noarch.rpm
2 Likes

It’s already verified, @saitobenkei could you try it?

UPDATE: the fix to this is now an optional feature that must be enabled. For more info, please see

Can we close it @saitobenkei ?
