A small group of us have been trying to get our Ubuntu servers fully integrated into AD with sssd and Samba. We have slowly chipped away at the issues. We believe we are left with one major issue: Windows cannot set ACLs through Samba. The Windows permission dialog seems to work, but when you click Apply they vanish, and getfacl on Ubuntu shows they were not applied.

The host is Ubuntu 16.04.2, up to date as of today, so sssd 1.13.4-1ubuntu1.1 and Samba 2:4.3.11+dfsg-0ubuntu0.16.04.3.

Our AD is set up with OU.AD3.UCDAVIS.EDU as a child domain in the same forest as the parent domain, AD3.UCDAVIS.EDU, with users in AD3.UCDAVIS.EDU and computers and groups in OU.AD3.UCDAVIS.EDU.

The sssd part seems to be set up correctly. We can log in via SSH and auth correctly with Samba. Windows honors the ACLs that are set on the Ubuntu side, but setting ACLs on Windows fails to actually apply.

The Samba config is attached. [storage] is on ZFS with:

    root@phys-adtest:~# zfs get all storage | grep acl
    storage  aclinherit  restricted  local
    storage  acltype     posixacl    local

And [storage2] is on ext4 with the user_xattr mount option added. The behavior, where ACLs vanish after clicking Apply in Windows, is the same with both of them.

I had previously found a thread with the issue on a Samba mailing list indicating it "must be a sssd issue because it works with winbind", but can't find the thread now.

Anyone have any clues as to what may be going wrong or what config options I should check? I can post debug logs if it would help.

Thanks,
Omen

--
Omen Wild
Systems Administrator
Metro Cluster

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   security = ads
   workgroup = OU
   realm = OU.AD3.UCDAVIS.EDU
   netbios name = PHYS-ADTEST
   kerberos method = secrets and keytab
   client signing = yes
   client use spnego = yes
   template homedir = /home/%u
   password server = *
   server string = Samba Server
   log file = /var/log/samba/log.%m
   max log size = 5000
   log level = 999
   load printers = No
   cups options = raw
# This stops an annoying message from appearing in logs
   printcap name = /dev/null
   local master = no
   domain master = no
   preferred master = no
   wins support = no
   wins proxy = no
   dns proxy = yes
   name resolve order = wins bcast host lmhosts

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[homes]
   comment = Home Directories
   browseable = no
   read only = no
   valid users = %S

[storage]
   comment = PHYS-ADTEST Test space (ZFS)
   browseable = yes
   read only = no
   path = /storage
   writable = yes
   read only = no
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
   map acl inherit = yes
   store dos attributes = yes
   acl group control = yes
   dos filemode = yes
# https://aisalen.wordpress.com/2007/08/10/acls-on-samba/
   acl map full control = yes
   create mask = 0600
   directory mask = 0700
# http://www.techtutorials.net/articles/integrating_a_linux_server_into_active_directory_using_samba_a.html
   inherit acls = yes
   inherit permissions = yes

[storage2]
   comment = PHYS-ADTEST Test space (ext4)
   browseable = yes
   read only = no
   path = /storage2
   writable = yes
   read only = no
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
   map acl inherit = yes
   store dos attributes = yes
   acl group control = yes
   dos filemode = yes
# https://aisalen.wordpress.com/2007/08/10/acls-on-samba/
   acl map full control = yes
   create mask = 0600
   directory mask = 0700
# http://www.techtutorials.net/articles/integrating_a_linux_server_into_active_directory_using_samba_a.html
   inherit acls = yes
   inherit permissions = yes
