A small group of us have been trying to get our Ubuntu servers fully integrated into AD with sssd and Samba. We have slowly chipped away at the issues. We believe we are left with one major issue: Windows cannot set ACLs through Samba. The Windows permission dialog seems to work, but when you click Apply they vanish, and getfacl on Ubuntu shows they were not applied.
The host is Ubuntu 16.04.2, up to date as of today, so sssd 1.13.4-1ubuntu1.1 and Samba 2:4.3.11+dfsg-0ubuntu0.16.04.3.
Our AD is set up with OU.AD3.UCDAVIS.EDU as a child domain in the same forest as the parent domain, AD3.UCDAVIS.EDU, with users in AD3.UCDAVIS.EDU and computers and groups in OU.AD3.UCDAVIS.EDU.
The sssd part seems to be set up correctly. We can log in via SSH and authenticate correctly with Samba. Windows honors the ACLs that are set on the Ubuntu side, but setting ACLs on Windows fails to actually apply. The Samba config is attached.
[storage] is on ZFS with:
root@phys-adtest:~# zfs get all storage | grep acl
storage  aclinherit  restricted  local
storage  acltype     posixacl    local
And [storage2] is on ext4 with the user_xattr mount option added.
The behavior, where ACLs vanish after clicking Apply in Windows, is the same with both of them.
I had previously found a thread with the issue on a Samba mailing list indicating it "must be a sssd issue because it works with winbind", but can't find the thread now.
Anyone have any clues as to what may be going wrong or what config options I should check? I can post debug logs if it would help.
Thanks, Omen
On Wed, Feb 22, 2017 at 04:56:07PM -0800, Omen Wild wrote:
> [Omen's original message, quoted in full above]
Yes, Samba debug logs would be useful. One of the more recent issues which might not be fixed in the SSSD ubuntu package you use is https://fedorahosted.org/sssd/ticket/3028. Do you have a chance to test with SSSD 1.14.x?
HTH
bye, Sumit
Thanks, Omen
--
Omen Wild
Systems Administrator
Metro Cluster
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
   security = ads
   workgroup = OU
   realm = OU.AD3.UCDAVIS.EDU
   netbios name = PHYS-ADTEST
   kerberos method = secrets and keytab
   client signing = yes
   client use spnego = yes
   template homedir = /home/%u
   password server = *
   server string = Samba Server
   log file = /var/log/samba/log.%m
   max log size = 5000
   log level = 999
   load printers = No
   cups options = raw
   # This stops an annoying message from appearing in logs
   printcap name = /dev/null
   local master = no
   domain master = no
   preferred master = no
   wins support = no
   wins proxy = no
   dns proxy = yes
   name resolve order = wins bcast host lmhosts

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[homes]
   comment = Home Directories
   browseable = no
   read only = no
   valid users = %S

[storage]
   comment = PHYS-ADTEST Test space (ZFS)
   browseable = yes
   read only = no
   path = /storage
   writable = yes
   read only = no
   # https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
   map acl inherit = yes
   store dos attributes = yes
   acl group control = yes
   dos filemode = yes
   # https://aisalen.wordpress.com/2007/08/10/acls-on-samba/
   acl map full control = yes
   create mask = 0600
   directory mask = 0700
   # http://www.techtutorials.net/articles/integrating_a_linux_server_into_active...
   inherit acls = yes
   inherit permissions = yes

[storage2]
   comment = PHYS-ADTEST Test space (ext4)
   browseable = yes
   read only = no
   path = /storage2
   writable = yes
   read only = no
   # https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
   map acl inherit = yes
   store dos attributes = yes
   acl group control = yes
   dos filemode = yes
   # https://aisalen.wordpress.com/2007/08/10/acls-on-samba/
   acl map full control = yes
   create mask = 0600
   directory mask = 0700
   # http://www.techtutorials.net/articles/integrating_a_linux_server_into_active...
   inherit acls = yes
   inherit permissions = yes
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Related note: Does anyone know if Samba honors NFSv4-style ACLs? We have a NetApp here which appears to be the only NFSv4 server in the world having fully fledged ACL functionality - unfortunately it cannot translate NFSv4 ACLs to Windows ACLs despite their similarity. I was hoping Samba could possibly do a better job here... Ondrej
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: Thursday, February 23, 2017 9:35 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Setting ACLs through Samba from Windows?
> [Sumit's reply of Feb 23, including Omen's original message and the attached smb.conf, quoted in full above]
Quoting Sumit Bose sbose@redhat.com on Thu, Feb 23 09:34:
> Yes, Samba debug logs would be useful. One of the more recent issues which might not be fixed in the SSSD ubuntu package you use is https://fedorahosted.org/sssd/ticket/3028. Do you have a chance to test with SSSD 1.14.x?
I compiled the 1.14.2-2.1 source (which was temporarily in Zesty), but there was no change in behavior. I double checked, and the patch listed in the bug is applied.
The Samba logs (log level = 999) are available from: https://descolada.ucdavis.edu/d4dfd28c-fa22-11e6-9678-3417ebb1df52/
I broke the logs into 3 parts:
The login from a Windows 2016 server: 1-169.237.42.115.login.log
Loading the Windows Security dialog box: 2-169.237.42.115.acl-check.log
Trying to set the ACL: 3-169.237.42.115.acl-set.log
Thanks!
On Thu, Feb 23, 2017 at 03:53:56PM -0800, Omen Wild wrote:
> [Omen's message of Feb 23, quoted in full above]
Thank you for the logs. There is an issue in the logs related to mapping the root user. Are you trying to modify ACL for the root user or for some other user?
If it is about the root user then this behaviour is kind of expected because SSSD does not handle the root user when it comes to nss and PAM, and this is inherited by the SID mapping code as well.
bye, Sumit
Quoting Sumit Bose sbose@redhat.com on Tue, Feb 28 10:00:
> [Sumit's reply of Feb 28, quoted in full above]
Some other user. I login to a Windows box with my admin account (in the OU child domain) which is a member of the group that owns the folder (OU\metro-us-admins).
The directory I was trying to add permissions to was owned by root (see getfacl output below). I tried changing the owner of the folder to my active directory user (omen@ad3.ucdavis.edu), but it did not change the behavior, ACLs added in Windows still disappear when Apply is clicked. The weird part is that Windows did automatically add CREATOR OWNER and CREATOR GROUP ACLs successfully.
Thanks for the suggestions. I'll keep poking from my end.
root@phys-adtest:/storage# getfacl metro-us-admins/
# file: metro-us-admins/
# owner: root
# group: metro-us-admins@ou.ad3.ucdavis.edu
user::rwx
group::rwx
group:metro-us-admins@ou.ad3.ucdavis.edu:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:metro-us-admins@ou.ad3.ucdavis.edu:rwx
default:mask::rwx
default:other::---
Hi,
I am very interested in a resolution to this. I have seen exactly this behaviour.
I have tried changing the ownership of the shares on my samba server to use the domain administrator and group to domain admins. Then I am able to set ACLs on Windows and they seem to get set. I can change share ownership, folder ownership and give users full control of folders. However, despite the ACLs seemingly being set in Windows, they are never actually set at the file system level.
I thought I had some clues. In Windows the groups show as "metro-us-admins@ou.ad3.ucdavis.edu (Unix Group\metro-us-admins@ou.ad3.ucdavis.edu)" (see attached screenshot). Earlier today I had the following permissions on a folder:
# file: metro-us-admins/
# owner: root
# group: metro-us-admins@ou.ad3.ucdavis.edu
And I was getting a permission denied trying to set the ACL from Windows. I thought maybe it was because Windows was showing the group with the full domain instead of the short form (ou\metro-us-admins).
I was getting really frustrated, so I switched from sssd to winbind to see if I could get that working. The Windows permissions would set correctly, but I was unable to get groups to work in Ubuntu, so I switched back to sssd.
And ... now I can sort of set ACLs from Windows!?! I say almost because everyone seems to default to Full Control, and when I unmap/remap the drive it shows the SSID instead of the account name (see attached screenshot). getfacl actually shows the permissions:
----- Begin getfacl -----
root@phys-adtest:/storage# getfacl metro-us-admins/
# file: metro-us-admins/
# owner: root
# group: metro-us-admins@ou.ad3.ucdavis.edu
user::rwx
user:root:rwx
user:cmderr:r-x
user:omen:rwx
group::rwx
group:metro-us-admins@ou.ad3.ucdavis.edu:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:cmderr:r-x
default:user:omen:rwx
default:group::---
default:group:metro-us-admins@ou.ad3.ucdavis.edu:---
default:mask::rwx
default:other::---
----- End getfacl -----
Does this ring any bells for anyone?
Thanks
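The getfacl listings in this thread are where the ACL state actually gets checked, so here is an added example (not from the thread, and not an SSSD or Samba tool): a small Python parser for getfacl(1) output that flags world-accessible entries, entries for root (which, as Sumit notes, SSSD does not map to a SID), and entries whose permissions the mask narrows. The sample listing is constructed, loosely based on the listings above.

```python
import re

# Constructed sample, loosely based on this thread's getfacl listings: other::rwx
# from the first, user:root from the second, plus a narrowed mask (r-x) so every check fires.
GETFACL_OUTPUT = """\
# file: metro-us-admins/
# owner: root
# group: metro-us-admins@ou.ad3.ucdavis.edu
user::rwx
user:root:rwx
group::rwx
group:metro-us-admins@ou.ad3.ucdavis.edu:rwx
mask::r-x
other::rwx
default:user::rwx
default:user:root:rwx
default:mask::rwx
"""

ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def parse_getfacl(text):
    """Return ACL entries as (is_default, tag, qualifier, perms); '#' header lines are skipped."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unrecognised getfacl line: %r" % line)
        entries.append((bool(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def effective(perms, mask):
    # POSIX ACL rule: named entries and the owning group are ANDed with the mask.
    return "".join(p if p == q else "-" for p, q in zip(perms, mask))


def audit(entries):
    """Flag world access, root entries SSSD cannot SID-map, and mask-narrowed entries."""
    findings = []
    for is_default in (False, True):
        scope = "default" if is_default else "access"
        acl = [e for e in entries if e[0] == is_default]
        mask = next((p for _, t, _, p in acl if t == "mask"), "rwx")
        for _, tag, who, perms in acl:
            if tag == "other" and perms != "---":
                findings.append("%s: other grants %s to everyone" % (scope, perms))
            # Per Sumit's reply, SSSD does not handle root, so there is no SID for this entry.
            if tag == "user" and who == "root":
                findings.append("%s: user:root entry is not SID-mappable via SSSD" % scope)
            if (tag == "group" or who) and effective(perms, mask) != perms:
                findings.append("%s: %s:%s:%s limited to %s by mask"
                                % (scope, tag, who, perms, effective(perms, mask)))
    return findings
```

Running `audit(parse_getfacl(open("acl.txt").read()))` over a real `getfacl` capture gives the same findings for a production share.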