Using a CentOS 7 Samba 4 file server, I am not able to modify "Security" permissions on a directory from the standard Windows directory properties dialog.
I used realmd to join the CentOS VM to the Windows domain, and am successfully able to log in to the CentOS VM using Windows domain credentials.
When I access the Windows Security tab on the shared directory, I can successfully add a domain user to the ACE, but no changes are ever made to the underlying ACL in CentOS (as seen by repeated getfacl on the dir).
Additionally, users having permissions appear as "Unix User\joe@domain-name.hq" rather than the expected "DOMAIN-NAME\joe" nomenclature.
Have I misconfigured something? Thank you for the help!!
I have a Samba share defined in smb.conf as:
[test]
comment = First Test Share
path = /smb_shares/d1
public = no
writeable = yes
guest ok = no
Here is ls -ld on the directory, to show that ACLs are enabled:
drwxrwx---+ 3 administrator@domain-name.hq domain admins@domain-name.hq 16 Oct 27 11:11 /smb_shares/d1/
And here is the output of getfacl on that shared directory target:
getfacl: Removing leading '/' from absolute path names
# file: smb_shares/d1/
# owner: administrator@domain-name.hq
# group: domain\040admins@domain-name.hq
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:crew\040bosses@domain-name.hq:r--
default:mask::rwx
default:other::---
In the [globals] section of smb.conf I have included:
map archive = no
store dos attributes = yes
vfs objects = acl_xattr
map acl inherit = yes
inherit acls = yes
force unknown acl user = yes
oplocks = yes
create mask = 0777
directory mask = 0777
use sendfile = yes
unix extensions = no
client ntlmv2 auth = yes
wide links = yes
socket options = TCP_NODELAY SO_KEEPALIVE
CentOS 7 Version Info: 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Joined to Windows AD domain using realmd:
domain-name.hq
type: kerberos
realm-name: DOMAIN-NAME.HQ
domain-name: domain-name.hq
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U@domain-name.hq
login-policy: allow-realm-logins