SLES 11 SP1 with SAMBA/Winbind joined to Active Directory “AD” using AD Role Groups in ACLs on ext3 Filesystem
I'm playing around with Linux filesystem ACLs on an ext3 FS, but using Active Directory (AD) users and AD groups for access control to files and folders, thanks to winbind.
While I have to use “setfacl” just the way it's described in the man page, using properly formed “AD\adgroupname” and “AD\adusername” syntax, “getfacl” however ALWAYS returns something strange that I was not able to find anything matching on the internet, in the man page, or in the SUSE manuals.
As you can see, local Linux users and groups (not shown here, but tested) are shown correctly and as expected. AD users and AD groups, however, contain some strange “number” after the domain prefix and before the AD group or AD user name.
Does anyone here KNOW what this is and why it's there?
I compared this to some ancient Debian 5 installation that we had lying around. NOT joined to an AD, but it also runs some old SAMBA as a primary domain controller. There it seems it's pretty much the same. Whenever some “windows user” or “windows group” has been written to the filesystem ACL, getfacl reports that strange number in between.
On 11/20/2012 11:54 PM, axel1973 wrote:[color=blue]
Given:
SLES 11 SP1 with SAMBA/Winbind joined to Active Directory “AD” using
AD Role Groups in ACLs on ext3 Filesystem
I'm playing around with Linux filesystem ACLs on an ext3 FS, but using
Active Directory (AD) users and AD groups for access control to
files and folders, thanks to winbind.
While I have to use “setfacl” just the way it's described in the
man page, using properly formed “AD\adgroupname” and “AD\adusername”
syntax, “getfacl” however ALWAYS returns something strange that I was
not able to find anything matching on the internet, in the man page,
or in the SUSE manuals.
As you can see, local Linux users and groups (not shown here, but
tested) are shown correctly and as expected. AD users and AD
groups, however, contain some strange “number” after the domain prefix
and before the AD group or AD user name.
Does anyone here KNOW what this is and why it's there?
I compared this to some ancient Debian 5 installation that we had
lying around. NOT joined to an AD, but it also runs some old SAMBA as a
primary domain controller. There it seems it's pretty much the same.
Whenever some “windows user” or “windows group” has been written to
the filesystem ACL, getfacl reports that strange number in
between.[/color]
Just a wild guess, but have you checked into the idmap settings in your
samba.conf file? I didn’t set up samba here at work and the person who
did is on leave right now, but I vaguely recall he had to set the
following so that the account IDs on the Linux side corresponded with
what came from AD.
There is no such thing as a “samba.conf” on a SLES 11 server.
My /etc/samba/smb.conf is pretty much “default” SLES (after Active Domain Join), and only changes to some shares have been made, using YaST only. I try to follow the “SuSE WAY” as much as possible.
Even though I don't think this has anything to do with my getfacl observation, my /etc/samba/smb.conf looks like this:
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2012-04-24
[global]
        workgroup = AD
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = AD.TLD.DE
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind refresh tickets = yes
        wins support = No
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
        create mask = 600
        directory mask = 700
## Share disabled by YaST
# [profiles]
#       comment = Network Profiles Service
#       path = %H
#       read only = No
#       store dos attributes = Yes
#       create mask = 0600
#       directory mask = 0700
## Share disabled by YaST
# [users]
#       comment = All users
#       path = /home
#       read only = No
#       inherit acls = Yes
#       veto files = /aquota.user/groups/shares/
## Share disabled by YaST
# [groups]
#       comment = All groups
#       path = /home/groups
#       read only = No
#       inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775
[data1]
        comment = data1 volume
        inherit acls = Yes
        path = /data1
        read only = No
        create mask = 0660
        directory mask = 0770
        hide dot files = Yes
        hide unreadable = No
        valid users = @AD\ROL-GRP-ACCESS-CONTROL-HOSTNAME
[QUOTE=malcolmlewis;10388]Hi
I’ve asked my SUSE contacts to look at your post, stay tuned
[/QUOTE]
Well… that's pretty much what I expected from SuSE/Novell… NOTHING.
But I am pretty surprised that the SuSE community AND the Samba community (SAMBA mailing list) seem not to know what these strange numbers are supposed to mean, either. I posted just the same question and examples on the SAMBA mailing list a week ago or so… it's just the same… SILENCE.
Really strange! No one else using Linux ACLs with SAMBA or Active Directory out there?!
Does an admin really need to dig into the source code to get a clue what's going on with these getfacl / setfacl tools?
On 11/29/2012 01:24 AM, axel1973 wrote:[color=blue]
Uhh… ?!
There is no such thing as a “samba.conf” on a SLES 11 server.[/color]
Um, yeah, /etc/samba/smb.conf. Occurred to me after I posted, but figured
you'd figure out what I meant.
[color=blue]
My /etc/samba/smb.conf is pretty much “default” SLES (after Active
Domain Join), and only changes to some shares have been made, using YaST
only. I try to follow the “SuSE WAY” as much as possible.
Even though I don't think this has anything to do with my getfacl
observation, my /etc/samba/smb.conf looks like this:[/color]
What does wbinfo -u show? Any numbers there?
…Kevin
Kevin Miller
Juneau, Alaska http://www.alaska.net/~atftb
“In the history of the world, no one has ever washed a rented car.”
It's getfacl (and setfacl) only that report those strange numbers within the Active Directory user name/group name. Of course setfacl does not “report” those numbers, BUT it seems to “tolerate” them when the output of getfacl is used to “restore” ACLs later with setfacl. That is, setfacl does not complain about those numbers when it finds them while reading the ASCII file.
So… I assume this “number thing” may be something on purpose. But strangely there seems to be no page on the net mentioning this, or anyone knowing what this number is about and why it's there.
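To show mechanically what that getfacl-to-setfacl round trip does with winbind names, here is an added example (not code from this thread or from the acl package): a small Python parser for getfacl output, written on the assumption that the “number” is getfacl's octal escape \134 for the backslash in the DOMAIN\name separator, which setfacl decodes again when restoring. The sample output, the user jdoe and the directory path are constructed.

```python
import re

# Constructed sample of getfacl output for an AD-managed directory (not
# from the thread).  Assumption: the "number" between the domain prefix
# and the account name is getfacl's octal escape of the backslash
# separator, \134 (0x5c), which setfacl decodes when restoring.
SAMPLE_GETFACL = """\
# file: data1/projects
# owner: root
# group: root
user::rwx
user:AD\\134jdoe:rwx
group::r-x
group:AD\\134ROL-GRP-ACCESS-CONTROL-HOSTNAME:rwx\t#effective:r-x
mask::r-x
other::---
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unquote(name):
    """Decode the \\ooo escapes getfacl puts in user and group names."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


def quote(name):
    """Re-escape a backslash the way getfacl prints it, for setfacl --restore."""
    return name.replace("\\", "\\134")


def parse_acl(text):
    """Return (tag, qualifier, perms) for every ACL entry in getfacl output.

    Header comments (# file:, # owner:, ...) and trailing #effective
    annotations are dropped; qualifiers are returned unescaped.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = line.split("#effective:", 1)[0].rstrip()
        tag, qualifier, perms = entry.split(":", 2)
        entries.append((tag, unquote(qualifier), perms))
    return entries


def domain_principals(text, domain):
    """Named entries of the given winbind domain, with the DOMAIN\\ prefix stripped."""
    prefix = domain + "\\"
    return [(tag, q[len(prefix):], perms)
            for tag, q, perms in parse_acl(text) if q.startswith(prefix)]
```

Running `domain_principals(SAMPLE_GETFACL, "AD")` lists which AD users and role groups hold entries on the directory, which is the view an auditor wants before reconciling it against the group membership in AD.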
[color=blue]It's getfacl (and setfacl) only that report those strange numbers within
the Active Directory user name/group name. Of course setfacl does not
“report” those numbers, BUT it seems to “tolerate” them when the output of
getfacl is used to “restore” ACLs later with setfacl. That is,
setfacl does not complain about those numbers when it finds them
while reading the ASCII file.
So… I assume this “number thing” may be something on purpose. But
strangely there seems to be no page on the net mentioning this, or anyone
knowing what this number is about and why it's there.[/color]
Really odd. I’d think it’s not on purpose because nobody else is seeing
it (apparently). If you look in your /etc/passwd file, do any of the
strange numbers in the getfacl output align with corresponding account
numbers in passwd? Not sure what that tells us if so, other than maybe
it’s concatenating the Linux account ID and the smb user/group name…
…Kevin