I have created a test AD user with samba-tool. The uid 3000029 was assigned automatically to that user, and the user is a member of the "Domain Users" group (gid 100). On the server the user has an empty home directory and the ACL is set as follows:

> smbserver test # pwd
> /home/TESTDOMAIN/test
> smbserver test # ls
> smbserver test # getfacl .
> # file: .
> # owner: 3000029
> # group: users
> user::rwx
> user:3000029:rwx
> group::r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:3000029:rwx
> default:group::r-x
> default:mask::rwx
> default:other::r-x
> smbserver test # getfattr .
> smbserver test #

Now when the user creates a folder in the directory through a Samba client (tested with both Windows 7 and Linux), the ACL of the new folder gets messed up:

> smbserver test # ls -l
> drwxrwxr-x+ 2 3000029 users 4096 24. Dez 11:02 New Folder
> smbserver test # getfacl New\ Folder
> # file: New Folder
> # owner: 3000029
> # group: users
> user::rwx
> group::r-x
> group:users:r-x
> group:3000029:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:3000029:rwx
> default:group::r-x
> default:group:users:r-x
> default:group:3000029:rwx
> default:mask::rwx
> default:other::r-x
> smbserver test # getfattr New\ Folder
> # file: New Folder
> user.DOSATTRIB
> smbserver test #

What looks particularly strange are these two entries in the ACL of "New Folder":

> group:3000029:rwx
> default:group:3000029:rwx

There is no group with gid 3000029 on the system, neither locally nor in the Active Directory. This is the relevant entry from idmap.ldb:

> dn: CN=S-1-5-21-1013383079-493621684-2636636510-1110
> cn: S-1-5-21-1013383079-493621684-2636636510-1110
> objectClass: sidMap
> objectSid: S-1-5-21-1013383079-493621684-2636636510-1110
> type: ID_TYPE_BOTH
> xidNumber: 3000029
> distinguishedName: CN=S-1-5-21-1013383079-493621684-2636636510-1110

The objectSid is the SID of user "test". This means that the POSIX ACL *should* contain these lines:

> user:3000029:rwx
> default:user:3000029:rwx

Server Setup:
- Samba 4 as standalone AD DC
- Server FS: ext4 with extended attributes
(In reply to comment #0)

> I have created a test AD user with samba-tool. The uid 3000029 was assigned
> automatically to that user, and the user is a member of the "Domain Users"
> group (gid 100). On the server the user has an empty home directory and the ACL
> is set as follows:
>
> > smbserver test # pwd
> > /home/TESTDOMAIN/test
> > smbserver test # ls
> > smbserver test # getfacl .
> > # file: .
> > # owner: 3000029
> > # group: users
> > user::rwx
> > user:3000029:rwx
> > group::r-x
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:user:3000029:rwx
> > default:group::r-x
> > default:mask::rwx
> > default:other::r-x
> > smbserver test # getfattr .
> > smbserver test #
>
> Now when the user creates a folder in the directory through a Samba client
> (tested with both Windows 7 and Linux), the ACL of the new folder gets messed up:
>
> > smbserver test # ls -l
> > drwxrwxr-x+ 2 3000029 users 4096 24. Dez 11:02 New Folder
> > smbserver test # getfacl New\ Folder
> > # file: New Folder
> > # owner: 3000029
> > # group: users
> > user::rwx
> > group::r-x
> > group:users:r-x
> > group:3000029:rwx
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:user:3000029:rwx
> > default:group::r-x
> > default:group:users:r-x
> > default:group:3000029:rwx
> > default:mask::rwx
> > default:other::r-x
> > smbserver test # getfattr New\ Folder
> > # file: New Folder
> > user.DOSATTRIB
> > smbserver test #
>
> What looks particularly strange are these two entries in the ACL of "New
> Folder":
> > group:3000029:rwx
> > default:group:3000029:rwx
>
> There is no group with gid 3000029 on the system, neither locally nor in the
> Active Directory. This is the relevant entry from idmap.ldb:
>
> > dn: CN=S-1-5-21-1013383079-493621684-2636636510-1110
> > cn: S-1-5-21-1013383079-493621684-2636636510-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-1013383079-493621684-2636636510-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 3000029
> > distinguishedName: CN=S-1-5-21-1013383079-493621684-2636636510-1110
>
> The objectSid is the SID of user "test". This means that the POSIX ACL *should*
> contain these lines:
>
> > user:3000029:rwx
> > default:user:3000029:rwx

No, the idmap entry is of type ID_TYPE_BOTH, which means the SID can be represented as a unix user and as a unix group. As Samba adds the gid 3000029 to the user's unix token, the kernel will still grant access.

ID_TYPE_BOTH is needed in order to support the sIDHistory feature of Active Directory, where a user account can get a new objectSid and keep its old SIDs in the sIDHistory attribute. All SIDs from the sIDHistory will be added to the user's NT token (a list of SIDs). As there can be only one uid in a unix token, we need to map all uids to gids.

ID_TYPE_BOTH is also needed to support a group being the owner of files and directories; e.g. Builtin\Administrators is a very common owner of files and directories.
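As an added example (not code from the bug report or from Samba), the following Python models the access check the reply describes: it parses the quoted idmap.ldb record and a getfacl listing, builds the user's unix token with and without the ID_TYPE_BOTH gid that Samba adds, and evaluates the POSIX ACL in the order acl(5) specifies. The child-file ACL and the owner uid 3000000 are constructed for the demonstration.

```python
# Constructed sample: ACL of a file created inside "New Folder" by another user
# (uid 3000000 is a placeholder); it inherited the default group:3000029:rwx entry.
CHILD_ACL = """\
# owner: 3000000
# group: users
user::rw-
group::r-x
group:3000029:rwx
mask::rwx
other::r-x
"""
# Constructed copy of the idmap.ldb record quoted above (LDIF key: value lines).
IDMAP_LDB = """\
objectSid: S-1-5-21-1013383079-493621684-2636636510-1110
type: ID_TYPE_BOTH
xidNumber: 3000029
"""
def parse_idmap(ldif):
    """Return {xidNumber: type} per idmap record (records are blank-line separated)."""
    recs = [dict(l.split(": ", 1) for l in blk.splitlines() if ": " in l)
            for blk in ldif.split("\n\n")]
    return {int(r["xidNumber"]): r["type"] for r in recs if "xidNumber" in r}

def unix_token(uid, nss_gids, idmap):
    """Samba also adds an ID_TYPE_BOTH xid to the user's token as a gid; plain NSS does not."""
    gids = set(nss_gids)
    if idmap.get(uid) == "ID_TYPE_BOTH":
        gids.add(str(uid))  # getfacl prints a gid that has no group name numerically
    return gids

def parse_acl(text):
    """getfacl output -> (owner, owning group, access entries as (tag, qualifier, perms))."""
    lines = text.splitlines()
    meta = dict(l[2:].split(": ", 1) for l in lines if l.startswith("# "))
    entries = [tuple(l.split(":")) for l in lines if l and not l.startswith(("#", "default:"))]
    return meta["owner"], meta["group"], entries

def effective_perms(acl_text, uid, gids):
    """acl(5) check order: owner, named user, owning/named groups under the mask, else other."""
    owner, group, entries = parse_acl(acl_text)
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    masked = lambda p: "".join(a if a == m else "-" for a, m in zip(p, mask))
    for t, q, p in entries:  # owner entry is unmasked, a named user entry is masked
        if t == "user" and (q == str(uid) or (q == "" and str(uid) == owner)):
            return p if q == "" else masked(p)
    hits = [masked(p) for t, q, p in entries
            if t == "group" and ((q == "" and group in gids) or (q and q in gids))]
    if hits:  # a bit is granted if any matching group entry grants it
        return "".join(c if any(h[i] == c for h in hits) else "-" for i, c in enumerate("rwx"))
    return next(p for t, q, p in entries if t == "other")
```

With only the NSS token (uid 3000029, group users) the user gets r-x on the child file; once the ID_TYPE_BOTH gid is in the token, the group:3000029:rwx entry applies and the kernel grants rwx, which is the point of the reply.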