Hello.

I have a file server with samba and sssd. Is working perfectly.

The problem is when I define extended ACLs using windows explorer. Acls are
not applied in the file system to the groups and users of the domain.

But when I work with winbind I can apply the extended acls in the file
system.


Follow the contents of the sssd.conf and smb.conf file

[global]
WORKGROUP = DOMAINE
Realm = DOMAINA.COM
Netbios name = FILESERVER
Dedicated keytab file = /etc/krb5.keytab
Kerberos method = dedicated keytab
Security = ads
Log level = 3
Log file = /var/log/samba/log.all
Max log size = 4000
Domain master = no
Local master = no
# Enable Extended ACLs #
Map acl inherit = yes
Store dos attributes = yes
Vfs objects = acl_xattr
[rh]
Path = / mnt / samba / rh
; Valid users = manuel@coorp.gnulinux souza@coorp.gnulinux
Write list = @ "rh@coorp.gnulinux" @ "diretoria@coorp.gnulinux" @ "vendas@coorp.gnulinux"

[Sssd]
Domains = domaina.com
Config_file_version = 2
Services = nss, pam

[Domain / domaina.com]
Ad_domain = domaina.com
Krb5_realm = COORP.GNULINUX
Realmd_tags = manages-system joined-with-samba
Cache_credentials = True
Id_provider = ad
Krb5_store_password_if_offline = True
Default_shell = / bin / bash
Ldap_id_mapping = True
Use_fully_qualified_names = True
Fallback_homedir = / home /% u @% d
Access_provider = ad

Why does it happen ?
Can someone please help me?

--
Att,

Edson Oliveira
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 19 Mar 2017 17:09:32 -0300
edson via samba <samba@lists.samba.org> wrote:

Hello.

I have a file server with samba and sssd. Is working perfectly.

Is it ?

The problem is when I define extended ACLs using windows explorer.
Acls are not applied in the file system to the groups and users of
the domain.

There you go, it obviously isn't ;-)

But when I work with winbind I can apply the extended acls in the file system.

Then the obvious fix for your problem is to use the Samba supported
winbind instead of, the unsupported by Samba, sssd

sssd has nothing to do with Samba, so if you want to continue using
sssd, I would suggest you contact the sssd-users mailing list.

You should also note, if you are going to set the ACLs from windows,
you should not use the 'write list' option.

Rowland


--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Thanks for the answer.

But even removing the write list parameter, the problem persists.

Excuse me. But the sssd service is working perfectly, and I see no reason
to ask for help on the sssd user list.

One important information is that when I apply the ACLs using the setfacl command the mapping is done and the permissions are applied.

But when I use windows explorer the ACLs permissions are not applied.

If anyone knows why this is happening, and be able to help me.

I thank you.

2017-03-19 17:39 GMT-03:00 Rowland Penny <rpenny@samba.org>:

On Sun, 19 Mar 2017 17:09:32 -0300
edson via samba <samba@lists.samba.org> wrote:

Hello.

I have a file server with samba and sssd. Is working perfectly.

Is it ?

The problem is when I define extended ACLs using windows explorer.
Acls are not applied in the file system to the groups and users of
the domain.

There you go, it obviously isn't ;-)

But when I work with winbind I can apply the extended acls in the file system.

Then the obvious fix for your problem is to use the Samba supported
winbind instead of, the unsupported by Samba, sssd

sssd has nothing to do with Samba, so if you want to continue using
sssd, I would suggest you contact the sssd-users mailing list.

You should also note, if you are going to set the ACLs from windows,
you should not use the 'write list' option.

Rowland

--
Att,

Edson de Abreu Oliveira
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 19 Mar 2017 18:03:34 -0300
edson <edeaoinfor@gmail.com> wrote:

Thanks for the answer.

But even removing the write list parameter, the problem persists.

Excuse me. But the sssd service is working perfectly, and I see no
reason to ask for help on the sssd user list.

Are you 100% sure this has nothing to do sssd ?

One important information is that when I apply the ACLs using the
setfacl command the mapping is done and the permissions are applied.

But when I use windows explorer the ACLs permissions are not applied.

This could still be down to sssd, but have you looked here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If, after following that, it still doesn't work, then try the sssd
list, this may be something they have come across before.

Rowland


--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

First of all, thank you.

Yes. I'm sure sssd is running 100%.

The documentation of the link that passed me served as a basis to implement.

I'll follow your advice and I'll ask you on the sssd user list.

Even so, I hope someone else who went through the same score answers here.

Thank you all.

2017-03-19 18:16 GMT-03:00 Rowland Penny via samba <samba@lists.samba.org>:

On Sun, 19 Mar 2017 18:03:34 -0300
edson <edeaoinfor@gmail.com> wrote:

Thanks for the answer.

But even removing the write list parameter, the problem persists.

Excuse me. But the sssd service is working perfectly, and I see no
reason to ask for help on the sssd user list.

Are you 100% sure this has nothing to do sssd ?

One important information is that when I apply the ACLs using the
setfacl command the mapping is done and the permissions are applied.

But when I use windows explorer the ACLs permissions are not applied.

This could still be down to sssd, but have you looked here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If, after following that, it still doesn't work, then try the sssd
list, this may be something they have come across before.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--
Att,

Edson de Abreu Oliveira
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello.

I was able to solve the problem. The system was using the libwbclient
library of the samba package. I just did the following:

Yum install sssd-libwbclient

Set this new library installed with default on the system:

Alternatives --set libwbclient.so.0.12-64 /usr/lib64/sssd/modules/libwbclient.so.0.12.0

And restart the smbd and sssd daemons:

Systemctl restart sssd smbd

Now I can set the permissions of ACLs extended by windows explorer and the mapping is applied.

Thank you.

2017-03-19 18:36 GMT-03:00 edson <edeaoinfor@gmail.com>:

First of all, thank you.

Yes. I'm sure sssd is running 100%.

The documentation of the link that passed me served as a basis to
implement.

I'll follow your advice and I'll ask you on the sssd user list.

Even so, I hope someone else who went through the same score answers here.

Thank you all.

2017-03-19 18:16 GMT-03:00 Rowland Penny via samba <samba@lists.samba.org>
:

On Sun, 19 Mar 2017 18:03:34 -0300
edson <edeaoinfor@gmail.com> wrote:

Thanks for the answer.

But even removing the write list parameter, the problem persists.

Excuse me. But the sssd service is working perfectly, and I see no
reason to ask for help on the sssd user list.

Are you 100% sure this has nothing to do sssd ?

One important information is that when I apply the ACLs using the
setfacl command the mapping is done and the permissions are applied.

But when I use windows explorer the ACLs permissions are not applied.

This could still be down to sssd, but have you looked here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If, after following that, it still doesn't work, then try the sssd
list, this may be something they have come across before.

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
Att,

Edson de Abreu Oliveira

--
Att,

Edson de Abreu Oliveira
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, 20 Mar 2017 23:05:46 -0300
edson <edeaoinfor@gmail.com> wrote:

Hello.

I was able to solve the problem. The system was using the libwbclient
library of the samba package. I just did the following:

Yum install sssd-libwbclient

So it wasn't a Samba problem and sssd wasn't working correctly even
though you were 100% sure it was ;-)

Rowland


--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

No. Samba and sssd were running 100%. The problem was the lack of a library
to make the communication between samba and sssd work at 100%.

Thank you.

2017-03-21 6:24 GMT-03:00 Rowland Penny via samba <samba@lists.samba.org>:

On Mon, 20 Mar 2017 23:05:46 -0300
edson <edeaoinfor@gmail.com> wrote:

Hello.

I was able to solve the problem. The system was using the libwbclient library of the samba package. I just did the following:

Yum install sssd-libwbclient

So it wasn't a Samba problem and sssd wasn't working correctly even
though you were 100% sure it was ;-)

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--
Att,

Edson de Abreu Oliveira
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)