ACLs showing users as groups and groups as users
This document (7017176) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
Situation
For example, getfacl displays the following:
# file: test/file
# owner: testuser
# group: domain\040users
user::rwx
user:domain\040users:r-- <--incorrect: "Domain Users" is the group
group::r--
group:domain\040users:r--
group:testuser:rwx <--incorrect: "testuser" is the user/owner
mask::rwx
other::r--
Resolution
Set the following vfs_acl_xattr option for the share:
acl_xattr:ignore system acls = yes
Then 'getfacl' reports the correct users and groups:
# file: test/file_ignore
# owner: testuser
# group: domain\040users
user::rw-
group::r--
other::r--
The documentation 'man vfs_acl_xattr' explains the option:
acl_xattr:ignore system acls = [yes|no]
"When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module.
The default is no, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs.
This is better if you need your system ACLs be set for local or NFS file access, too.
If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility."
Cause
The code that evaluates the system ACL makes a conversion based on the Relative Identifiers (RID) for the group and user Access Control Entries (ACE) that it finds.
There is specific logic there to duplicate the RID(s) that have type ID_TYPE_BOTH (which is the case in the example, presumably as a result of using the idmap_rid backend).
E.g. an ACE for a user RID is duplicated as a group ACE, and similarly an ACE for a group RID is duplicated as a user ACE, and both ACEs are set on the file.
That is why group IDs are seen as the owner (and vice versa) when 'ignore system acls' is set to no.
The logic in the 'ignore system acls = yes' case takes a different route.
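The swapped entries in the Situation listing above can be spotted mechanically: a named user ACE whose qualifier is the file's group, or a named group ACE whose qualifier is the file's owner, is exactly what the ID_TYPE_BOTH duplication described in the Cause section produces. The script below is an added illustration, not part of this TID or of Samba; it parses getfacl output (decoding the \040 octal escape getfacl uses for spaces), and flags such entries. The two listings embedded in it are constructed copies of the article's before/after output, not captured from a live system.

```python
"""Flag user/group ACEs in getfacl output that carry the wrong identity type."""
import re
from dataclasses import dataclass, field

# Constructed sample: the listing from this article before the fix.
SAMPLE_BEFORE = """\
# file: test/file
# owner: testuser
# group: domain\\040users
user::rwx
user:domain\\040users:r--
group::r--
group:domain\\040users:r--
group:testuser:rwx
mask::rwx
other::r--
"""

# Constructed sample: the listing after 'acl_xattr:ignore system acls = yes'.
SAMPLE_AFTER = """\
# file: test/file_ignore
# owner: testuser
# group: domain\\040users
user::rw-
group::r--
other::r--
"""


def unescape(name: str) -> str:
    """getfacl writes special bytes as \\NNN octal escapes; \\040 is a space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


@dataclass
class FileAcl:
    path: str = ""
    owner: str = ""
    group: str = ""
    named_users: dict = field(default_factory=dict)   # qualifier -> perms
    named_groups: dict = field(default_factory=dict)  # qualifier -> perms


def parse_getfacl(text: str) -> FileAcl:
    """Parse one getfacl record (header comments plus ACL entries)."""
    acl = FileAcl()
    for raw in text.splitlines():
        line = raw.split("<--")[0].strip()  # tolerate inline annotations
        if not line:
            continue
        if line.startswith("# file:"):
            acl.path = line[len("# file:"):].strip()
        elif line.startswith("# owner:"):
            acl.owner = unescape(line[len("# owner:"):].strip())
        elif line.startswith("# group:"):
            acl.group = unescape(line[len("# group:"):].strip())
        elif line.startswith("#"):
            continue
        else:
            # Entry format is tag:qualifier:perms; an empty qualifier means
            # the owner/owning-group entry, which is never a named ACE.
            tag, qualifier, perms = line.split(":", 2)
            if tag == "user" and qualifier:
                acl.named_users[unescape(qualifier)] = perms
            elif tag == "group" and qualifier:
                acl.named_groups[unescape(qualifier)] = perms
    return acl


def swapped_entries(acl: FileAcl) -> list:
    """Return a description of each named ACE whose qualifier is the file's
    group (in a user ACE) or the file's owner (in a group ACE)."""
    findings = []
    if acl.group in acl.named_users:
        findings.append(
            f"{acl.path}: user ACE for '{acl.group}', which is the owning group")
    if acl.owner in acl.named_groups:
        findings.append(
            f"{acl.path}: group ACE for '{acl.owner}', which is the owner")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_BEFORE, SAMPLE_AFTER):
        acl = parse_getfacl(sample)
        print(acl.path, swapped_entries(acl) or "no swapped entries")
```

The check is a heuristic keyed on the symptom in this TID: it cannot distinguish the duplicated ACE from a genuinely intended named entry that happens to share a name with the owner or owning group, so treat a hit as something to confirm against the share's 'acl_xattr:ignore system acls' setting rather than as proof on its own.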
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7017176
- Creation Date: 20-Jan-2016
- Modified Date:03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com