ACLs showing users as groups and groups as users

This document (7017176) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)

Situation

When a file is created through samba (on CIFS or Windows on a "mapped network drive"), groups show up as users and users are displayed as groups in the ACLs created by Samba.
For example getfacl will display the following:

# file: test/file
# owner: testuser
# group: domain\040users
user::rwx
user:domain\040users:r--          <--incorrect: "Domain Users" is the group
group::r--
group:domain\040users:r--
group:testuser:rwx                <--incorrect: "testuser" is the user/owner
mask::rwx
other::r--

Resolution

In /etc/samba/smb.conf set 'acl_xattr:ignore system acls' to 'yes':

acl_xattr:ignore system acls = yes

Then 'getfacl' will report the correct user/groups:

# file: test/file_ignore
# owner: testuser
# group: domain\040users
user::rw-
group::r--
other::r--


The documentation 'man vfs_acl_xattr' explains the option:

acl_xattr:ignore system acls = [yes|no]

"When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module.
The default is no, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs.
This is better if you need your system ACLs be set for local or NFS file access, too.
If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility."

Cause

The behavior or situation is how the mapping of ACLs is done.
The code that evaluates the system ACL makes a conversion based on the Relative Identifiers (RID) for the group and user Access Control Entries (ACE) that it finds.
There is specific logic there to duplicate the RID(s) that have type ID_TYPE_BOTH (which is the case in the example, presumably as a result of using the idmap_rid backend). 
E.g. an ACE for a group rid is duplicated as a user ACE, similarly an ACE for a group RID is duplicated as a user ACE and those ACEs are set on the file.
That's why group ids are seen as owner (and vice versa) when 'ignore system acls' is set to no.
The logic in the 'ignore system = yes' case takes a different route.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7017176
  • Creation Date: 20-Jan-2016
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center