I’m running some UCS servers in a mixed Windows AD - UCS domain. Plan is to do a domain takeover in the near future. But for now I do have a strange ACL issue on the samba shares.
If I create files/folders or play with the ACL on the shares from a Windows client everything is working fine.
But if I mirror a share from a Windows server to one of the UCS servers using robocopy /MIR /COPYALL /ZB … I can’t access the shares on the UCS server anymore.
getfacl gives some strange things:
    getfacl -n XXXXXXXX
    # file: XXXXXXXX
    # owner: 0
    # group: 5001
    user::rwx
    user:0:rwx
    group::---
    group:5001:---
    group:55003:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:0:rwx
    default:group::---
    default:group:5001:---
    default:group:55003:rwx
    default:mask::rwx
    default:other::---
I’ve made a script that basically copies the ACL from the 55xxx to the 5yyy and removes the 55xxx ACLs (same for uid and gid 0 to Administrator / Domain Admins)
For me it looks like samba is getting confused between the different user backends. Normal access to the share uses uids and gids I get from NSS (getent…), whereas robocopy /COPYALL seems to set the uid and gid from the internal samba / ldap mapping (at least the ids are in the range defined in smb.conf for the ldap backend).
Maybe this is due to the fact that all domain users get the POSIX account enabled by the AD replication?
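
The remapping described in the post, as an added example (not the poster's script): it parses `getfacl -n` output and rewrites entries whose numeric IDs come from the Samba idmap range to the IDs NSS reports. The ID mappings and the names `UID_MAP`, `GID_MAP` and `remap_acl` are assumptions; a remapped entry replaces an existing entry for the same target ID.

```python
# Added example: remap Samba-idmap IDs in `getfacl -n` output to NSS IDs.
# Mapping values are constructed; take the real ones from getent on the server.
UID_MAP = {0: 2002}                # hypothetical: uid 0 -> Administrator
GID_MAP = {0: 5000, 55003: 5003}   # hypothetical: gid 0 -> Domain Admins

# Constructed input: the getfacl -n output shown in the post.
SAMPLE = """\
# file: XXXXXXXX
# owner: 0
# group: 5001
user::rwx
user:0:rwx
group::---
group:5001:---
group:55003:rwx
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:group::---
default:group:5001:---
default:group:55003:rwx
default:mask::rwx
default:other::---
"""

def remap_acl(getfacl_text, uid_map=UID_MAP, gid_map=GID_MAP):
    """Return ACL entries in setfacl --set-file format with mapped IDs replaced."""
    entries = {}  # (is_default, tag, qualifier) -> perms; insertion order is kept
    for line in getfacl_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop headers and #effective notes
        if not line:
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        tag, qual, perms = parts[1:4] if is_default else parts[0:3]
        id_map = uid_map if tag == "user" else gid_map if tag == "group" else {}
        if qual.isdigit() and int(qual) in id_map:
            qual = str(id_map[int(qual)])      # e.g. group:55003 -> group:5003
        entries[(is_default, tag, qual)] = perms
    return [("default:" if d else "") + f"{t}:{q}:{p}"
            for (d, t, q), p in entries.items()]

if __name__ == "__main__":
    print("\n".join(remap_acl(SAMPLE)))
```

The printed entries can be fed to `setfacl --set-file=-` for the same path; the file owner and group in the header lines are not ACL entries and need a separate `chown`.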