[Samba] Fwd: Samba4 - ACL not applied/followed (worked in samba 3.0.11)
Michal Hajek
Hajek67 at gmail.com
Mon Dec 16 05:10:04 MST 2013
Here it is (xxxxxxxed and without insignificant shares).
# Global parameters
[global]
dos charset = CP852
unix charset = ISO8859-2
workgroup = NIS
server string = UHN a.s. (%v on %h)
passdb backend = ldapsam:ldapxxxxxxxxx
log level = 0 passdb:3 auth:3 winbind:3
syslog = 0
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = host bcast
socket options = TCP_NODELAY,SO_KEEPALIVE
add user script = /usr/sbin/useradd -d /dev/null -g users -s /bin/false -M %u
add machine script = /usr/local/bin/AMnew '%u'
logon script = smbprofile.bat
logon path = \\%h\profiles\%U
logon drive = S:
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = xxxxxxxxxxx
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap suffix = dc=nspuh,dc=cz
ldap ssl = no
ldap user suffix = ou=people
panic action = /usr/share/samba/panic-action %d
template homedir = /profiles/DEFAULT
idmap config * :backend = tdb
idmap config * :range =
admin users =xxxxxxxxxxxxxxx
root preexec = /usr/local/bin/RPE4 '%u' 'GLOBALS' '%m' '%a'
follow symlinks = yes
wide links = yes
allow insecure wide links = yes
## default encrypt passwords = yes
## default obey pam restrictions = no
## ldapsam:trusted = yes ## does not work with 3.0.11
[homes]
comment = Home Directories
path = /home/%u
read only = No
create mask = 0700
directory mask = 0700
inherit acls = Yes
browseable = No
root preexec = /usr/local/bin/RPE4 '%u' 'HOMESHARE' '%m' '%a'
[profiles]
comment = Profile Share
path = /home/profiles
read only = No
directory mask = 0700
profile acls = Yes
browseable = No
csc policy = disable
root preexec = /usr/local/bin/RPE4 '%u' 'PROFILES' '%m' '%a'
[NETLOGON]
comment = Network Logon Service
path = /home/netlogon
write list = xxxxx
guest ok = Yes
browseable = No
On Mon, Dec 16, 2013 at 12:46 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 16/12/13 11:23, Michal Hajek wrote:
>
>> I start smbd and nmbd (and no winbind), so I expect "v3" behaviour.
>> Including ACL. Am I right? But ACL are not applied on shares. Any new
>> parameters for v4 needed?
>>
>> Michal
>>
>>
>> On Mon, Dec 16, 2013 at 12:13 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 16/12/13 11:00, Michal Hajek wrote:
>>>
>>> For clarity: By ACL I mean LINUX ACLs (setfacl, getfacl), NOT anything
>>> set from Windows clients.
>>>
>>> On Mon, Dec 16, 2013 at 11:32 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>
>>> On 09/12/13 08:39, Michal Hajek wrote:
>>>>
>>>> OK, I will answer myself to myself.
>>>>>
>>>>> It is because samba3 capabilities are NOT a subset of samba4 ones. Samba4
>>>>> seems not to bother with Linux ACLs at all (or maybe only in some magic way,
>>>>> which I did not discover in a week of searching)! When I compiled and ran
>>>>> v3.6, everything worked as expected at first try.
>>>>>
>>>>> Do you have ACLs turned on for the partitions that hold the shares?
>>>>
>>>>
>>>> Do you mean on the Linux FS? Yes, of course, as you can see in my first
>>>> mail (ACL is on and it works both directly on Linux FS and Samba v3
>>>> shares).
>>>> If you mean "explicitly in the share section of your smb.conf" then no.
>>>> I do not know how to do that. I had spent a nice few hours trying to
>>>> configure that. (And I must say Samba documentation really sucks.)
>>>
>>>
>>>
>>>>> So for all wondering which version to choose when upgrading to v4 from v3
>>>>> (with no need of AD) - if you use -or plan to use- Linux ACLs, your ONLY
>>>>> ONE choice is v3.
>>>>>
>>>>> I cannot understand why such insidious v4 behaviour is not clearly stated
>>>>> on samba pages.
>>>>>
>>>>> Michal
>>>>>
>>>> Yes, you are right, Samba4 does work differently from S3 when running in
>>>> AD mode: it runs like a windows server. But you can run Samba4 just like
>>>> S3, and if that is all you require, then I suggest that this is what you
>>>> do. S3 is in security fixes mode now and will be discontinued sometime in
>>>> August 2014 (approx).
>>>>
>>>>
>>> V 4.1.0 compiled, started, ACL on shares not working.
>>> V 3.6.22 compiled, started, ACL on shares working (the same smb.conf).
>>>
>>> How can I "run Samba4 just like S3"? It is possible I am missing some
>>> additional v4 parameter/setting, but I did not find which one.
>>>
>>> Thanks,
>>> Michal
>>>
>>>
>>>
>>> Rowland
>>>>
>>>>
>>>>
>>>>> On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek <Hajek67 at gmail.com> wrote:
>>>>>
>>>>> Hi.
>>>>>
>>>>>> samba 4.1.1. User has unix rights for writing, but samba denies write
>>>>>> access to him.
>>>>>>
>>>>>> On samba server:
>>>>>> amistest at samba:~$ id
>>>>>> uid=6603(amistest) gid=20(users-nis)
>>>>>>
>>>>>> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),
>>>>>> 2126(poj),2133(hto),20000(users)
>>>>>>
>>>>>> -> user amistest is in "poj" group
>>>>>>
>>>>>> amistest at samba:~$ ls -ld ACLTEST
>>>>>> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
>>>>>> amistest at samba:~$ getfacl ACLTEST/
>>>>>> # file: ACLTEST
>>>>>> # owner: hrubos
>>>>>> # group: vema
>>>>>> user::rwx
>>>>>> group::rwx
>>>>>> group:poj:rwx
>>>>>> mask::rwx
>>>>>> other::r-x
>>>>>>
>>>>>> -> group poj can write in ACLTEST directory
>>>>>>
>>>>>> amistest at samba:~$ touch ACLTEST/test
>>>>>> amistest at samba:~$ ls -l ACLTEST
>>>>>> total 4
>>>>>> -rw-rwxr--+ 1 hrubos poj 0 Nov 27 10:54 POKUS
>>>>>> -rw-r--r-- 1 amistest users-nis 0 Nov 27 11:35 test
>>>>>> amistest at samba:~$
>>>>>>
>>>>>> -> user amistest can write in ACLTEST directory.
>>>>>>
>>>>>> On PC, amistest logged into domain (sorry, it is in Czech):
>>>>>>
>>>>>> S:\>dir ACLTEST
>>>>>>
>>>>>> Svazek v jednotce S je amistest.
>>>>>> Sériové číslo svazku je EE7A-B776.
>>>>>>
>>>>>> Výpis adresáře S:\ACLTEST
>>>>>>
>>>>>> 27.11.2013 11:03 <DIR> .
>>>>>> 04.11.2013 09:52 <DIR> ..
>>>>>> 27.11.2013 10:54 0 POKUS
>>>>>> 27.11.2013 11:35 0 test
>>>>>> 2 souborů, 0 bajtů
>>>>>> Adresářů: 2, Volných bajtů: 200 429 568
>>>>>>
>>>>>> -> user amistest sees ACLTEST directory
>>>>>>
>>>>>>
>>>>>> S:\>net group /domain poj
>>>>>> Požadavek bude zpracován na primárním řadiči domény NIS.
>>>>>>
>>>>>> Název skupiny poj
>>>>>> Komentář
>>>>>>
>>>>>> Členové
>>>>>>
>>>>>> ------------------------------------------------------------
>>>>>> -----------
>>>>>> amistest .....
>>>>>>
>>>>>> Příkaz byl úspěšně dokončen.
>>>>>>
>>>>>> -> user amistest is in "poj" group (seen from pc)
>>>>>>
>>>>>>
>>>>>> S:\>mkdir ACLTEST\testdir
>>>>>> Přístup byl odepřen.
>>>>>>
>>>>>> -> user amistest can NOT write into the directory.
>>>>>>
>>>>>> Homes section of smb.conf:
>>>>>>
>>>>>> [homes]
>>>>>> comment = Home Directories
>>>>>> path = /home/%u
>>>>>> read only = No
>>>>>> create mask = 0700
>>>>>> directory mask = 0700
>>>>>> inherit acls = Yes
>>>>>> browseable = No
>>>>>> root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>>>>>>
>>>>>> The same configuration worked in samba 3.0.11.
>>>>>>
>>>>>> The questions are:
>>>>>> - how to check that samba 4.1.1 was compiled with acl support (I know it
>>>>>> is default, but...)?
>>>>>> - which parameter for samba 4.1.1 am I missing?
>>>>>>
>>>>>> Thanks, Michal
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>> When you provision S4 and then run it in AD mode, you start the samba
>>> daemon; this in turn starts the smbd daemon. You should then consider it
>>> to be a windows server and connect to it as if it was one.
>>>
>>> But you can set S4 up just like S3 and start the smbd & nmbd daemons (and
>>> optionally the winbind daemon); it will then work just like an S3 machine,
>>> so you can set it up as an old style NT PDC, a standalone server or a
>>> member server joined to an AD domain. In fact anything an S3 machine can
>>> do, an S4 machine can do.
>>>
>>> If you do run S4 as an AD server, then connect to it as if it was a
>>> windows server and you will not go far wrong.
>>>
>>> Rowland
>>>
>>>
>
> Could you please post your (sanitized) smb.conf?
>
> Rowland
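Michal's case rests on the getfacl listing granting amistest write access through the poj group, so here is an added example (my code, not anything from the thread or from the Samba project) that parses a getfacl listing and evaluates it in the order the Linux kernel applies POSIX ACL entries, mask included. The ACL and amistest's group list are the ones quoted above; a restricted mask and a matched-but-insufficient group entry are the edge cases worth checking.

```python
# Added example, not from the thread: evaluate a getfacl listing the way the
# Linux kernel checks a POSIX ACL (owner, named user, groups through the
# mask, other). Sample input is the ACLTEST listing quoted in the thread.
GETFACL_ACLTEST = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""
AMISTEST_GROUPS = ["users-nis", "evis", "slp", "hernie", "poj", "hto", "users"]  # from `id`
def parse_getfacl(text):
    """Return (owner, owning group, [(tag, qualifier, perms), ...])."""
    owner = group = ""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):                 # header: file / owner / group
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                owner = value.strip()
            elif key.strip() == "group":
                group = value.strip()
        elif line:
            line = line.split("#", 1)[0].strip()  # drop "#effective:" notes
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms.replace("-", "")))
    return owner, group, entries

def has_access(acl, user, groups, want):
    """True if `user` (member of `groups`) is granted every bit in `want`."""
    owner, owning_group, entries = parse_getfacl(acl)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    grants = lambda perms: all(bit in perms for bit in want)
    masked = lambda perms: grants(perms) and (mask is None or grants(mask))
    matched_group = False
    for tag, qualifier, perms in entries:
        if tag == "user" and not qualifier and user == owner:
            return grants(perms)                 # owner: the mask does not apply
        if tag == "user" and qualifier == user:
            return masked(perms)
        if tag == "group" and (qualifier or owning_group) in groups:
            matched_group = True                 # first group entry that grants wins
            if masked(perms):
                return True
        if tag == "other":                       # a group matched but lacked a bit:
            return False if matched_group else grants(perms)  # deny, no fallthrough
    return False
```

With the listing from the thread, has_access(GETFACL_ACLTEST, "amistest", AMISTEST_GROUPS, "w") is True, which is exactly the write that the Samba 4.1.1 share refuses.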