[Samba] Is it possible to 'getfacl' on a mounted samba share ?

Nicola Mingotti nmingotti at gmail.com
Sun Jan 24 16:30:47 UTC 2021


Hi,

I have installed a Samba DC and a Samba based NAS to feed
a mainly Windows computer network. It is all working very well.

I am implementing the backup system right now and I found a problem with
permissions when working from Linux on the Samba shared directories.

If I run "getfacl" and "setfacl"
from the machine exporting the Samba disk it all works as expected. ok.

I can see all file permissions from Windows computers mounting the Samba
share. ok.

But if I try to run "getfacl" from a Linux machine mounting the
Samba share I can't see anything. Is it normal?

I mount the Samba share in Linux like this
---- /etc/fstab -----------------------------------
//nas.borghi.lan/sambaDisk/DiscoS/    /mnt/discoR   cifs    cifsacl,credentials=/usr/local/etc/discoR.credentials    0    0
---------------------------------------------------
#> sudo mount /mnt/discoR

My /etc/samba/smb.conf is at the end of message.

I thought maybe it was because my Linux box doesn't know about
AD users. So I also made a test from a Linux machine that joined
the Windows domain. No difference. I can't 'getfacl' at all.

Am I missing something fundamental? It may be so; it is the first
time I am working seriously with Samba.

bye
Nicola



----- /etc/samba/smb.conf -----------------

# please ignore my comments, especially if in Italian.

[global]
    workgroup = WINDOM
    security = ADS
    realm = WINDOM.BORGHI.LAN

    # for the Windows ACLs
    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # remove after testing
    winbind enum users = yes
    winbind enum groups = yes

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logs
    # log file = /var/log/samba/%m.log
    # log level = 1
    log file = /var/log/samba/samba.log
    # log file = /var/log/samba/perPersonOrMachine/%U.log
    # log level = 1 smb:2 smb2:3
    # log level = 2 smb:2 smb2:2 vfs:9
    log level = 2 smb:2 smb2:2
    # . be sure to handle it with logrotate
    # max file size 100 MB, hopefully logrotate cuts it before that
    max log size = 100000

    # ---- ID mapping backend rid -------
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config WINDOM : backend = rid
    idmap config WINDOM : range = 10000-999999

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/WINDOM-%U

    # map "Administrator" to "root"
    username map = /usr/local/samba/etc/user.map

# directory that serves as the shared disk
[sambaDisk]
        path = /mnt/sambaShared/sambaDisk
        read only = no
        # --- default mask for users
        create mask = 777
        directory mask = 777
        # -- what happens if a user leaves?
        #    better to make sure there are no problems by fixing
        #    a default user and group for all files.
        #    (*) applies to Windows clients. Does not apply to Linux. For Mac?
        # => DISABLED, because in the logs I no longer see who opens the
        #    files, only "root", everywhere
        # force user = root
        # force group = adm
        # inherit permissions = true
        # ---- load the modules that are needed
        # vfs objects = full_audit shadow_copy2
        vfs objects = shadow_copy2
        # -------------------------------
        # --- for auditing --------------
        # . disabled, due to issues with the logs not restarting
        #   I can read the read/write accesses to files in the
        #   default logs.
        # opendir: too much output, it gets read automatically
        # I don't understand what these do: read write pread pwrite
        # full_audit:prefix = %u|%I
        # full_audit:success = open
        # full_audit:failure = all
        # full_audit:facility = LOCAL5
        # --------------------------------
        # ---- for shadow copies ---------
        shadow:snapdir = /mnt/sambaShared/snapshots
        shadow:basedir = /mnt/sambaShared/sambaDisk
        shadow:sort = desc

----------------------------------------------------------------




