[ANNOUNCE] Samba 4.0 beta5

Andrew Bartlett abartlet at samba.org
Wed Aug 1 17:02:11 MDT 2012


On Wed, 2012-08-01 at 15:49 -0700, Scott Jordahl wrote:
> I'm a little confused on this whole ACL and s3fs file system issue.
> 
>  >  Modifying of group policies by members of the Domain Administrators
>  >  group is not possible with the s3fs file server, only with the ntvfs
>  >  file server.  This is due to the underlying POSIX ACL not being set
>  >  at provision time.
> 
> I have a production site that's running and now using s3fs. I elected to 
> create a whole new, clean domain using beta4 (they had a Win2k3 domain). 
> There's only 15 users/computers, so it wasn't too hard to re-create. The 
> server was previously acting as a file server, running Samba3 and acting 
> as a member server to the older Win2k3 AD domain (The samba server, 
> BTW, is Ubuntu 10.04 LTS x64).
> 
> To enable GPOs, is there a way to use setfacl to set the necessary ACL 
> default values after the provisioning? If so, what ACLs need to be set? 
> Do you set ACLs on all files/directories in the file shares or just the 
> ones in SYSVOL? It's also a little confusing on how Windows ACLs map to 
> POSIX ACLs. What ACL values need to be set? I need to clean up file 
> access as the files/folders still hold old S3 IDMAP entries.

So, what is set by provision will allow GPOs to work, because from the
client the read access is all correct, and the ACLs match. 

However, for writes it only works as administrator, because I
misunderstood the smbd ACL model.  In smbd, the POSIX ACL trumps all
(except in very exceptional circumstances), whereas in the ntvfs file
server, the NT ACL trumps all, overriding an incorrect POSIX ACL. 

I know how to call the code to set the POSIX ACL, I just need to sort
out some remaining details and implement it.  It remains one of my
high-priority TODO items. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
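
Added example, not part of the original message and not Samba code: a simplified Python model of the two access models described above, showing why a Domain Admins member can write under ntvfs but not under smbd when only the NT ACL grants access. The uids, gids, principal names, the provisioned POSIX entries and the repaired ACL are all constructed assumptions; the message does not specify them.

```python
# Added illustration, not Samba code. IDs, names and ACL entries are constructed.
R, W, X = 4, 2, 1
FULL = R | W | X

def posix_allows(acl, uid, gids, want):
    """POSIX.1e check order: owner, named user, groups (masked), then other."""
    mask = acl.get("mask", FULL)
    if uid == acl["owner"]:
        return acl["user_obj"] & want == want
    if uid in acl.get("users", {}):
        return acl["users"][uid] & mask & want == want
    entries = {acl["group"]: acl["group_obj"], **acl.get("groups", {})}
    matched = [perm for gid, perm in entries.items() if gid in gids]
    if matched:  # a matching group entry means "other" is never consulted
        return any(perm & mask & want == want for perm in matched)
    return acl["other"] & want == want

def nt_allows(dacl, sids, want):
    """Ordered ACE walk: allows accumulate, a deny on a needed bit fails."""
    remaining = want
    for kind, sid, rights in dacl:
        if sid not in sids:
            continue
        if kind == "deny" and rights & remaining:
            return False
        if kind == "allow":
            remaining &= ~rights
        if remaining == 0:
            return True
    return False

def server_allows(model, obj, user, want):
    """ntvfs: NT ACL decides. smbd: POSIX ACL decides (exceptions ignored)."""
    if model == "ntvfs":
        return nt_allows(obj["dacl"], user["sids"], want)
    return posix_allows(obj["posix"], user["uid"], user["gids"], want)

ADMIN_UID, MEMBER_UID, DA_GID, USERS_GID = 1000, 1001, 2000, 2001
admin = {"uid": ADMIN_UID, "gids": {DA_GID}, "sids": {"Administrator", "Domain Admins"}}
member = {"uid": MEMBER_UID, "gids": {DA_GID}, "sids": {"Domain Admins"}}
# Assumed post-provision state: NT ACL grants Domain Admins, POSIX ACL has no entry for them.
gpo = {"dacl": [("allow", "Domain Admins", FULL)],
       "posix": {"owner": ADMIN_UID, "user_obj": FULL, "group": USERS_GID,
                 "group_obj": R | X, "other": R | X}}
# Assumed repair: a named-group entry for Domain Admins plus a permissive mask.
gpo_fixed = {**gpo, "posix": {**gpo["posix"], "groups": {DA_GID: FULL}, "mask": FULL}}

for label, obj in (("provisioned", gpo), ("fixed", gpo_fixed)):
    for model in ("ntvfs", "smbd"):
        print(label, model, "member write:", server_allows(model, obj, member, W))
```

On a real system the corresponding state can be inspected with `getfacl` on the files in question; which entries Samba's provision should set is not stated in this message.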


