[Samba] Re: Request for ACL experiences
Philipp Luttenberger
luttenberger at cnsystems.at
Thu Nov 13 17:02:34 GMT 2003
Hidiho!
A little bit late...
> I'm having trouble with ACL's and wonder how many others are too. I see
> conflicting answers and comments about different aspects of ACL's from many
> people on the list. I was wondering if ANYONE is successfully using ACL's
> with Samba 3.0 or above.
Yes, we use ACLs on our Debian based file server in our Win2k Active Directory
Domain.
> Was your Samba server configured as the DC?
No, it's only a file server. The DC is running a Win2k Advanced Server with
SP4.
> What client OS were you setting ACL's on the Samba Share with? (Win2000, XP)
Win2k, Linux
> What service pack (SP4 on Win2000???)
SP2, SP3 and SP4 on Win2k
> Did you have to have the ACL kernel patch?
We used the XFS kernel patch.
> Did you need "nt acl support = yes" in each share definition?
No
> How did you setup your shares? (Working share Examples are good)
[software]
comment = Software
path = /mnt/software
writable = yes
guest = no
> Did you have to use the "server Tools" downloaded from microsoft or could you
> simply right click on a file/folder and change the security ACL's?
We tested the "server Tools" but they didn't work the way we expected.
Explorer was also tested but meanwhile we don't use it anymore because it
takes too much time. Now we prefer setfacl because we can write scripts and
it's really fast.
> How are you verifying the ACL's actually work? Did you fully test any ACL you
> set through Windows by actually trying to make a user access a file to see
> that his access matched the ACL you set.
Yes, I have to test every ACL. First I verify by getfacl then users should
test the ACLs.
> What didn't work with ACL's that you thought should?
The "Trace folder/execute files" didn't work the way I expected. It takes two
steps to make them work (a click on the "List folder"-permission also
activates the read-permission. You have to change this by hand in the
advanced-section).
Nested groups still don't work.
We have a lot of troubles with the group mapping. Sometimes users aren't mapped
in groups - it makes no difference if the group is a newly created or existing
one (we already filed a bug report).
> Are you comparing the windows ACL's to the output of getfacl?
Yes
> Could you use ACL's to add users to Samba printers?
I don't know - we never tried.
> Did you have to do any setfacl commands in Linux?
Yes, because we had some "others"-permissions which shouldn't be there.
> Did you have to run winbind?
Yes
> Did you have to do any "net groupmap" commands to make ACL's work?
>
> I.E. net groupmap modify ntgroup="Domain Admins" unixgroup=root
No
> Were there any commands/configurations you had to use to make ACL's work that
> were not covered in the 3.0 HowTo?
No.
> If you see any missing questions that you think
> might be useful to using ACL's, please add them!
How about some examples in the HowTos? You have to go to acl.bestbits.at to
get some real examples.
It would be nice to have an overview which win2k-permissions work and which do
not (in a spreadsheet). Maybe with two columns: the first shows the
(advanced) windows permission and in the second column there just stands a
"w" (yeah, it "works"), a "dw" (sorry, but it "doesn't work") or an "a" (yes
it works, but maybe not the way you'll expect and you'll need a "workAround")
hth
Phil
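
Added example, not part of the original post: one way to script the getfacl check the reply describes, flagging leftover "other" permissions in access and default ACLs. The sample output, the paths under mnt/software, the group name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `getfacl -R` output (hypothetical tree, not from the post).
sample_getfacl() {
cat <<'EOF'
# file: mnt/software
# owner: root
# group: root
user::rwx
group::r-x
group:engineering:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::---

# file: mnt/software/drivers
# owner: root
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:other::r-x

EOF
}

# Reads getfacl output on stdin and prints "<path> <entry>" for every access
# or default ACL entry that still grants a permission bit to "other".
find_other_perms() {
    awk '
        /^# file: / { path = substr($0, 9); next }   # remember current path
        /^(default:)?other::/ {
            line = $0
            sub(/[ \t]*#.*/, "", line)   # defensive: drop any trailing comment
            n = split(line, f, ":")
            if (f[n] != "---") print path, line
        }
    '
}

# On a real server: getfacl -R /mnt/software | find_other_perms
sample_getfacl | find_other_perms
```

A flagged access entry can be cleared with `setfacl -m o::--- <path>`, and a flagged default entry with `setfacl -d -m o::--- <path>`.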