[Samba] Re: Request for ACL experiences

Philipp Luttenberger luttenberger at cnsystems.at
Thu Nov 13 17:02:34 GMT 2003


Hidiho!

A little bit late...

> I'm having trouble with ACL's and wonder how many others are too. I see
> conflicting answers and comments about different aspects of ACL's from
> many people on the list. I was wondering if ANYONE is successfully using
> ACL's with Samba 3.0 or above.

Yes, we use ACLs on our Debian-based file server in our Win2k Active Directory
Domain.

> Was your Samba server configured as the DC?

No, it's only a file server. The DC is running a Win2k Advanced Server with
SP4.

> What client OS were you setting ACL's on the Samba Share with? (Win2000,
> XP)

Win2k, Linux

> What service pack (SP4 on Win2000???)

SP2, SP3 and SP4 on Win2k

> Did you have to have the ACL kernel patch?

We used the XFS kernel patch.

> Did you need "nt acl support = yes" in each share definition?

No

> How did you setup your shares? (Working share Examples are good)

[software]
    comment = Software
    path = /mnt/software
    writable = yes
    guest = no

> Did you have to use the "server Tools" downloaded from Microsoft or could
> you simply right click on a file/folder and change the security ACL's?

We tested the "server Tools" but they didn't work the way we expected. 
Explorer was also tested but meanwhile we don't use it anymore because it 
takes too much time. Now we prefer setfacl because we can write scripts and 
it's really fast.

> How are you verifying the ACL's actually work? Did you fully test any ACL
> you set through Windows by actually trying to make a user access a file to
> see that his access matched the ACL you set.

Yes, I have to test every ACL. First I verify with getfacl, then users should
test the ACLs.

> What didn't work with ACL's that you thought should?

The "Trace folder/execute files" didn't work the way I expected. It takes two
steps to make them work (a click on the "List folder" permission also
activates the read permission. You have to change this by hand in the
advanced section).
Nested groups still don't work.
We have a lot of trouble with the group mapping. Sometimes users aren't mapped
in groups - it makes no difference if the group is a newly created or an
existing one (we already filed a bug report).

> Are you comparing the windows ACL's to the output of getfacl?

Yes

> Could you use ACL's to add users to Samba printers?

I don't know - we never tried.

> Did you have to do any setfacl commands in Linux?

Yes, because we had some "others"-permissions which shouldn't be there.

> Did you have to run winbind?

Yes

> Did you have to do any "net groupmap" commands to make ACL's work?
>
> I.E. net groupmap modify ntgroup="Domain Admins" unixgroup=root

No

> Were there any commands/configurations you had to use to make ACL's work
> that were not covered in the 3.0 HowTo?

No.

> If you see any missing questions that you think
> might be useful to using ACL's, please add them!

How about some examples in the HowTos? You have to go to acl.bestbits.at to
get some real examples.
It would be nice to have an overview of which win2k permissions work and which
do not (in a spreadsheet). Maybe with two columns: the first shows the
(advanced) windows permission and in the second column there just stands a
"w" (yeah, it "works"), a "dw" (sorry, but it "doesn't work") or an "a" (yes
it works, but maybe not the way you'll expect and you'll need a "workAround")

hth

   Phil
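
An added example (not part of the message above and not Samba project code): a shell function that scans `getfacl -R` output for "other" entries that still grant access, the kind of leftover permission the reply says had to be removed with setfacl. The function name `find_other_access` and the sample listing are constructed for illustration; only the `/mnt/software` path comes from the share definition in the message.

```shell
#!/bin/sh
# Reads getfacl text on stdin and prints "<path><TAB><entry>" for every access
# or default "other" entry whose permission field is not "---".
# Typical use (assumed):  getfacl -R /mnt/software | find_other_access
# A finding can then be cleared with:  setfacl -m o::--- <path>
# (add -d to change the default ACL of a directory).
find_other_access() {
    awk '
        # "# file: <path>" opens a new record; remember the path.
        /^# file: / { path = substr($0, 9); next }
        # Skip owner/group/flags comments and blank separator lines.
        /^#/ || /^$/ { next }
        {
            split($0, f, ":")
            # access entry:   other::r-x
            # default entry:  default:other::r-x
            if (f[1] == "other") {
                perm = f[3]
            } else if (f[1] == "default" && f[2] == "other") {
                perm = f[4]
            } else {
                next
            }
            if (perm != "---") printf "%s\t%s\n", path, $0
        }'
}

# Constructed sample shaped like `getfacl -R /mnt/software` output
# (getfacl strips the leading "/" from absolute path names).
SAMPLE='# file: mnt/software
# owner: root
# group: staff
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

# file: mnt/software/setup.exe
# owner: root
# group: staff
user::rwx
user:phil:rwx
group::r-x
mask::rwx
other::---
'
```

Running `printf '%s\n' "$SAMPLE" | find_other_access` lists the directory twice (access and default entry) and leaves `setup.exe` out, since its `other` entry is already empty.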



