[Samba] Samba4 - ACL not applied/followed (worked in samba 3.0.11)

Michal Hajek Hajek67 at gmail.com
Mon Dec 9 01:39:20 MST 2013


OK, I will answer myself to myself.

It is because samba3 capabilities are NOT a subset of samba4 ones. Samba4
seems not to bother with Linux ACL at all (or maybe only in some magic way,
which I did not discover in a week of searching)!  When I compiled and
ran v3.6, everything worked as expected at first try.

So for all wondering which version to choose when upgrading to v4 from v3
(with no need of AD) - if you use, or plan to use, Linux ACL, your ONLY
choice is v3.

I cannot understand why such insidious v4 behaviour is not clearly stated on
the Samba pages.

Michal



On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek <Hajek67 at gmail.com> wrote:

> Hi.
>
> samba 4.1.1. User has unix rights for writing, but samba denies write
> access to him.
>
> On samba server:
> amistest@samba:~$ id
> uid=6603(amistest) gid=20(users-nis)
> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
>
> -> user amistest is in "poj" group
>
> amistest@samba:~$ ls -ld ACLTEST
> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
> amistest@samba:~$ getfacl ACLTEST/
> # file: ACLTEST
> # owner: hrubos
> # group: vema
> user::rwx
> group::rwx
> group:poj:rwx
> mask::rwx
> other::r-x
>
> -> group poj can write in ACLTEST directory
>
> amistest@samba:~$ touch ACLTEST/test
> amistest@samba:~$ ls -l ACLTEST
> total 4
> -rw-rwxr--+ 1 hrubos   poj       0 Nov 27 10:54 POKUS
> -rw-r--r--  1 amistest users-nis 0 Nov 27 11:35 test
> amistest@samba:~$
>
> -> user amistest can write in ACLTEST directory.
>
> On PC, amistest logged into domain (sorry, it is in Czech):
>
> S:\>dir ACLTEST
>
>  Svazek v jednotce S je amistest.
>  Sériové číslo svazku je EE7A-B776.
>
>  Výpis adresáře S:\ACLTEST
>
> 27.11.2013  11:03    <DIR>          .
> 04.11.2013  09:52    <DIR>          ..
> 27.11.2013  10:54                 0 POKUS
> 27.11.2013  11:35                 0 test
>                2 souborů,              0 bajtů
>            Adresářů:     2,   Volných bajtů:    200 429 568
>
> -> user amistest sees ACLTEST directory
>
>
> S:\>net group /domain poj
> Požadavek bude zpracován na primárním řadiči domény NIS.
>
> Název skupiny     poj
> Komentář
>
> Členové
>
> -----------------------------------------------------------------------
> amistest             .....
>
> Příkaz byl úspěšně dokončen.
>
> -> user amistest is in "poj" group (seen from pc)
>
>
> S:\>mkdir ACLTEST\testdir
> Přístup byl odepřen.
>
> -> user amistest can NOT write into the directory.
>
> Homes section of smb.conf:
>
> [homes]
>         comment = Home Directories
>         path = /home/%u
>         read only = No
>         create mask = 0700
>         directory mask = 0700
>         inherit acls = Yes
>         browseable = No
>         root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>
> The same configuration worked in samba 3.0.11.
>
> The questions are:
> - how to check that samba 4.1.1 was compiled with acl support (I know it
> is default, but...)?
> - which parameter for samba 4.1.1 am I missing?
>
> Thanks, Michal
>
>
>
>
>
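
The filesystem-side check shown in the quoted message (id plus getfacl, then touch) can be reproduced offline. The following is an added example, not part of the original thread and not Samba code: it applies the access check order from acl(5) to the id and getfacl output quoted above. The function names (parse_id, parse_getfacl, may) are hypothetical, and it models only the kernel's POSIX ACL decision, not whatever smbd decides on top of it.

```python
import re

# Input copied from the getfacl and id output quoted in the post above.
GETFACL = """# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""
ID_LINE = ("uid=6603(amistest) gid=20(users-nis) groups=20(users-nis),2108(evis),"
           "2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)")

def parse_id(line):
    """Return (user name, set of group names) from one line of `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", line).group(1)
    return user, set(re.findall(r"\d+\(([^)]+)\)", line.split("groups=", 1)[1]))

def parse_getfacl(text):
    """Return (owner, owning group, [(tag, qualifier, perms)]) from getfacl text."""
    meta, entries = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            m = re.match(r"#\s*(\w+):\s*(\S+)", line)
            if m:
                meta[m.group(1)] = m.group(2)
        else:
            tag, qual, perms = line.split(":")[:3]
            entries.append((tag, qual, set(perms[:3]) - {"-"}))
    return meta["owner"], meta["group"], entries

def may(id_line, getfacl_text, want):
    """True if the acl(5) access check grants every permission in `want`."""
    user, groups = parse_id(id_line)
    owner, group, entries = parse_getfacl(getfacl_text)
    want = set(want)
    mask = next((p for t, _, p in entries if t == "mask"), set("rwx"))
    find = lambda tag, qual: [p for t, q, p in entries if (t, q) == (tag, qual)]
    if user == owner:                       # 1. owner entry, never masked
        return want <= find("user", "")[0]
    if find("user", user):                  # 2. named user entry, masked
        return want <= (find("user", user)[0] & mask)
    hits = [p & mask for t, q, p in entries if t == "group"
            and (q in groups or (q == "" and group in groups))]
    if hits:                                # 3. any one matching group entry may grant
        return any(want <= p for p in hits)
    return want <= find("other", "")[0]     # 4. nobody matched: other

if __name__ == "__main__":
    print("amistest may write ACLTEST:", may(ID_LINE, GETFACL, "w"))
```

If this reports write access while the share still refuses it, the denial is coming from a layer above the filesystem ACL.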
