[Samba] Samba4 - ACL not applied/followed (worked in samba 3.0.11)

Michael Wood esiotrot at gmail.com
Sun Dec 15 22:16:01 MST 2013


Perhaps you should log a bug for this.

-- 
Michael Wood
On 09 Dec 2013 10:39 AM, "Michal Hajek" <Hajek67 at gmail.com> wrote:

> OK, I will answer myself to myself.
>
> It is because samba3 capabilities are NOT a subset of the samba4 ones. Samba4
> seems not to bother with Linux ACLs at all (or maybe only in some magic way,
> which I did not discover in a week of searching)!  When I compiled and
> ran v3.6, everything worked as expected at first try.
>
> So for all wondering which version to choose when upgrading to v4 from v3
> (with no need of AD) - if you use - or plan to use - Linux ACLs, your ONLY
> choice is v3.
>
> I can not get that such insidious v4 behaviour is not clearly stated on
> samba pages.
>
> Michal
>
>
>
> On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek <Hajek67 at gmail.com> wrote:
>
> > Hi.
> >
> > samba 4.1.1. User has unix rights for writing, but samba denies write
> > access to him.
> >
> > On samba server:
> > amistest at samba:~$ id
> > uid=6603(amistest) gid=20(users-nis) groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
> >
> > -> user amistest is in "poj" group
> >
> > amistest at samba:~$ ls -ld ACLTEST
> > drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
> > amistest at samba:~$ getfacl ACLTEST/
> > # file: ACLTEST
> > # owner: hrubos
> > # group: vema
> > user::rwx
> > group::rwx
> > group:poj:rwx
> > mask::rwx
> > other::r-x
> >
> > -> group poj can write in ACLTEST directory
> >
> > amistest at samba:~$ touch ACLTEST/test
> > amistest at samba:~$ ls -l ACLTEST
> > total 4
> > -rw-rwxr--+ 1 hrubos   poj       0 Nov 27 10:54 POKUS
> > -rw-r--r--  1 amistest users-nis 0 Nov 27 11:35 test
> > amistest at samba:~$
> >
> > -> user amistest can write in ACLTEST directory.
> >
> > On PC, amistest logged into domain (sorry, it is in Czech):
> >
> > S:\>dir ACLTEST
> >
> >  Svazek v jednotce S je amistest.
> >  Sériové číslo svazku je EE7A-B776.
> >
> >  Výpis adresáře S:\ACLTEST
> >
> > 27.11.2013  11:03    <DIR>          .
> > 04.11.2013  09:52    <DIR>          ..
> > 27.11.2013  10:54                 0 POKUS
> > 27.11.2013  11:35                 0 test
> >                2 souborů,              0 bajtů
> >            Adresářů:     2,   Volných bajtů:    200 429 568
> >
> > -> user amistest sees ACLTEST directory
> >
> >
> > S:\>net group /domain poj
> > Požadavek bude zpracován na primárním řadiči domény NIS.
> >
> > Název skupiny     poj
> > Komentář
> >
> > Členové
> >
> > -----------------------------------------------------------------------
> > amistest             .....
> >
> > Příkaz byl úspěšně dokončen.
> >
> > -> user amistest is in "poj" group (seen from pc)
> >
> >
> > S:\>mkdir ACLTEST\testdir
> > Přístup byl odepřen.
> >
> > -> user amistest can NOT write into the directory.
> >
> > Homes section of smb.conf:
> >
> > [homes]
> >         comment = Home Directories
> >         path = /home/%u
> >         read only = No
> >         create mask = 0700
> >         directory mask = 0700
> >         inherit acls = Yes
> >         browseable = No
> >         root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
> >
> > The same configuration worked in samba 3.0.11.
> >
> > The questions are:
> > - how to check that samba 4.1.1 was compiled with acl support (I know it
> > is default, but...)?
> > - which parameter for samba 4.1.1 am I missing?
> >
> > Thanks, Michal
> >
> >
> >
> >
> >

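For reference, the POSIX.1e access-check order behind the server-side result quoted above (write access via the named `poj` group entry), as an added Python example that is not part of the original thread. The ACL text and group list are constructed from the quoted `getfacl` and `id` output, the function names are hypothetical, and the code models only the filesystem check, not how smbd maps the ACL for SMB clients.

```python
# Constructed from the `getfacl ACLTEST/` and `id` output quoted in the message.
GETFACL = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""
USER = "amistest"
GROUPS = {"users-nis", "evis", "slp", "hernie", "poj", "hto", "users"}

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, perm_set)])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")[:3]
            # perms[:3] drops any trailing "#effective:" annotation
            entries.append((tag, qual, set(perms[:3]) - {"-"}))
    return owner, group, entries

def access_allowed(text, user, groups, want):
    """POSIX.1e order: owner, named user, group class (masked), other."""
    owner, ogroup, entries = parse_getfacl(text)
    want = set(want)
    get = lambda tag, qual: [p for t, q, p in entries if t == tag and q == qual]
    mask = (get("mask", "") or [set("rwx")])[0]
    if user == owner:                       # owner entry is never masked
        return want <= get("user", "")[0]
    if get("user", user):                   # named user entry, limited by mask
        return want <= (get("user", user)[0] & mask)
    matching = [p for t, q, p in entries if t == "group"
                and ((q == "" and ogroup in groups) or q in groups)]
    if matching:                            # one group entry must grant everything
        return any(want <= (p & mask) for p in matching)
    return want <= get("other", "")[0]      # no group matched: fall through to other
```

Without the `poj` membership, or with the mask lowered to `r-x`, the same request for `w` is refused, which is the first thing to rule out when a share denies a write the ACL appears to allow.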
