[Samba] Samba4 - ACL not applied/followed (worked in samba 3.0.11)

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 16 03:32:56 MST 2013


On 09/12/13 08:39, Michal Hajek wrote:
> OK, I will answer myself to myself.
>
> It is because samba3 capabilities are NOT a subset of samba4 ones. Samba4
> seems not to bother with Linux ACL at all (or maybe only in some magic way,
> which I did not discover in a week of searching)!  When I compiled and
> ran v3.6, everything worked as expected at first try.
Do you have ACLs turned on for the partitions that hold the shares?

>
> So for all wondering which version to choose when upgrading to v4 from v3
> (with no need of AD): if you use, or plan to use, Linux ACLs, your ONLY
> choice is v3.
>
> I cannot understand why such insidious v4 behaviour is not clearly stated on
> the Samba pages.
>
> Michal
>
Yes, you are right, Samba4 does work differently from S3 when running in
AD mode: it runs like a Windows server. But you can run Samba4 just like
S3, and if that is all you require, then I suggest that this is what you
do. S3 is in security fixes mode now and will be discontinued sometime
in August 2014 (approx).

Rowland

>
> On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek <Hajek67 at gmail.com> wrote:
>
>> Hi.
>>
>> samba 4.1.1.. User has unix rights for writing, but samba denies write
>> access to him.
>>
>> On samba server:
>> amistest at samba:~$ id
>> uid=6603(amistest) gid=20(users-nis)
>> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
>>
>> -> user amistest is in "poj" group
>>
>> amistest at samba:~$ ls -ld ACLTEST
>> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
>> amistest at samba:~$ getfacl ACLTEST/
>> # file: ACLTEST
>> # owner: hrubos
>> # group: vema
>> user::rwx
>> group::rwx
>> group:poj:rwx
>> mask::rwx
>> other::r-x
>>
>> -> group poj can write in ACLTEST directory
>>
>> amistest at samba:~$ touch ACLTEST/test
>> amistest at samba:~$ ls -l ACLTEST
>> total 4
>> -rw-rwxr--+ 1 hrubos   poj       0 Nov 27 10:54 POKUS
>> -rw-r--r--  1 amistest users-nis 0 Nov 27 11:35 test
>> amistest at samba:~$
>>
>> -> user amistest can write in ACLTEST directory.
>>
>> On PC, amistest logged into domain (sorry, it is in Czech):
>>
>> S:\>dir ACLTEST
>>
>>   Svazek v jednotce S je amistest.
>>   Sériové číslo svazku je EE7A-B776.
>>
>>   Výpis adresáře S:\ACLTEST
>>
>> 27.11.2013  11:03    <DIR>          .
>> 04.11.2013  09:52    <DIR>          ..
>> 27.11.2013  10:54                 0 POKUS
>> 27.11.2013  11:35                 0 test
>>                 2 souborů,              0 bajtů
>>             Adresářů:     2,   Volných bajtů:    200 429 568
>>
>> -> user amistest sees ACLTEST directory
>>
>>
>> S:\>net group /domain poj
>> Požadavek bude zpracován na primárním řadiči domény NIS.
>>
>> Název skupiny     poj
>> Komentář
>>
>> Členové
>>
>> -----------------------------------------------------------------------
>> amistest             .....
>>
>> Příkaz byl úspěšně dokončen.
>>
>> -> user amistest is in "poj" group (seen from pc)
>>
>>
>> S:\>mkdir ACLTEST\testdir
>> Přístup byl odepřen.
>>
>> -> user amistest can NOT write into the directory.
>>
>> Homes section of smb.conf:
>>
>> [homes]
>>          comment = Home Directories
>>          path = /home/%u
>>          read only = No
>>          create mask = 0700
>>          directory mask = 0700
>>          inherit acls = Yes
>>          browseable = No
>>          root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>>
>> The same configuration worked in samba 3.0.11.
>>
>> The questions are:
>> - how to check that samba 4.1.1 was compiled with acl support (I know it
>> is default, but...)?
>> - which parameter for samba 4.1.1 am I missing?
>>
>> Thanks, Michal
>>
>>
>>
>>
>>
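
The Unix-side decision implied by the `getfacl` and `id` output quoted above, as an added example (not part of the original thread and not Samba code): it applies the POSIX.1e access-check order to that ACL and confirms the filesystem grants amistest write access, matching the successful `touch`. The function names are hypothetical; the ACL text and group list are copied from the post.

```python
# Added example: POSIX.1e access-check order applied to getfacl text.
GETFACL = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""  # ACL as quoted in the post
GROUPS = {"users-nis", "evis", "slp", "hernie", "poj", "hto", "users"}  # from `id`

def parse_getfacl(text):
    """Return owner, owning group, mask and the list of ACL entries."""
    acl = {"owner": None, "group": None, "mask": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            perms = set(perms[:3]) - {"-"}  # ignore any "#effective" suffix
            if tag == "mask":
                acl["mask"] = perms
            else:
                acl["entries"].append((tag, qualifier, perms))
    return acl

def allowed(acl, user, groups, want):
    """True if `user` with `groups` gets every permission in `want`."""
    want, mask, entries = set(want), acl["mask"], acl["entries"]
    cap = lambda p: p if mask is None else p & mask  # mask limits named/group entries
    if user == acl["owner"]:  # 1. owner entry, never masked
        return want <= next(p for t, q, p in entries if t == "user" and not q)
    for t, q, p in entries:  # 2. named user entry
        if t == "user" and q == user:
            return want <= cap(p)
    # 3. owning group and named groups: any single matching entry may grant
    matched = [cap(p) for t, q, p in entries
               if t == "group" and (q or acl["group"]) in groups]
    if matched:
        return any(want <= p for p in matched)
    return want <= next(p for t, q, p in entries if t == "other")  # 4. other

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL)
    print("amistest may create entries:", allowed(acl, "amistest", GROUPS, "wx"))
```

Creating a file or directory needs both `w` and `x` on the parent, which is why the check asks for `"wx"`.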


