[Samba] Samba4 - ACL not applied/followed (worked in samba 3.0.11)

Stéphane PURNELLE stephane.purnelle at corman.be
Mon Dec 16 03:51:49 MST 2013


Hi,

Just some comments:

- The "[homes] share" is a particular share; testing ACLs with this share is 
not very good.
- The "[homes] share" seems not to be recommended by samba (see: 
https://wiki.samba.org/index.php/Setting_up_a_home_share)
- ACLs work on shares; I tested a file server (samba 4.1.2) with a DC running 
samba4 too (samba 4.1.2).

Question(s)
- If you right-click on ACLTEST -> Properties -> Security, how does Windows see 
your ACL? Can you see the group "poj" with Full Control?




-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin.
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 16/12/2013 11:32:56:

> From : Rowland Penny <rowlandpenny at googlemail.com>
> To : Michal Hajek <Hajek67 at gmail.com>, samba at lists.samba.org, 
> Date : 16/12/2013 11:33
> Subject : Re: [Samba] Samba4 - ACL not applied/followed (worked in samba 3.0.11)
> Sent by : samba-bounces at lists.samba.org
> 
> On 09/12/13 08:39, Michal Hajek wrote:
> > OK, I will answer myself to myself.
> >
> > It is because samba3 capabilities are NOT a subset of samba4 ones. Samba4
> > seems not to bother with Linux ACLs at all (or maybe only in some magic way,
> > which I did not discover in a week of searching)!  When I compiled and
> > ran v3.6, everything worked as expected at first try.
> Do you have ACLs turned on for the partitions that hold the shares?
> 
> >
> > So for all wondering which version to choose when upgrading to v4 from v3
> > (with no need of AD ) - if you use -or plan using- linux ACL, your ONLY ONE
> > choice is v3.
> >
> > I cannot get that such insidious v4 behaviour is not clearly stated on
> > samba pages.
> >
> > Michal
> >
> Yes, you are right: Samba4 does work differently from S3 when running in 
> AD mode, it runs like a Windows server, but you can run Samba4 just like 
> S3, and if that is all you require, then I suggest that this is what you 
> do. S3 is in security fixes mode now and will be discontinued sometime 
> in August 2014 (approx).
> 
> Rowland
> 
> >
> > On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek <Hajek67 at gmail.com> wrote:
> >
> >> Hi.
> >>
> >> samba 4.1.1. The user has unix rights for writing, but samba denies write
> >> access to him.
> >>
> >> On samba server:
> >> amistest at samba:~$ id
> >> uid=6603(amistest) gid=20(users-nis)
> >> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
> >>
> >> -> user amistest is in "poj" group
> >>
> >> amistest at samba:~$ ls -ld ACLTEST
> >> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
> >> amistest at samba:~$ getfacl ACLTEST/
> >> # file: ACLTEST
> >> # owner: hrubos
> >> # group: vema
> >> user::rwx
> >> group::rwx
> >> group:poj:rwx
> >> mask::rwx
> >> other::r-x
> >>
> >> -> group poj can write in ACLTEST directory
> >>
> >> amistest at samba:~$ touch ACLTEST/test
> >> amistest at samba:~$ ls -l ACLTEST
> >> total 4
> >> -rw-rwxr--+ 1 hrubos   poj       0 Nov 27 10:54 POKUS
> >> -rw-r--r--  1 amistest users-nis 0 Nov 27 11:35 test
> >> amistest at samba:~$
> >>
> >> -> user amistest can write in ACLTEST directory.
> >>
> >> On PC, amistest logged into domain (sorry, it is in Czech):
> >>
> >> S:\>dir ACLTEST
> >>
> >>   Svazek v jednotce S je amistest.
> >>   Sériové číslo svazku je EE7A-B776.
> >>
> >>   Výpis adresáře S:\ACLTEST
> >>
> >> 27.11.2013  11:03    <DIR>          .
> >> 04.11.2013  09:52    <DIR>          ..
> >> 27.11.2013  10:54                 0 POKUS
> >> 27.11.2013  11:35                 0 test
> >>                 2 souborů,              0 bajtů
> >>             Adresářů:     2,   Volných bajtů:    200 429 568
> >>
> >> -> user amistest sees ACLTEST directory
> >>
> >>
> >> S:\>net group /domain poj
> >> Požadavek bude zpracován na primárním řadiči domény NIS.
> >>
> >> Název skupiny     poj
> >> Komentář
> >>
> >> Členové
> >>
> >> -----------------------------------------------------------------------
> >> amistest             .....
> >>
> >> Příkaz byl úspěšně dokončen.
> >>
> >> -> user amistest is in "poj" group (seen from pc)
> >>
> >>
> >> S:\>mkdir ACLTEST\testdir
> >> Přístup byl odepřen.
> >>
> >> -> user amistest can NOT write into the directory.
> >>
> >> Homes section of smb.conf:
> >>
> >> [homes]
> >>          comment = Home Directories
> >>          path = /home/%u
> >>          read only = No
> >>          create mask = 0700
> >>          directory mask = 0700
> >>          inherit acls = Yes
> >>          browseable = No
> >>          root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
> >>
> >> The same configuration worked in samba 3.0.11.
> >>
> >> The questions are:
> >> - how to check that samba 4.1.1 was compiled with acl support (I know it
> >> is the default, but...)?
> >> - which parameter for samba 4.1.1 am I missing?
> >>
> >> Thanks, Michal
> >>
> >>
> >>
> >>
> >>
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
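The local check Michal did by hand (getfacl, then touch) is the POSIX ACL evaluation order from acl(5): owner entry first, then a named user entry, then the owning group and any named group entries (each limited by the mask), and finally the other entry. The script below is an added example and is not part of the thread or of Samba; it parses getfacl output and replays that order so you can see exactly which entry grants or denies a given user a given bit. The first ACL text is copied from the getfacl output quoted above; the second is a constructed variant in which the mask has been tightened to r-x, which is the one thing that silently strips write from group:poj:rwx without changing the entry itself.

```python
import re

# Copied from the getfacl output quoted in the thread (directory ACLTEST).
GETFACL_ACLTEST = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""

# Constructed variant: same entries, but with a restrictive mask such as a
# "chmod g-w" leaves behind; getfacl then annotates the limited entries.
GETFACL_MASKED = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx                      #effective:r-x
group:poj:rwx                   #effective:r-x
mask::r-x
other::r-x
"""

PERM_BITS = "rwx"


def _bits(field):
    """Turn 'rwx' / 'r-x' / '---' into a set of permission letters."""
    return {c for c in field if c in PERM_BITS}


def parse_getfacl(text):
    """Parse getfacl(1) long-form output into a dict of access ACL entries."""
    acl = {"owner": None, "group": None, "user_obj": set(), "group_obj": set(),
           "users": {}, "groups": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        if line.startswith("default:"):
            continue  # default entries shape new files; they play no part in an access check
        # getfacl appends "#effective:..." when the mask limits an entry;
        # the check below recomputes that, so the annotation is dropped.
        line = line.split("#", 1)[0].strip()
        tag, qualifier, perms = line.split(":")
        bits = _bits(perms)
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = bits
            else:
                acl["user_obj"] = bits
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = bits
            else:
                acl["group_obj"] = bits
        elif tag == "mask":
            acl["mask"] = bits
        elif tag == "other":
            acl["other"] = bits
        else:
            raise ValueError("unknown ACL tag: %s" % tag)
    return acl


def access_granted(acl, user, groups, wanted):
    """Apply the acl(5) check order for one request such as "w" or "rw".

    The request succeeds only if a single matching entry grants all bits.
    """
    wanted = _bits(wanted)
    mask = acl["mask"]

    def limited(bits):
        return bits & mask if mask is not None else bits

    # 1. owner: ACL_USER_OBJ, never limited by the mask
    if user == acl["owner"]:
        return wanted <= acl["user_obj"]
    # 2. named user: ACL_USER, limited by the mask
    if user in acl["users"]:
        return wanted <= limited(acl["users"][user])
    # 3. owning group and named groups: any matching entry that still
    #    contains the request after the mask grants access; if some
    #    group entry matched but none grants, access is denied here
    groups = set(groups)
    candidates = []
    if acl["group"] in groups:
        candidates.append(acl["group_obj"])
    candidates += [bits for g, bits in acl["groups"].items() if g in groups]
    if candidates:
        return any(wanted <= limited(bits) for bits in candidates)
    # 4. everyone else: ACL_OTHER
    return wanted <= acl["other"]


def effective_perms(acl, user, groups):
    """Return the bits granted one at a time, in ls(1) style, e.g. 'rw-'."""
    return "".join(c if access_granted(acl, user, groups, c) else "-"
                   for c in PERM_BITS)


if __name__ == "__main__":
    # group list taken from the "id" output quoted in the thread
    amistest_groups = ["users-nis", "evis", "slp", "hernie", "poj", "hto", "users"]
    for label, text in (("ACLTEST as posted", GETFACL_ACLTEST),
                        ("ACLTEST with mask r-x", GETFACL_MASKED)):
        acl = parse_getfacl(text)
        print("%-22s amistest=%s hrubos=%s other=%s" % (
            label, effective_perms(acl, "amistest", amistest_groups),
            effective_perms(acl, "hrubos", []), effective_perms(acl, "nobody", [])))
```

Run against the posted ACL, amistest comes out rwx through the group:poj entry, which matches the successful touch in the thread; with the tightened mask the same entry yields r-x while the owner keeps rwx, because the mask never applies to the owner entry. When the kernel grants write and Samba still refuses it, the difference has to come from the Samba layer (the share's masks, whether the build and the VFS path honour POSIX ACLs at all), which is what Rowland's and Stéphane's questions are probing.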


