[Samba] Samba4 - ACL not applied/followed (worked in samba 3.0.11)

Michal Hajek Hajek67 at gmail.com
Mon Dec 16 04:00:24 MST 2013


For clarity: By ACL I mean LINUX ACLs (setfacl, getfacl), NOT anything set
from Windows clients.

On Mon, Dec 16, 2013 at 11:32 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 09/12/13 08:39, Michal Hajek wrote:
>
>> OK, I will answer myself to myself.
>>
>> It is because samba3 capabilities are NOT a subset of samba4 ones. Samba4
>> seems not to bother with Linux ACL at all (or maybe only in some magic
>> way,
>> which I did not discover in a week of searching)!  When I compiled and
>> ran v3.6, everything works as expected at first try.
>>
> Do you have ACLs turned on for the partitions that hold the shares?
>
>
Do you mean on the Linux FS? Yes, of course, as you can see in my first
mail (ACL is on and it works both directly on Linux FS and Samba v3 shares).
If you mean "explicitly in the share section of your smb.conf" then no. I
do not know how to do that. I had spent a nice few hours trying to configure
that. (And I must say Samba documentation really sucks.)


>
>
>> So for all wondering which version to choose when upgrading to v4 from v3
>> (with no need of AD ) - if you use -or plan using- linux ACL, your ONLY
>> ONE
>> choice is v3.
>>
>> I cannot get that such insidious v4 behaviour is not clearly stated on
>> samba pages.
>>
>> Michal
>>
> Yes, you are right, Samba4 does work differently from S3 when running in
> AD mode, it runs like a windows server, but you can run Samba4 just like S3
> and if that is all you require, then I suggest that this is what you do. S3
> is in security fixes mode now and will be discontinued sometime in August
> 2014 (approx).
>
>
V 4.1.0 compiled, started, ACL on shares not working.
V 3.6.22 compiled, started, ACL on shares working (the same smb.conf).

How can I "run Samba4 just like S3"? It is possible I am missing some
additional v4 parameter/setting, but I did not find which one.

Thanks,
                   Michal



> Rowland
>
>
>
>> On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek <Hajek67 at gmail.com> wrote:
>>
>>> Hi.
>>>
>>> samba 4.1.1. User has unix rights for writing, but samba denies write
>>> access to him.
>>>
>>> On samba server:
>>> amistest at samba:~$ id
>>> uid=6603(amistest) gid=20(users-nis)
>>> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),
>>> 2126(poj),2133(hto),20000(users)
>>>
>>> -> user amistest is in "poj" group
>>>
>>> amistest at samba:~$ ls -ld ACLTEST
>>> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
>>> amistest at samba:~$ getfacl ACLTEST/
>>> # file: ACLTEST
>>> # owner: hrubos
>>> # group: vema
>>> user::rwx
>>> group::rwx
>>> group:poj:rwx
>>> mask::rwx
>>> other::r-x
>>>
>>> -> group poj can write in ACLTEST directory
>>>
>>> amistest at samba:~$ touch ACLTEST/test
>>> amistest at samba:~$ ls -l ACLTEST
>>> total 4
>>> -rw-rwxr--+ 1 hrubos   poj       0 Nov 27 10:54 POKUS
>>> -rw-r--r--  1 amistest users-nis 0 Nov 27 11:35 test
>>> amistest at samba:~$
>>>
>>> -> user amistest can write in ACLTEST directory.
>>>
>>> On PC, amistest logged into domain (sorry, it is in Czech):
>>>
>>> S:\>dir ACLTEST
>>>
>>>   Svazek v jednotce S je amistest.
>>>   Sériové číslo svazku je EE7A-B776.
>>>
>>>   Výpis adresáře S:\ACLTEST
>>>
>>> 27.11.2013  11:03    <DIR>          .
>>> 04.11.2013  09:52    <DIR>          ..
>>> 27.11.2013  10:54                 0 POKUS
>>> 27.11.2013  11:35                 0 test
>>>                 2 souborů,              0 bajtů
>>>             Adresářů:     2,   Volných bajtů:    200 429 568
>>>
>>> -> user amistest sees ACLTEST directory
>>>
>>>
>>> S:\>net group /domain poj
>>> Požadavek bude zpracován na primárním řadiči domény NIS.
>>>
>>> Název skupiny     poj
>>> Komentář
>>>
>>> Členové
>>>
>>> -----------------------------------------------------------------------
>>> amistest             .....
>>>
>>> Příkaz byl úspěšně dokončen.
>>>
>>> -> user amistest is in "poj" group (seen from pc)
>>>
>>>
>>> S:\>mkdir ACLTEST\testdir
>>> Přístup byl odepřen.
>>>
>>> -> user amistest can NOT write into the directory.
>>>
>>> Homes section of smb.conf:
>>>
>>> [homes]
>>>          comment = Home Directories
>>>          path = /home/%u
>>>          read only = No
>>>          create mask = 0700
>>>          directory mask = 0700
>>>          inherit acls = Yes
>>>          browseable = No
>>>          root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>>>
>>> The same configuration worked in samba 3.0.11.
>>>
>>> The questions are:
>>> - how to check that samba 4.1.1 was compiled with acl support (I know it
>>> is default, but...)?
>>> - which parameter for samba 4.1.1 am I missing?
>>>
>>> Thanks, Michal
>>>
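The thread's diagnosis rests on reading the `getfacl` listing by hand: the owning group is `vema`, the user is in `poj`, and `group:poj:rwx` with `mask::rwx` should grant write. The following is an added example, not code from the thread or from the Samba project, that applies the POSIX ACL access-check algorithm described in acl(5) (owner entry first, then a named user entry, then the group class with the mask applied, then `other`) to `getfacl` text output. The sample listing and the group list are constructed from the thread's own `getfacl` and `id` output; the `check_access` and `parse_getfacl` names are this example's own. It also handles the case the thread does not show, a mask that cuts a named group entry down (the situation in which `getfacl` appends an `#effective:` hint), so a denial can be traced to a specific entry rather than guessed at.

```python
"""Added example (not from the thread): evaluate POSIX ACL access the way the
Linux kernel does, per acl(5), on getfacl(1) text output."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the thread's getfacl output for ACLTEST.
SAMPLE_GETFACL = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""

# Constructed from the thread's `id` output for user amistest.
AMISTEST_GROUPS = ["users-nis", "evis", "slp", "hernie", "poj", "hto", "users"]


@dataclass
class PosixAcl:
    owner: str = ""
    group: str = ""
    user_obj: str = "---"          # user::    (file owner)
    group_obj: str = "---"         # group::   (owning group)
    other: str = "---"             # other::
    mask: Optional[str] = None     # mask::    (absent on a minimal ACL)
    users: Dict[str, str] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, str] = field(default_factory=dict)  # group:NAME:


def parse_getfacl(text: str) -> PosixAcl:
    """Parse getfacl's text output. Only access entries are kept; default:
    entries are skipped because they seed new children, not this object."""
    acl = PosixAcl()
    for raw in text.splitlines():
        line = raw.split("#effective:", 1)[0].strip()  # drop getfacl's hint comment
        if not line:
            continue
        if line.startswith("#"):                         # header comments
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = value.strip()
            elif key.strip() == "group":
                acl.group = value.strip()
            continue
        if line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = perms
            else:
                acl.user_obj = perms
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = perms
            else:
                acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
        else:
            raise ValueError(f"unknown ACL tag: {tag}")
    return acl


def _bits(perms: str) -> Set[str]:
    return {c for c in perms if c in "rwx"}


def check_access(acl: PosixAcl, user: str, groups: List[str], want: str) -> Tuple[bool, str]:
    """Return (granted, entry_that_decided) for a request `want` such as 'w' or 'rx'."""
    need = _bits(want)
    mask = _bits(acl.mask) if acl.mask is not None else set("rwx")
    if user == acl.owner:                                # owner entry is never masked
        return need <= _bits(acl.user_obj), "user::"
    if user in acl.users:
        return need <= (_bits(acl.users[user]) & mask), f"user:{user}:"
    # Group class: any matching entry that still grants the request after masking wins.
    candidates = []
    if acl.group in groups:
        candidates.append(("group::", acl.group_obj))
    candidates += [(f"group:{g}:", p) for g, p in acl.groups.items() if g in groups]
    for entry, perms in candidates:
        if need <= (_bits(perms) & mask):
            return True, entry
    if candidates:                                       # matched a group but it did not grant
        return False, candidates[0][0]
    return need <= _bits(acl.other), "other::"


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print(check_access(acl, "amistest", AMISTEST_GROUPS, "w"))   # (True, 'group:poj:')
```

Run on the thread's data this returns `(True, 'group:poj:')` for amistest, which agrees with the `touch ACLTEST/test` succeeding on the server; a write refused by smbd against the same directory therefore has to come from the Samba layer, which is exactly what the poster concluded by swapping binaries over the same smb.conf. For the first of the two questions at the end of the thread, `smbd -b` prints the build options of the installed smbd and is the place to look for the POSIX ACL defines.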