[Samba] Samba4 - ACL not applied/followed (worked in samba 3.0.11)

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 16 04:13:15 MST 2013


On 16/12/13 11:00, Michal Hajek wrote:
> For clarity: By ACL I mean LINUX ACLs (setfacl, getfacl), NOT anything 
> set from Windows clients.
>
> On Mon, Dec 16, 2013 at 11:32 AM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>     On 09/12/13 08:39, Michal Hajek wrote:
>
>         OK, I will answer myself to myself.
>
>         It is because samba3 capabilities are NOT a subset of samba4
>         ones. Samba4
>         seems not to bother with Linux ACLs at all (or maybe only in
>         some magic way,
>         which I did not discover in a week of searching)!  When I
>         compiled and
>         ran v3.6, everything worked as expected on the first try.
>
>     Do you have ACLs turned on for the partitions that hold the shares?
>
>
> Do you mean on the Linux FS? Yes, of course, as you can see in my 
> first mail (ACL is on and it works both directly on the Linux FS and on Samba 
> v3 shares).
> If you mean "explicitly in the share section of your smb.conf" then 
> no. I do not know how to do that. I had spent a nice few hours trying to 
> configure that. (And I must say Samba documentation really sucks.)
>
>
>
>         So for all wondering which version to choose when upgrading to
>         v4 from v3
>         (with no need of AD) - if you use - or plan on using - Linux ACLs,
>         your ONE and ONLY
>         choice is v3.
>
>         I cannot get that such insidious v4 behaviour is not clearly
>         stated on
>         the samba pages.
>
>         Michal
>
>     Yes, you are right, Samba4 does work differently from S3 when
>     running in AD mode: it runs like a Windows server. But you can run
>     Samba4 just like S3, and if that is all you require, then I suggest
>     that this is what you do. S3 is in security-fixes mode now and
>     will be discontinued sometime in August 2014 (approx.).
>
>
> V 4.1.0 compiled, started, ACL on shares not working.
> V 3.6.22 compiled, started, ACL on shares working (the same smb.conf).
>
> How can I "run Samba4 just like S3"? It is possible I am missing some 
> additional v4 parameter/setting, but I did not find which one.
>
> Thanks,
>                    Michal
>
>     Rowland
>
>
>
>         On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek
>         <Hajek67 at gmail.com> wrote:
>
>             Hi.
>
>             samba 4.1.1. User has unix rights for writing, but samba
>             denies him write
>             access.
>
>             On samba server:
>             amistest at samba:~$ id
>             uid=6603(amistest) gid=20(users-nis)
>             groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
>
>             -> user amistest is in "poj" group
>
>             amistest at samba:~$ ls -ld ACLTEST
>             drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
>             amistest at samba:~$ getfacl ACLTEST/
>             # file: ACLTEST
>             # owner: hrubos
>             # group: vema
>             user::rwx
>             group::rwx
>             group:poj:rwx
>             mask::rwx
>             other::r-x
>
>             -> group poj can write in ACLTEST directory
>
>             amistest at samba:~$ touch ACLTEST/test
>             amistest at samba:~$ ls -l ACLTEST
>             total 4
>             -rw-rwxr--+ 1 hrubos   poj       0 Nov 27 10:54 POKUS
>             -rw-r--r--  1 amistest users-nis 0 Nov 27 11:35 test
>             amistest at samba:~$
>
>             -> user amistest can write in ACLTEST directory.
>
>             On PC, amistest logged into domain (sorry, it is in Czech):
>
>             S:\>dir ACLTEST
>
>               Svazek v jednotce S je amistest.
>               Sériové číslo svazku je EE7A-B776.
>
>               Výpis adresáře S:\ACLTEST
>
>             27.11.2013  11:03    <DIR>          .
>             04.11.2013  09:52    <DIR>          ..
>             27.11.2013  10:54                 0 POKUS
>             27.11.2013  11:35                 0 test
>                             2 souborů,              0 bajtů
>                         Adresářů:     2,   Volných bajtů:  200 429 568
>
>             -> user amistest sees ACLTEST directory
>
>
>             S:\>net group /domain poj
>             Požadavek bude zpracován na primárním řadiči domény NIS.
>
>             Název skupiny     poj
>             Komentář
>
>             Členové
>
>             -----------------------------------------------------------------------
>             amistest             .....
>
>             Příkaz byl úspěšně dokončen.
>
>             -> user amistest is in "poj" group (seen from pc)
>
>
>             S:\>mkdir ACLTEST\testdir
>             Přístup byl odepřen.
>
>             -> user amistest can NOT write into the directory.
>
>             Homes section of smb.conf:
>
>             [homes]
>                      comment = Home Directories
>                      path = /home/%u
>                      read only = No
>                      create mask = 0700
>                      directory mask = 0700
>                      inherit acls = Yes
>                      browseable = No
>                      root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>
>             The same configuration worked in samba 3.0.11.
>
>             The questions are:
>             - how to check that samba 4.1.1 was compiled with ACL
>             support (I know it
>             is the default, but...)?
>             - which parameter for samba 4.1.1 am I missing?
>
>             Thanks, Michal
When you provision S4 and then run it in AD mode, you start the samba 
daemon; this in turn starts the smbd daemon. You should then consider it 
to be a Windows server and connect to it as if it were one.

But you can set S4 up just like S3 and start the smbd & nmbd daemons 
(and optionally the winbind daemon); it will then work just like an S3 
machine, so you can set it up as an old style NT PDC, a standalone 
server or a member server joined to an AD domain. In fact, anything an S3 
machine can do, an S4 machine can do.

If you do run S4 as an AD server, then connect to it as if it were a 
Windows server and you will not go far wrong.

Rowland
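The thread never pins down what the Linux side actually grants, so here is an added example (not from the thread and not Samba code) that evaluates the posted getfacl listing the way the kernel does, mask entry included; the ACL text and the group list of amistest are copied from the mails above, and the parsing and evaluation functions are this example's own.

```python
# getfacl output for ACLTEST as posted in the thread (copied here as a string)
ACLTEST = """# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""

# groups of 'amistest' from the id(1) output in the thread
AMISTEST_GROUPS = {"users-nis", "evis", "slp", "hernie", "poj", "hto", "users"}

def parse_acl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...]) from getfacl text."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()  # drop effective annotations
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, perms))
    return owner, group, entries

def apply_mask(perms, mask):
    """Bits absent from the mask entry are dropped (acl(5) masking rule)."""
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def effective_perms(acl_text, user, groups):
    """Permissions the kernel grants `user` (member of `groups`), following the
    acl(5) evaluation order: owner, named user, owning/named groups, other."""
    owner, owning_group, entries = parse_acl(acl_text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    if user == owner:  # the user:: entry is never masked
        return next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return apply_mask(p, mask)
    matched = [p for t, q, p in entries
               if t == "group" and (q in groups or (q == "" and owning_group in groups))]
    if matched:  # union of all matching group entries, then masked
        union = "".join("-" if all(m[i] == "-" for m in matched) else "rwx"[i]
                        for i in range(3))
        return apply_mask(union, mask)
    return next(p for t, q, p in entries if t == "other")
```

Because the mask entry is stored in the group bits of the mode, any chmod that clears those bits lowers the effective rights of every named group, which getfacl reports with an #effective: annotation; running the function with the mask changed to r-x shows group:poj:rwx collapsing to r-x.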


