[Samba] Samba4 - ACL not applied/followed (worked in samba 3.0.11)
Rowland Penny
rowlandpenny at googlemail.com
Mon Dec 16 04:13:15 MST 2013
On 16/12/13 11:00, Michal Hajek wrote:
> For clarity: By ACL I mean LINUX ACLs (seftacl, getfacl), NOT anything
> set from Windows clients.
>
> On Mon, Dec 16, 2013 at 11:32 AM, Rowland Penny
> <rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> wrote:
>
> On 09/12/13 08:39, Michal Hajek wrote:
>
> OK, I will answer myself to myself.
>
> Its is because samba3 capabilities is NOT subset of samba4
> ones. Samba4
> seems not to bother with Linux ACL at all (or maybe only in
> some magic way,
> which I did not discovered in a week of searching)! When I
> compiled and
> run v3.6, everything works as expected at first try.
>
> Do you have ACL's turned on for the partions that hold the shares?
>
>
> Do you mean on the Linux FS? Yes, of course, as you can see in my
> first mail (ACL is on and it works both directly on Linux FS and Samba
> v3 shares).
> If you mean "explicitly in the share section of your smb.conf" then
> no. I do not know how to do that. I had spent nice few hours trying to
> configure that. (And I must say Samba documentation really sucks.)
>
>
>
> So for all wondering which version to choose when upgrading to
> v4 from v3
> (with no need of AD ) - if you use -or plan using- linux ACL,
> your ONLY ONE
> choice is v3.
>
> I can not get that such insidious v4 behaviour is not clearly
> stated on
> samba pages.
>
> Michal
>
> Yes you are right Samba4 does work differently from S3 when
> running in AD mode, it runs like a windows server, but you can run
> Samba4 just like S3 and if that is all you require, then I suggest
> that this is what you do. S3 is in security fixes mode now and
> will be discontinued sometime in August 2014 (approx).
>
>
> V 4.1.0 compiled, started, ACL on shares not working.
> V 3.6.22 compiled, started, ACL on shares working (the same smb.conf).
>
> How can I "run Samba4 just like S3"? It is possible I am missing some
> additional v4 parameter/setting, but I did not find which one.
>
> Thanks,
> Michal
>
> Rowland
>
>
>
> On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek
> <Hajek67 at gmail.com <mailto:Hajek67 at gmail.com>> wrote:
>
> Hi.
>
> samba 4.1.1.. User has unix rights for writing, but samba
> denies write
> access to him.
>
> On samba server:
> amistest at samba:~$ id
> uid=6603(amistest) gid=20(users-nis)
> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
>
> -> user amistest is in "poj" group
>
> amistest at samba:~$ ls -ld ACLTEST
> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
> amistest at samba:~$ getfacl ACLTEST/
> # file: ACLTEST
> # owner: hrubos
> # group: vema
> user::rwx
> group::rwx
> group:poj:rwx
> mask::rwx
> other::r-x
>
> -> group poj can write in ACLTEST directory
>
> amistest at samba:~$ touch ACLTEST/test
> amistest at samba:~$ ls -l ACLTEST
> total 4
> -rw-rwxr--+ 1 hrubos poj 0 Nov 27 10:54 POKUS
> -rw-r--r-- 1 amistest users-nis 0 Nov 27 11:35 test
> amistest at samba:~$
>
> -> user amistest can write in ACLTEST directory.
>
> On PC, amistest logged into domain (sorry, it is in Czech):
>
> S:\>dir ACLTEST
>
> Svazek v jednotce S je amistest.
> Sériové číslo svazku je EE7A-B776.
>
> Výpis adresáře S:\ACLTEST
>
> 27.11.2013 11:03 <DIR> .
> 04.11.2013 09:52 <DIR> ..
> 27.11.2013 10:54 0 POKUS
> 27.11.2013 11:35 0 test
> 2 souborů, 0 bajtů
> Adresářů: 2, Volných bajtů: 200 429 568
>
> -> user amistest sees ACLTEST directory
>
>
> S:\>net group /domain poj
> Požadavek bude zpracován na primárním řadiči domény NIS.
>
> Název skupiny poj
> Komentář
>
> Členové
>
> -----------------------------------------------------------------------
> amistest .....
>
> Příkaz byl úspěšně dokončen.
>
> -> user amistest in in "poj" group (seen from pc)
>
>
> S:\>mkdir ACLTEST\testdir
> Přístup byl odepřen.
>
> -> user amistest can NOT write into the directory.
>
> Homes section of smb.conf:
>
> [homes]
> comment = Home Directories
> path = /home/%u
> read only = No
> create mask = 0700
> directory mask = 0700
> inherit acls = Yes
> browseable = No
> root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>
> The same configuration worked in samba 3.0.11.
>
> The questions are:
> - how to check that samba 4.1.1 was compiled with acl
> support (I know it
> is default, but...)?
> - which parameter for samba 4.1.1 am I missing?
>
> Thanks, Michal
>
>
>
>
>
>
>
When you provision S4 and then run it in AD mode, you start the samba
daemon, this in turn starts the smbd daemon, you should then consider it
to be a windows server and connect to it as if it was one.
But you can set S4 just up like S3 and start the smbd & nmbd daemons
(and optionally the winbind daemon), it will then work just an S3
machine, so you can set it up as an old style NT PDC, a standalone
server or a memberserver joined to an AD domain, in fact anything an S3
machine can do, a S4 machine can do.
If you do run S4 as an AD server, then connect to it as if it was a
windows server and you will not go far wrong.
Rowland
More information about the samba
mailing list