[Samba] Fwd: Samba4 - ACL not applied/followed (worked in samba 3.0.11)

Michal Hajek Hajek67 at gmail.com
Mon Dec 16 04:23:37 MST 2013


I start smbd and nmbd (and no winbind), so I expect "v3" behaviour,
including ACLs. Am I right? But ACLs are not applied on shares. Any new
parameters needed for v4?

Michal


On Mon, Dec 16, 2013 at 12:13 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

>  On 16/12/13 11:00, Michal Hajek wrote:
>
>  For clarity: by ACL I mean LINUX ACLs (setfacl, getfacl), NOT anything
> set from Windows clients.
>
> On Mon, Dec 16, 2013 at 11:32 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> On 09/12/13 08:39, Michal Hajek wrote:
>>
>>> OK, I will answer myself to myself.
>>>
>>> It is because samba3 capabilities are NOT a subset of samba4 ones. Samba4
>>> seems not to bother with Linux ACLs at all (or maybe only in some magic
>>> way, which I did not discover in a week of searching)! When I compiled and
>>> ran v3.6, everything worked as expected at first try.
>>>
>>  Do you have ACLs turned on for the partitions that hold the shares?
>>
>>
>  Do you mean on the Linux FS? Yes, of course, as you can see in my first
> mail (ACL is on and it works both directly on the Linux FS and on Samba v3 shares).
>  If you mean "explicitly in the share section of your smb.conf", then no.
> I do not know how to do that. I had spent a nice few hours trying to
> configure that. (And I must say Samba documentation really sucks.)
>
>
>>
>>
>>> So for all wondering which version to choose when upgrading to v4 from v3
>>> (with no need of AD): if you use -or plan using- linux ACL, your ONLY
>>> ONE choice is v3.
>>>
>>> I cannot get that such insidious v4 behaviour is not clearly stated on
>>> samba pages.
>>>
>>> Michal
>>>
>>  Yes, you are right, Samba4 does work differently from S3 when running in
>> AD mode: it runs like a Windows server. But you can run Samba4 just like S3,
>> and if that is all you require, then I suggest that this is what you do. S3
>> is in security-fixes mode now and will be discontinued sometime in August
>> 2014 (approx).
>>
>>
>  V 4.1.0 compiled, started, ACL on shares not working.
>  V 3.6.22 compiled, started, ACL on shares working (the same smb.conf).
>
> How can I "run Samba4 just like S3"? It is possible I am missing some
> additional v4 parameter/setting, but I did not find which one.
>
>  Thanks,
>                     Michal
>
>
>
>>  Rowland
>>
>>
>>
>>> On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek <Hajek67 at gmail.com>
>>> wrote:
>>>
>>>  Hi.
>>>>
>>>> samba 4.1.1.. User has unix rights for writing, but samba denies write
>>>> access to him.
>>>>
>>>> On samba server:
>>>> amistest at samba:~$ id
>>>> uid=6603(amistest) gid=20(users-nis)
>>>>
>>>> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
>>>>
>>>> -> user amistest is in "poj" group
>>>>
>>>> amistest at samba:~$ ls -ld ACLTEST
>>>> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
>>>> amistest at samba:~$ getfacl ACLTEST/
>>>> # file: ACLTEST
>>>> # owner: hrubos
>>>> # group: vema
>>>> user::rwx
>>>> group::rwx
>>>> group:poj:rwx
>>>> mask::rwx
>>>> other::r-x
>>>>
>>>> -> group poj can write in ACLTEST directory
>>>>
>>>> amistest at samba:~$ touch ACLTEST/test
>>>> amistest at samba:~$ ls -l ACLTEST
>>>> total 4
>>>> -rw-rwxr--+ 1 hrubos   poj       0 Nov 27 10:54 POKUS
>>>> -rw-r--r--  1 amistest users-nis 0 Nov 27 11:35 test
>>>> amistest at samba:~$
>>>>
>>>> -> user amistest can write in ACLTEST directory.
>>>>
>>>> On PC, amistest logged into domain (sorry, it is in Czech):
>>>>
>>>> S:\>dir ACLTEST
>>>>
>>>>   Svazek v jednotce S je amistest.
>>>>   Sériové číslo svazku je EE7A-B776.
>>>>
>>>>   Výpis adresáře S:\ACLTEST
>>>>
>>>> 27.11.2013  11:03    <DIR>          .
>>>> 04.11.2013  09:52    <DIR>          ..
>>>> 27.11.2013  10:54                 0 POKUS
>>>> 27.11.2013  11:35                 0 test
>>>>                 2 souborů,              0 bajtů
>>>>             Adresářů:     2,   Volných bajtů:    200 429 568
>>>>
>>>> -> user amistest sees ACLTEST directory
>>>>
>>>>
>>>> S:\>net group /domain poj
>>>> Požadavek bude zpracován na primárním řadiči domény NIS.
>>>>
>>>> Název skupiny     poj
>>>> Komentář
>>>>
>>>> Členové
>>>>
>>>> -----------------------------------------------------------------------
>>>> amistest             .....
>>>>
>>>> Příkaz byl úspěšně dokončen.
>>>>
>>>> -> user amistest is in "poj" group (seen from pc)
>>>>
>>>>
>>>> S:\>mkdir ACLTEST\testdir
>>>> Přístup byl odepřen.
>>>>
>>>> -> user amistest can NOT write into the directory.
>>>>
>>>> Homes section of smb.conf:
>>>>
>>>> [homes]
>>>>          comment = Home Directories
>>>>          path = /home/%u
>>>>          read only = No
>>>>          create mask = 0700
>>>>          directory mask = 0700
>>>>          inherit acls = Yes
>>>>          browseable = No
>>>>          root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>>>>
>>>> The same configuration worked in samba 3.0.11.
>>>>
>>>> The questions are:
>>>> - how to check that samba 4.1.1 was compiled with acl support (I know it
>>>> is default, but...)?
>>>> - which parameter for samba 4.1.1 am I missing?
>>>>
>>>> Thanks, Michal
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>
>   When you provision S4 and then run it in AD mode, you start the samba
> daemon, which in turn starts the smbd daemon; you should then consider it to
> be a Windows server and connect to it as if it were one.
>
> But you can set S4 up just like S3 and start the smbd & nmbd daemons (and
> optionally the winbind daemon); it will then work just like an S3 machine, so
> you can set it up as an old-style NT PDC, a standalone server or a
> member server joined to an AD domain. In fact, anything an S3 machine can do,
> an S4 machine can do.
>
> If you do run S4 as an AD server, then connect to it as if it were a
> Windows server and you will not go far wrong.
>
> Rowland
>
>
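The Linux-side check in the thread (getfacl shows group:poj:rwx under mask::rwx, so amistest can create files in ACLTEST) follows the POSIX ACL evaluation order described in acl(5). The Python below is an added example, not code from the Samba project or from anyone in this thread: it parses getfacl output and evaluates access the way the kernel does (owner entry, then a named user entry, then owning and named group entries under the mask, then other). The first sample is the getfacl output quoted in the thread; the second, with a mask that drops write, is constructed to show the one case where a group entry still reads rwx yet write is refused. It models only the kernel's check; the thread's actual problem is that smbd refused what the kernel allowed, which this code does not diagnose.

```python
"""Evaluate POSIX ACL access from getfacl output, in the kernel's order.

Added example for the Samba ACL thread; not code from Samba or its posters.
"""
import re

# getfacl output exactly as quoted in the thread (owner hrubos, group vema).
GETFACL_ACLTEST = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""

# Constructed variant: same entries, but the mask no longer permits 'w'.
# getfacl prints an "#effective:" annotation on the entries the mask limits.
GETFACL_MASKED = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx                      #effective:r-x
group:poj:rwx                   #effective:r-x
mask::r-x
other::r-x
"""

# Group memberships of amistest as printed by `id` in the thread.
AMISTEST_GROUPS = {"users-nis", "evis", "slp", "hernie", "poj", "hto", "users"}


def _perm_set(text):
    """'rwx' or 'r-x' -> set of granted permission letters."""
    return {c for c in text if c in "rwx"}


def parse_getfacl(output):
    """Parse getfacl text into owner, owning group and the ACL entries."""
    acl = {"owner": None, "group": None, "user": {}, "group_entries": {},
           "mask": None, "other": set()}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # header comment
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        entry = line.split("#", 1)[0].strip()          # drop "#effective:..."
        tag, qualifier, perms = entry.split(":")
        perms = _perm_set(perms)
        if tag == "user":
            acl["user"][qualifier] = perms             # "" = owner entry
        elif tag == "group":
            acl["group_entries"][qualifier] = perms    # "" = owning group entry
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def check_access(acl, user, groups, want):
    """True if `user` (member of `groups`) holds every permission in `want`.

    Order per acl(5): owner -> named user -> matching group entries -> other.
    Owner and other are never limited by the mask; named users and groups are.
    """
    want = set(want)
    mask = acl["mask"]

    def mask_allows():
        return mask is None or want <= mask

    if user == acl["owner"]:
        return want <= acl["user"][""]
    if user in acl["user"]:
        return want <= acl["user"][user] and mask_allows()
    found = False
    for name, perms in acl["group_entries"].items():
        member = acl["group"] in groups if name == "" else name in groups
        if member:
            found = True
            if want <= perms:            # first matching entry that grants it
                return mask_allows()     # ... still has to pass the mask
    if found:                            # some group matched, none granted it
        return False
    return want <= acl["other"]


def can_write(getfacl_output, user, groups):
    """Can `user` create entries in the directory the getfacl output describes?"""
    return check_access(parse_getfacl(getfacl_output), user, groups, "w")


if __name__ == "__main__":
    print("amistest, thread's ACL :", can_write(GETFACL_ACLTEST, "amistest", AMISTEST_GROUPS))
    print("amistest, mask r-x     :", can_write(GETFACL_MASKED, "amistest", AMISTEST_GROUPS))
    print("owner hrubos, mask r-x :", can_write(GETFACL_MASKED, "hrubos", {"vema"}))
```

Feeding it the thread's own output returns True for amistest, which matches the `touch ACLTEST/test` that succeeded on the server; only the constructed mask variant turns that into a denial. When a share behaves like the one in the thread (kernel permits, smbd refuses), the mask is therefore the first thing to rule out on the Linux side, after which the problem has to be in smbd's own access checks or share options rather than in the filesystem ACL. For the thread's other question, `smbd -b` prints the build options of the installed smbd.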

