[Samba] Fwd: Samba4 - ACL not applied/followed (worked in samba 3.0.11)

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 16 04:46:53 MST 2013


On 16/12/13 11:23, Michal Hajek wrote:
> I start smbd and nmbd (and no winbind), so I expect "v3" behaviour,
> including ACLs. Am I right? But ACLs are not applied on shares. Are any new
> parameters needed for v4?
>
> Michal
>
>
> On Mon, Dec 16, 2013 at 12:13 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 16/12/13 11:00, Michal Hajek wrote:
>>
>> For clarity: By ACL I mean LINUX ACLs (setfacl, getfacl), NOT anything
>> set from Windows clients.
>>
>> On Mon, Dec 16, 2013 at 11:32 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>>> On 09/12/13 08:39, Michal Hajek wrote:
>>>
>>>> OK, I will answer myself to myself.
>>>>
>>>> It is because samba3 capabilities are NOT a subset of samba4 ones. Samba4
>>>> seems not to bother with Linux ACLs at all (or maybe only in some magic
>>>> way, which I did not discover in a week of searching)! When I compiled and
>>>> ran v3.6, everything worked as expected at first try.
>>>>
>>> Do you have ACLs turned on for the partitions that hold the shares?
>>>
>>>
>> Do you mean on the Linux FS? Yes, of course, as you can see in my first
>> mail (ACL is on and it works both directly on the Linux FS and on Samba v3 shares).
>> If you mean "explicitly in the share section of your smb.conf" then no.
>> I do not know how to do that. I had spent a nice few hours trying to
>> configure that. (And I must say Samba documentation really sucks.)
>>
>>
>>>
>>>> So for all wondering which version to choose when upgrading to v4 from v3
>>>> (with no need of AD): if you use (or plan on using) Linux ACLs, your ONLY
>>>> choice is v3.
>>>>
>>>> I cannot get that such insidious v4 behaviour is not clearly stated on
>>>> the samba pages.
>>>>
>>>> Michal
>>>>
>>> Yes, you are right, Samba4 does work differently from S3 when running in
>>> AD mode: it runs like a windows server. But you can run Samba4 just like S3,
>>> and if that is all you require, then I suggest that this is what you do. S3
>>> is in security-fixes mode now and will be discontinued sometime in August
>>> 2014 (approx).
>>>
>>>
>> V 4.1.0 compiled, started, ACL on shares not working.
>> V 3.6.22 compiled, started, ACL on shares working (the same smb.conf).
>>
>> How can I "run Samba4 just like S3"? It is possible I am missing some
>> additional v4 parameter/setting, but I did not find which one.
>>
>> Thanks,
>> Michal
>>
>>
>>
>>> Rowland
>>>
>>>
>>>
>>>> On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek <Hajek67 at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi.
>>>>> samba 4.1.1. User has unix rights for writing, but samba denies him write
>>>>> access.
>>>>>
>>>>> On samba server:
>>>>> amistest at samba:~$ id
>>>>> uid=6603(amistest) gid=20(users-nis)
>>>>>
>>>>> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
>>>>>
>>>>> -> user amistest is in "poj" group
>>>>>
>>>>> amistest at samba:~$ ls -ld ACLTEST
>>>>> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
>>>>> amistest at samba:~$ getfacl ACLTEST/
>>>>> # file: ACLTEST
>>>>> # owner: hrubos
>>>>> # group: vema
>>>>> user::rwx
>>>>> group::rwx
>>>>> group:poj:rwx
>>>>> mask::rwx
>>>>> other::r-x
>>>>>
>>>>> -> group poj can write in ACLTEST directory
>>>>>
>>>>> amistest at samba:~$ touch ACLTEST/test
>>>>> amistest at samba:~$ ls -l ACLTEST
>>>>> total 4
>>>>> -rw-rwxr--+ 1 hrubos   poj       0 Nov 27 10:54 POKUS
>>>>> -rw-r--r--  1 amistest users-nis 0 Nov 27 11:35 test
>>>>> amistest at samba:~$
>>>>>
>>>>> -> user amistest can write in ACLTEST directory.
>>>>>
>>>>> On PC, amistest logged into domain (sorry, it is in Czech):
>>>>>
>>>>> S:\>dir ACLTEST
>>>>>
>>>>>    Svazek v jednotce S je amistest.
>>>>>    Sériové číslo svazku je EE7A-B776.
>>>>>
>>>>>    Výpis adresáře S:\ACLTEST
>>>>>
>>>>> 27.11.2013  11:03    <DIR>          .
>>>>> 04.11.2013  09:52    <DIR>          ..
>>>>> 27.11.2013  10:54                 0 POKUS
>>>>> 27.11.2013  11:35                 0 test
>>>>>                  2 souborů,              0 bajtů
>>>>>              Adresářů:     2,   Volných bajtů:    200 429 568
>>>>>
>>>>> -> user amistest sees ACLTEST directory
>>>>>
>>>>>
>>>>> S:\>net group /domain poj
>>>>> Požadavek bude zpracován na primárním řadiči domény NIS.
>>>>>
>>>>> Název skupiny     poj
>>>>> Komentář
>>>>>
>>>>> Členové
>>>>>
>>>>> -----------------------------------------------------------------------
>>>>> amistest             .....
>>>>>
>>>>> Příkaz byl úspěšně dokončen.
>>>>>
>>>>> -> user amistest is in "poj" group (seen from pc)
>>>>>
>>>>>
>>>>> S:\>mkdir ACLTEST\testdir
>>>>> Přístup byl odepřen.
>>>>>
>>>>> -> user amistest can NOT write into the directory.
>>>>>
>>>>> Homes section of smb.conf:
>>>>>
>>>>> [homes]
>>>>>           comment = Home Directories
>>>>>           path = /home/%u
>>>>>           read only = No
>>>>>           create mask = 0700
>>>>>           directory mask = 0700
>>>>>           inherit acls = Yes
>>>>>           browseable = No
>>>>>           root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>>>>>
>>>>> The same configuration worked in samba 3.0.11.
>>>>>
>>>>> The questions are:
>>>>> - how to check that samba 4.1.1 was compiled with acl support (I know it
>>>>> is the default, but...)?
>>>>> - which parameter for samba 4.1.1 am I missing?
>>>>>
>>>>> Thanks, Michal
>>>>>
>> When you provision S4 and then run it in AD mode, you start the samba
>> daemon, which in turn starts the smbd daemon; you should then consider it to
>> be a windows server and connect to it as if it was one.
>>
>> But you can set S4 up just like S3 and start the smbd & nmbd daemons (and
>> optionally the winbind daemon); it will then work just like an S3 machine, so
>> you can set it up as an old-style NT PDC, a standalone server or a
>> member server joined to an AD domain. In fact, anything an S3 machine can do,
>> an S4 machine can do.
>>
>> If you do run S4 as an AD server, then connect to it as if it was a
>> windows server and you will not go far wrong.
>>
>> Rowland
>>
>>
Could you please post your (sanitized) smb.conf?

Rowland
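Added example, not from the thread or from the Samba project: it walks the getfacl output Michal posted through the POSIX ACL access-check order (owner, named user, group class under the mask, other), so the Linux filesystem side of the "poj can write to ACLTEST" claim can be confirmed on its own before the denial is attributed to smbd. The ACL text and the group list for amistest are copied from the thread; the check order is the standard POSIX ACL algorithm, and nothing here models what smbd does on top of it.

```python
# Sample data copied from the mailing-list thread (getfacl output and `id` groups).
GETFACL_ACLTEST = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""

AMISTEST_GROUPS = ["users-nis", "evis", "slp", "hernie", "poj", "hto", "users"]

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...]) from getfacl output."""
    header, entries = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")  # "# owner: hrubos"
            header[key] = value
        elif line:
            entries.append(tuple(line.split(":")))  # e.g. ("group", "poj", "rwx")
    return header["owner"], header["group"], entries

def acl_permits(acl_text, user, groups, want):
    """POSIX ACL check order: owner, named user, group class, other.
    The mask caps named-user and every group entry, never owner or other."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")

    def ok(perms):
        return all(c in perms for c in want)

    def masked(perms):
        return "".join(c for c in perms if c in mask)

    if user == owner:
        return ok(next(p for t, q, p in entries if t == "user" and q == ""))
    for t, q, p in entries:
        if t == "user" and q == user:
            return ok(masked(p))
    matching = [p for t, q, p in entries
                if t == "group" and (owning_group in groups if q == "" else q in groups)]
    if matching:  # in the group class: any matching entry that grants the access is enough
        return any(ok(masked(p)) for p in matching)
    return ok(next(p for t, q, p in entries if t == "other"))
```

Creating ACLTEST/testdir needs write and search (`wx`) on ACLTEST, so `acl_permits(GETFACL_ACLTEST, "amistest", AMISTEST_GROUPS, "wx")` is the filesystem-side answer to the `mkdir` that the PC was denied.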
