[Samba] Fwd: Samba4 - ACL not applied/followed (worked in samba 3.0.11)
Rowland Penny
rowlandpenny at googlemail.com
Mon Dec 16 04:46:53 MST 2013
On 16/12/13 11:23, Michal Hajek wrote:
> I start smbd and nmbd (and no winbind), so I expect "v3" behaviour.
> Including ACLs. Am I right? But ACLs are not applied on shares. Are any new
> parameters needed for v4?
>
> Michal
>
>
> On Mon, Dec 16, 2013 at 12:13 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 16/12/13 11:00, Michal Hajek wrote:
>>
>> For clarity: By ACL I mean LINUX ACLs (setfacl, getfacl), NOT anything
>> set from Windows clients.
>>
>> On Mon, Dec 16, 2013 at 11:32 AM, Rowland Penny <
>> rowlandpenny at googlemail.com> wrote:
>>
>>> On 09/12/13 08:39, Michal Hajek wrote:
>>>
>>>> OK, I will answer myself to myself.
>>>>
>>>> It is because samba3 capabilities are NOT a subset of samba4 ones. Samba4
>>>> seems not to bother with Linux ACLs at all (or maybe only in some magic
>>>> way, which I did not discover in a week of searching)! When I compiled and
>>>> ran v3.6, everything worked as expected at the first try.
>>>>
>>> Do you have ACLs turned on for the partitions that hold the shares?
>>>
>>>
>> Do you mean on the Linux FS? Yes, of course, as you can see in my first
>> mail (ACL is on and it works both directly on the Linux FS and on Samba v3 shares).
>> If you mean "explicitly in the share section of your smb.conf" then no.
>> I do not know how to do that. I had spent a good few hours trying to
>> configure that. (And I must say Samba documentation really sucks.)
>>
>>
>>>
>>>> So for all wondering which version to choose when upgrading to v4 from v3
>>>> (with no need of AD): if you use (or plan to use) linux ACLs, your ONLY
>>>> choice is v3.
>>>>
>>>> I cannot understand why such insidious v4 behaviour is not clearly stated on
>>>> the samba pages.
>>>>
>>>> Michal
>>>>
>>> Yes, you are right, Samba4 does work differently from S3 when running in
>>> AD mode, it runs like a windows server, but you can run Samba4 just like S3
>>> and if that is all you require, then I suggest that this is what you do. S3
>>> is in security fixes mode now and will be discontinued sometime in August
>>> 2014 (approx).
>>>
>>>
>> V 4.1.0 compiled, started, ACL on shares not working.
>> V 3.6.22 compiled, started, ACL on shares working (the same smb.conf).
>>
>> How can I "run Samba4 just like S3"? It is possible I am missing some
>> additional v4 parameter/setting, but I did not find which one.
>>
>> Thanks,
>> Michal
>>
>>
>>
>>> Rowland
>>>
>>>
>>>
>>>> On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek <Hajek67 at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi.
>>>>> samba 4.1.1. The user has unix write permission, but samba denies him write
>>>>> access.
>>>>>
>>>>> On samba server:
>>>>> amistest at samba:~$ id
>>>>> uid=6603(amistest) gid=20(users-nis)
>>>>>
>>>>> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
>>>>>
>>>>> -> user amistest is in "poj" group
>>>>>
>>>>> amistest at samba:~$ ls -ld ACLTEST
>>>>> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
>>>>> amistest at samba:~$ getfacl ACLTEST/
>>>>> # file: ACLTEST
>>>>> # owner: hrubos
>>>>> # group: vema
>>>>> user::rwx
>>>>> group::rwx
>>>>> group:poj:rwx
>>>>> mask::rwx
>>>>> other::r-x
>>>>>
>>>>> -> group poj can write in ACLTEST directory
>>>>>
>>>>> amistest at samba:~$ touch ACLTEST/test
>>>>> amistest at samba:~$ ls -l ACLTEST
>>>>> total 4
>>>>> -rw-rwxr--+ 1 hrubos poj 0 Nov 27 10:54 POKUS
>>>>> -rw-r--r-- 1 amistest users-nis 0 Nov 27 11:35 test
>>>>> amistest at samba:~$
>>>>>
>>>>> -> user amistest can write in ACLTEST directory.
>>>>>
>>>>> On PC, amistest logged into domain (sorry, it is in Czech):
>>>>>
>>>>> S:\>dir ACLTEST
>>>>>
>>>>> Svazek v jednotce S je amistest.
>>>>> Sériové číslo svazku je EE7A-B776.
>>>>>
>>>>> Výpis adresáře S:\ACLTEST
>>>>>
>>>>> 27.11.2013 11:03 <DIR> .
>>>>> 04.11.2013 09:52 <DIR> ..
>>>>> 27.11.2013 10:54 0 POKUS
>>>>> 27.11.2013 11:35 0 test
>>>>> 2 souborů, 0 bajtů
>>>>> Adresářů: 2, Volných bajtů: 200 429 568
>>>>>
>>>>> -> user amistest sees ACLTEST directory
>>>>>
>>>>>
>>>>> S:\>net group /domain poj
>>>>> Požadavek bude zpracován na primárním řadiči domény NIS.
>>>>>
>>>>> Název skupiny poj
>>>>> Komentář
>>>>>
>>>>> Členové
>>>>>
>>>>> -----------------------------------------------------------------------
>>>>> amistest .....
>>>>>
>>>>> Příkaz byl úspěšně dokončen.
>>>>>
>>>>> -> user amistest is in "poj" group (seen from pc)
>>>>>
>>>>>
>>>>> S:\>mkdir ACLTEST\testdir
>>>>> Přístup byl odepřen.
>>>>>
>>>>> -> user amistest can NOT write into the directory.
>>>>>
>>>>> Homes section of smb.conf:
>>>>>
>>>>> [homes]
>>>>> comment = Home Directories
>>>>> path = /home/%u
>>>>> read only = No
>>>>> create mask = 0700
>>>>> directory mask = 0700
>>>>> inherit acls = Yes
>>>>> browseable = No
>>>>> root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>>>>>
>>>>> The same configuration worked in samba 3.0.11.
>>>>>
>>>>> The questions are:
>>>>> - how to check that samba 4.1.1 was compiled with acl support (I know it
>>>>> is default, but...)?
>>>>> - which parameter for samba 4.1.1 am I missing?
>>>>>
>>>>> Thanks, Michal
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>> When you provision S4 and then run it in AD mode, you start the samba
>> daemon, this in turn starts the smbd daemon, you should then consider it to
>> be a windows server and connect to it as if it was one.
>>
>> But you can set S4 up just like S3 and start the smbd & nmbd daemons (and
>> optionally the winbind daemon), it will then work just like an S3 machine, so
>> you can set it up as an old style NT PDC, a standalone server or a
>> member server joined to an AD domain, in fact anything an S3 machine can do,
>> an S4 machine can do.
>>
>> If you do run S4 as an AD server, then connect to it as if it was a
>> windows server and you will not go far wrong.
>>
>> Rowland
>>
>>
Could you please post your (sanitized) smb.conf?
Rowland
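As an added example, not part of this thread or of the Samba project: a small POSIX sh helper for the three checks the thread circles around (is the user really in the group, what does the POSIX ACL actually grant once the mask entry is applied, and was smbd built with ACL support). The script name, the `--live` flag and the sample outputs are constructed here from the thread's own values; the `HAVE_POSIX_ACLS` build define is an assumption about `smbd -b` output that should be verified on your own build.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or from Samba). Each function
# reads the relevant command output on stdin, so it can be exercised against
# captured text as well as against the live host.

# Effective permission a named group gets from getfacl(1) output: a bit is
# only effective if it is set in BOTH the group entry and the mask entry.
acl_effective_group_perm() {
    awk -v grp="$1" -F: '
        { sub(/[ \t].*/, "", $3) }          # drop "#effective:" annotations
        $1 == "group" && $2 == grp { entry = $3 }
        $1 == "mask"               { mask = $3 }
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "")  { print entry; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1); m = substr(mask, i, 1)
                out = out ((e != "-" && m != "-") ? e : "-")
            }
            print out
        }'
}

# True if the id(1) output on stdin lists membership of group $1.
id_in_group() {
    grep -q "[=,][0-9]*($1)"
}

# True if the `smbd -b` build-options listing on stdin names POSIX ACL
# support. HAVE_POSIX_ACLS is assumed to be the define a libacl-enabled
# build prints; check it against your own `smbd -b` output.
smbd_has_posix_acls() {
    grep -q '^[[:space:]]*HAVE_POSIX_ACLS[[:space:]]*$'
}

# Live run on this host (hypothetical script name):
#   ./aclcheck.sh --live /home/hrubos/ACLTEST poj amistest
if [ "${1:-}" = "--live" ]; then
    dir=$2; grp=$3; usr=$4
    printf 'ACL grants %s: %s\n' "$grp" \
        "$(getfacl -c "$dir" | acl_effective_group_perm "$grp")"
    id "$usr" | id_in_group "$grp" && echo "$usr is in $grp" || echo "$usr NOT in $grp"
    smbd -b | smbd_has_posix_acls && echo "smbd built with POSIX ACLs" \
        || echo "smbd built WITHOUT POSIX ACLs"
fi
```

If the live run reports the ACL grants rwx and the user is in the group but smbd reports no POSIX ACL support, the denial seen from the Windows client comes from the build rather than from the ACL or smb.conf.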