[Samba] Fwd: Samba4 - ACL not applied/followed (worked in samba 3.0.11)
Rowland Penny
rowlandpenny at googlemail.com
Mon Dec 16 05:39:04 MST 2013
On 16/12/13 12:10, Michal Hajek wrote:
> Here it is (xxxxxxxed and without insignificant shares).
>
> # Global parameters
> [global]
> dos charset = CP852
> unix charset = ISO8859-2
> workgroup = NIS
> server string = UHN a.s. (%v on %h)
> passdb backend = ldapsam:ldapxxxxxxxxx
> log level = 0 passdb:3 auth:3 winbind:3
> syslog = 0
> log file = /var/log/samba/%m.log
> max log size = 50
> name resolve order = host bcast
> socket options = TCP_NODELAY,SO_KEEPALIVE
> add user script = /usr/sbin/useradd -d /dev/null -g users -s /bin/false -M %u
> add machine script = /usr/local/bin/AMnew '%u'
> logon script = smbprofile.bat
> logon path = \\%h\profiles\%U
> logon drive = S:
> domain logons = Yes
> os level = 35
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> ldap admin dn = xxxxxxxxxxx
> ldap group suffix = ou=groups
> ldap machine suffix = ou=machines
> ldap suffix = dc=nspuh,dc=cz
> ldap ssl = no
> ldap user suffix = ou=people
> panic action = /usr/share/samba/panic-action %d
> template homedir = /profiles/DEFAULT
> idmap config * :backend = tdb
> idmap config * :range =
> admin users =xxxxxxxxxxxxxxx
> root preexec = /usr/local/bin/RPE4 '%u' 'GLOBALS' '%m' '%a'
> follow symlinks = yes
> wide links = yes
> allow insecure wide links = yes
> ## default encrypt passwords = yes
> ## default obey pam restrictions = no
> ## ldapsam:trusted = yes ## does not work with 3.0.11
>
> [homes]
> comment = Home Directories
> path = /home/%u
> read only = No
> create mask = 0700
> directory mask = 0700
> inherit acls = Yes
> browseable = No
> root preexec = /usr/local/bin/RPE4 '%u' 'HOMESHARE' '%m' '%a'
>
>
> [profiles]
> comment = Profile Share
> path = /home/profiles
> read only = No
> directory mask = 0700
> profile acls = Yes
> browseable = No
> csc policy = disable
> root preexec = /usr/local/bin/RPE4 '%u' 'PROFILES' '%m' '%a'
>
> [NETLOGON]
> comment = Network Logon Service
> path = /home/netlogon
> write list = xxxxx
> guest ok = Yes
> browseable = No
>
>
>
>
> On Mon, Dec 16, 2013 at 12:46 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> On 16/12/13 11:23, Michal Hajek wrote:
>
> I start smbd and nmbd (and no winbind), so I expect "v3" behaviour,
> including ACLs. Am I right? But ACLs are not applied on shares. Any new
> parameters for v4 needed?
>
> Michal
>
>
> On Mon, Dec 16, 2013 at 12:13 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
> On 16/12/13 11:00, Michal Hajek wrote:
>
> For clarity: By ACL I mean LINUX ACLs (setfacl, getfacl), NOT anything
> set from Windows clients.
>
> On Mon, Dec 16, 2013 at 11:32 AM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> On 09/12/13 08:39, Michal Hajek wrote:
>
> OK, I will answer myself.
>
> It is because samba3 capabilities are NOT a subset of samba4 ones. Samba4
> seems not to bother with Linux ACLs at all (or maybe only in some magic way,
> which I did not discover in a week of searching)! When I compiled and
> ran v3.6, everything worked as expected at first try.
>
> Do you have ACLs turned on for the partitions that hold the shares?
>
>
> Do you mean on the Linux FS? Yes, of course, as you can see in my first
> mail (ACL is on and it works both directly on the Linux FS and on
> Samba v3 shares).
> If you mean "explicitly in the share section of your smb.conf" then no.
> I do not know how to do that. I had spent a nice few hours trying to
> configure that. (And I must say Samba documentation really sucks.)
>
>
>
> So for all wondering which version to choose when upgrading to v4 from v3
> (with no need of AD): if you use, or plan to use, Linux ACLs, your ONLY
> choice is v3.
>
> I cannot get why such insidious v4 behaviour is not clearly stated on
> the samba pages.
>
> Michal
>
> Yes, you are right, Samba4 does work differently from S3 when running in
> AD mode, it runs like a windows server, but you can run Samba4 just like S3
> and if that is all you require, then I suggest that this is what you do. S3
> is in security fixes mode now and will be discontinued sometime in August
> 2014 (approx).
>
>
> V 4.1.0 compiled, started, ACL on shares not working.
> V 3.6.22 compiled, started, ACL on shares working (the same smb.conf).
>
> How can I "run Samba4 just like S3"? It is possible I am missing some
> additional v4 parameter/setting, but I did not find which one.
>
> Thanks,
> Michal
>
>
>
> Rowland
>
>
>
> On Wed, Nov 27, 2013 at 11:57 AM, Michal Hajek
> <Hajek67 at gmail.com> wrote:
>
> Hi.
>
> samba 4.1.1. User has unix rights for writing, but samba denies write
> access to him.
>
> On samba server:
> amistest at samba:~$ id
> uid=6603(amistest) gid=20(users-nis)
>
> groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)
>
> -> user amistest is in "poj" group
>
> amistest at samba:~$ ls -ld ACLTEST
> drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
> amistest at samba:~$ getfacl ACLTEST/
> # file: ACLTEST
> # owner: hrubos
> # group: vema
> user::rwx
> group::rwx
> group:poj:rwx
> mask::rwx
> other::r-x
>
> -> group poj can write in ACLTEST directory
>
> amistest at samba:~$ touch ACLTEST/test
> amistest at samba:~$ ls -l ACLTEST
> total 4
> -rw-rwxr--+ 1 hrubos poj 0 Nov 27 10:54 POKUS
> -rw-r--r-- 1 amistest users-nis 0 Nov 27 11:35 test
> amistest at samba:~$
>
> -> user amistest can write in ACLTEST directory.
>
> On PC, amistest logged into domain (sorry, it was in Czech; translated here):
>
> S:\>dir ACLTEST
>
> Volume in drive S is amistest.
> Volume Serial Number is EE7A-B776.
>
> Directory of S:\ACLTEST
>
> 27.11.2013 11:03 <DIR> .
> 04.11.2013 09:52 <DIR> ..
> 27.11.2013 10:54 0 POKUS
> 27.11.2013 11:35 0 test
> 2 File(s), 0 bytes
> 2 Dir(s), 200 429 568 bytes free
>
> -> user amistest sees ACLTEST directory
>
>
> S:\>net group /domain poj
> The request will be processed at the primary domain controller for domain NIS.
>
> Group name poj
> Comment
>
> Members
>
> -----------------------------------------------------------------------
> amistest .....
>
> The command completed successfully.
>
> -> user amistest is in "poj" group (seen from PC)
>
>
> S:\>mkdir ACLTEST\testdir
> Access is denied.
>
> -> user amistest can NOT write into the directory.
>
> Homes section of smb.conf:
>
> [homes]
> comment = Home Directories
> path = /home/%u
> read only = No
> create mask = 0700
> directory mask = 0700
> inherit acls = Yes
> browseable = No
> root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'
>
> The same configuration worked in samba 3.0.11.
>
> The questions are:
> - how to check that samba 4.1.1 was compiled with acl support (I know it
> is the default, but...)?
> - which parameter for samba 4.1.1 am I missing?
>
> Thanks, Michal
>
>
>
>
>
>
> When you provision S4 and then run it in AD mode, you start the samba
> daemon, this in turn starts the smbd daemon, you should then consider it to
> be a windows server and connect to it as if it was one.
>
> But you can set S4 up just like S3 and start the smbd & nmbd daemons (and
> optionally the winbind daemon), it will then work just like an S3 machine, so
> you can set it up as an old style NT PDC, a standalone server or a
> memberserver joined to an AD domain, in fact anything an S3 machine can do,
> an S4 machine can do.
>
> If you do run S4 as an AD server, then connect to it as if it was a
> windows server and you will not go far wrong.
>
> Rowland
>
>
> Could you please post your (sanitized) smb.conf
>
> Rowland
>
>
OK, this is what I used to have in [global] when I ran a PDC
###### ACL related #######
#extended attributes stored on EXT3 or XFS with user_xattr options
ea support = yes
#Users/groups who have write access to the file can modify
# the permissions (incl. ACL)
#Ownership of file/dir may also be changed
#Default: no (disable)
dos filemode = yes
# must set (map [hidden|archive|system|read only]) = no
# Enabled: store DOS attributes onto user.DOSATTRIB file
# file system must be mounted with user_xattr
# extended attributes must be compiled into the Linux kernel
store dos attributes = yes
#these depend on (create mask), however, refer to (store dos attributes)
map hidden = no
map archive = no
map system = no
map read only = no
# map "inherit" and "protected" flags in Windows ACLs into extended
#attribute file called user.SAMBA_PAI
map acl inherit = yes
# Turn on unix extensions
unix extensions = yes
try it and see if it helps ;-)
Rowland
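The [global] fragment above and the getfacl/mkdir test in Michal's first mail, as an added example that is not part of the thread and not Samba project code: a POSIX sh script that (a) reads an smb.conf and reports which of the parameters Rowland lists (ea support, dos filemode, store dos attributes, map acl inherit), plus inherit acls, are not enabled for a share, and (b) computes the effective rights a getfacl entry grants once the mask entry is applied. The sample smb.conf and getfacl output are constructed inline from what was posted; the parameter names, the yes/true/1 spellings and the mask semantics are Samba's and Linux's own, while the function names and the script's ignorance of version-dependent defaults are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Samba project.
# Two offline checks for a classic (smbd/nmbd) server that should honour
# POSIX ACLs: which ACL/xattr parameters from Rowland's [global] an
# smb.conf lacks, and what a getfacl entry really grants once the mask is
# applied. POSIX sh + awk only, so it runs without Samba or the acl tools.

# smbconf_get FILE SECTION PARAMETER: value of PARAMETER in [SECTION], last
# occurrence wins, nothing if unset. Names compared as Samba compares them
# (case and whitespace ignored); '#' and ';' comment lines are skipped.
smbconf_get() {
    awk -v sec="$2" -v key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      insec = (norm(s) == norm(sec)); next }
        insec && index($0, "=") {
            i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
            if (norm(k) == norm(key)) { sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v }
        }
        END { if (val != "") print val }' "$1"
}

# smbconf_is_yes FILE SHARE PARAMETER: true if the value is yes/true/1 in
# [SHARE] or, failing that, in [global] (a share value overrides the default).
smbconf_is_yes() {
    v=$(smbconf_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(smbconf_get "$1" global "$3")
    case $(printf '%s' "$v" | tr '[:upper:]' '[:lower:]') in
        yes|true|1) return 0 ;;  *) return 1 ;;
    esac
}

# acl_check FILE SHARE: one line per ACL-related parameter not enabled for
# SHARE; returns 1 if any is missing. Only explicit settings count; the
# check does not know Samba's version-dependent defaults (assumption).
acl_check() {
    missing=0
    for p in "ea support" "dos filemode" "store dos attributes" \
             "map acl inherit" "inherit acls"; do
        smbconf_is_yes "$1" "$2" "$p" || { echo "[$2] $p is not yes"; missing=1; }
    done
    return $missing
}

# acl_effective GETFACL_FILE ENTRY: ENTRY is "group:poj", "user:hrubos" or
# "group:" (owning group). Prints its rights ANDed with the mask entry, which
# is what the kernel grants named users, named groups and the owning group.
acl_effective() {
    awk -F: -v want="$2" '
        /^#/ || NF < 3 { next }
        { sub(/[ \t].*$/, "", $3) }                # strip a "#effective:" tail
        $1 == "mask" { mask = $3 }
        ($1 ":" $2) == want { perms = $3 }
        END {
            if (perms == "") exit 1
            if (mask == "" || want == "user:" || want == "other:") { print perms; exit }
            for (i = 1; i <= 3; i++) {
                c = substr(perms, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) == c) ? c : "-")
            }
            print out
        }' "$1"
}

# Constructed samples: the poster's [homes] without and with the [global]
# lines from Rowland's reply, and the getfacl output from the first mail.
sample_conf_before() {
    printf '%s\n' '[global]' '   workgroup = NIS' '' '[homes]' \
        '   path = /home/%u' '   read only = No' '   create mask = 0700' \
        '   directory mask = 0700' '   inherit acls = Yes'
}
sample_conf_after() {
    printf '%s\n' '[global]' '   workgroup = NIS' '   ea support = yes' \
        '   dos filemode = yes' '   store dos attributes = yes' \
        '   map acl inherit = yes' '' '[homes]' '   path = /home/%u' \
        '   read only = No' '   create mask = 0700' \
        '   directory mask = 0700' '   inherit acls = Yes'
}
sample_getfacl() {
    printf '%s\n' '# file: ACLTEST' '# owner: hrubos' '# group: vema' \
        'user::rwx' 'group::rwx' 'group:poj:rwx' 'mask::rwx' 'other::r-x'
}

tmp=$(mktemp -d)
sample_conf_before > "$tmp/before.conf"; sample_conf_after > "$tmp/after.conf"
sample_getfacl > "$tmp/acltest.facl"
echo "== before =="; acl_check "$tmp/before.conf" homes || true
echo "== after ==";  acl_check "$tmp/after.conf" homes && echo "all ACL parameters set"
echo "group:poj effective: $(acl_effective "$tmp/acltest.facl" group:poj)"
# chmod 700 on a directory that carries an ACL rewrites the mask to "---",
# so the named group keeps its entry but is granted nothing:
sed 's/^mask::rwx$/mask::---/' "$tmp/acltest.facl" > "$tmp/chmod700.facl"
echo "group:poj after chmod 700: $(acl_effective "$tmp/chmod700.facl" group:poj)"
rm -rf "$tmp"
```

On a live server, `testparm -s -v /etc/samba/smb.conf > /tmp/effective.conf` dumps every parameter with the value smbd will use (defaults included), so `acl_check /tmp/effective.conf homes` then judges the effective configuration rather than the file; `getfacl ACLTEST > /tmp/f; acl_effective /tmp/f group:poj` reproduces the first mail's check, and a `#effective:` column in real getfacl output is the sign that the mask is clipping an entry. `smbd -b` prints the build options, so `smbd -b | grep -i acl` is the quickest answer to the "was it compiled with ACL support" question.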