[Samba] Solaris Extended ACLs samba-3.6 vs samba-4.1 differences

Bernie Kirby bernie at unimelb.edu.au
Thu Feb 20 16:53:10 MST 2014


In our situation, we have users' home directories on a zfs filesystem which are available from both nfs and via samba. One of our requirements is that we have to prevent users on the nfs mounted systems from being able to perform a chmod on their own home directory that allows other users access to their home directories.

To this end we use ZFS ACLs such that we chown the user's home directory to root, then allow them the normal access to their directory via the ZFS ACLs, except we deny the "write_acl" part. The ACLs are pretty much the defaults that happen with a normal chmod except for the write_acl part.

It looks like this:

chown root username
chmod A- username
chmod og-rwx username
chmod A+user:username:write_acl:deny username
chmod A+user:username:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/read_acl/write_owner/synchronize:allow username
chmod A+group@:read_xattr/read_attributes/read_acl/synchronize:allow username
chmod A+everyone@:read_xattr/read_attributes/read_acl/synchronize:allow username

This all works very well when using an NFS mounted filesystem, and works with samba-3.6.22.
However, with samba-4.1.4 users cannot access their home share - we get a permission error in this case.

Just wondering why this might be and if it's by design in samba-4.1 - maybe caused by the ownership of the user's home directory now being different?
We would much prefer to use the latest versions of samba as we want to continue on upgrading as samba is improved.

Regards,

Bernie.
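
Added example, not part of the original post and not Samba or ZFS code: a simplified model of ordered NFSv4-style ACE evaluation applied to the four entries set by the chmod commands above, showing which permissions the user ends up with. It assumes each `chmod A+` prepends its entry, ignores the trivial owner@/group@/everyone@ entries left by `chmod og-rwx`, and keeps the post's placeholder "username"; the function names are hypothetical.

```python
# Simplified model of ordered NFSv4/ZFS ACE evaluation (added example).
# The four ACEs from the post, in the order they end up in if each
# `chmod A+` prepends its entry (assumption). "username" is a placeholder.
ACL = [
    "everyone@:read_xattr/read_attributes/read_acl/synchronize:allow",
    "group@:read_xattr/read_attributes/read_acl/synchronize:allow",
    "user:username:list_directory/read_data/add_file/write_data/add_subdirectory/"
    "append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/"
    "read_acl/write_owner/synchronize:allow",
    "user:username:write_acl:deny",
]

def parse_ace(text):
    """Split 'who[:name]:perm/perm:type' into (who, perms, type)."""
    *who, perms, ace_type = text.split(":")
    return ":".join(who), set(perms.split("/")), ace_type

def ace_matches(who, user, owner, in_group):
    """Decide whether an ACE applies to the requesting user."""
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == owner
    if who == "group@":
        return in_group
    return who == f"user:{user}"

def check_access(acl, user, wanted, owner="root", in_group=False):
    """True only if every requested permission is allowed before it is denied."""
    undecided = set(wanted)
    for who, perms, ace_type in map(parse_ace, acl):
        if not ace_matches(who, user, owner, in_group):
            continue
        hit = undecided & perms
        if hit and ace_type == "deny":
            return False
        undecided -= hit  # already-allowed bits are not affected by later ACEs
    return not undecided  # permissions no matching ACE mentions are denied

if __name__ == "__main__":
    for perm in ("read_data", "add_file", "write_acl", "write_owner"):
        print(perm, check_access(ACL, "username", [perm]))
    print("other user read_data:", check_access(ACL, "other", ["read_data"]))
```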




