[Samba] Behavior of cifsacl
jheese at inetu.net
Tue Mar 25 10:59:59 MDT 2014
I am looking to implement winbind and samba-client (mount.cifs, actually) on a RHEL6 machine with the following properties:
1. Users will log in to the RHEL6 box using Active Directory (2008 R2) credentials (via winbind)
2. There will be a global (i.e. not mounted on a per-user basis) CIFS mount at /client_data which points to a CIFS share on a Windows Server 2012 R2 file server.
3. Users who log in to the RHEL6 box as their AD users will be granted the appropriate permissions on the files/directories under /client_data via CIFS ACLs applied from the Windows server.
I was easily (relatively speaking) able to perform the first two above with the standard samba-* packages provided by Red Hat, but #3 has proven to be an elusive beast.
I read that Samba4 offered support for full CIFS ACL compliance, so I tried removing my samba-* packages and installing samba4-* packages (specifically 4.0.0-60). I had a lot of problems getting authentication to pass through properly ("NT_STATUS_INVALID_PARAMETER_MIX"), so I tried quickly upgrading to 4.1.6 (from some RPMs I found on Glusterfs's site of all places), and voila! She authenticates!
But, sadly, I realized at that point (because my cifs mounts failed) that the samba4-* packages don't provide cifs.mount... So I grabbed a tarball of cifs-utils 6.3, installed the deps for building the cifsacl stuff, built and installed it. Now my shares mount up.
With some quick-n-dirty testing, though, it doesn't seem like groups added to the Windows security ACL are being respected on the Linux side.
Am I asking too much, or is this something that can actually be done? If it is actually possible, what components are necessary for this to work (i.e. what might I be missing?)?
Any and all log files and conf files will be provided upon request. Thanks!
INetU Managed Hosting
P: 610.266.7441 x 261