[Samba] Behavior of cifsacl

Jonathan Heese jheese at inetu.net
Tue Mar 25 10:59:59 MDT 2014


Hello all,

I am looking to implement winbind and samba-client (mount.cifs, actually) on a RHEL6 machine with the following properties:


1. Users will log in to the RHEL6 box using Active Directory (2008 R2) credentials (via winbind)

2. There will be a global (i.e. not mounted on a per-user basis) CIFS mount at /client_data which points to a CIFS share on a Windows Server 2012 R2 file server.

3. Users who log in to the RHEL6 box as their AD users will be granted the appropriate permissions on the files/directories under /client_data via CIFS ACLs applied from the Windows server.

I was easily (relatively speaking) able to perform the first two above with the standard samba-* packages provided by Red Hat, but #3 has proven to be an elusive beast.

I read that Samba4 offered support for full CIFS ACL compliance, so I tried removing my samba-* packages and installing samba4-* packages (specifically 4.0.0-60).  I had a lot of problems getting authentication to pass through properly ("NT_STATUS_INVALID_PARAMETER_MIX"), so I tried quickly upgrading to 4.1.6 (from some RPMs I found on Glusterfs's site of all places), and voila! She authenticates!

But, sadly, I realized at that point (because my cifs mounts failed) that the samba4-* packages don't provide cifs.mount...  So I grabbed a tarball of cifs-utils 6.3, installed the deps for building the cifsacl stuff, built and installed it.  Now my shares mount up.

With some quick-n-dirty testing, though, it doesn't seem like groups added to the Windows security ACL are being respected on the Linux side.

Am I asking too much, or is this something that can actually be done?  If it is actually possible, what components are necessary for this to work (i.e. what might I be missing?)?

Any and all log files and conf files will be provided upon request.  Thanks!

Jon Heese
Systems Administrator
INetU Managed Hosting
P: 610.266.7441 x 261
F: 610.266.7434
https://www.inetu.net/