[Samba] Linux fs ACL ignored for Samba4 share in Windows?

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 10 03:37:53 MDT 2015


On 10/03/15 07:16, Mgr. Peter Tuharsky wrote:
> Hm, it is quite large. I will snip all comments out and all shares that
> are not interesting
>
> smb.conf:
>
> [global]
>
>     workgroup = ldap1.sk
>     server string = server %L
>     wins support = no
>     dns proxy = no
>     netbios aliases = datastore dokumenty iss pravo prenos matriky
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>     log level = 2
>     security = domain
>     encrypt passwords = true
>     passdb backend = tdbsam
>     obey pam restrictions = no
>     unix password sync = no
>     map to guest = bad user
>     domain logons = no
>     domain master = auto
>     local master = no
>     usershare allow guests = no
>
>
> include = /etc/samba/smb-global.conf
> include = /etc/samba/smb-datastore.conf
>
>
> smb-global.conf:
> [global]
>
>      dos charset = 852
>      unix charset = UTF8
>      dos filetimes = yes
>      browseable = no
>      guest ok = no
>      public = no
>      writable = yes
>      unix extensions = no
>      follow symlinks = yes
>
> smb-datastore.conf:
>
> [iss_num]
>      path = /mnt/data_raid/iss_num
>      comment = Projekt ISS_NUM
>      locking = yes
>      default case = lower
>      preserve case = no
>
> On 09.03.2015 at 10:49, Rowland Penny wrote:
>> On 09/03/15 09:21, Mgr. Peter Tuharsky wrote:
>>> Hallo,
>>>
>>> we have Samba 3 domain w/LDAP backend. Recently we have set up Samba
>>> 4.1.7 fileserver, a member of the domain, as a first step of full
>>> migration to Samba 4.
>>>
>>> Now, we have problem with file ACL on the Samba4 fileserver. Linux ext4
>>> fs has 777 ACLs for the file. Why does it look like in Windows (both XP
>>> and 2k8r2) that "Everyone" has not write permission?
>>>
>>> Sincerely
>>> Peter
>>>
>> Hi, any chance you can post the smb.conf from the samba 4.1.7
>> fileserver ?
>>
>> Rowland
>>

OK, after I removed the default settings, I ended up with this:

[global]
    workgroup = ldap1.sk
    server string = server %L
    dns proxy = no
    netbios aliases = datastore dokumenty iss pravo prenos matriky
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    log level = 2
    security = domain
    map to guest = bad user
    local master = no
    dos charset = 852
    browseable = no
    writable = yes
    unix extensions = no

[iss_num]
     path = /mnt/data_raid/iss_num
     comment = Projekt ISS_NUM
     locking = yes
     preserve case = no

Everything looks OK, provided the machine has been joined to the domain.
I personally wouldn't use a dot in the workgroup name, but I don't think
this is your problem. What I think is happening is that you are mixing
up Unix and Windows ACLs. What does 'ls -la /mnt/data_raid/iss_num'
show? Is there a '+' sign at the end of the ACL, i.e. is it 'rwxrwxrwx'
or 'rwxrwxrwx+'?

Rowland
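
The '+' check asked for above, extended to a whole share tree; this is an added example, not part of the original message or of Samba. The function names are hypothetical, and it assumes an `ls` that appends '+' to the mode field when a POSIX ACL is present (GNU ls does), with `getfacl` used only if installed.

```shell
#!/bin/sh
# Classify the first column of `ls -l` output (file type + 9 mode bits).
#   'drwxrwxrwx'   -> only the classic owner/group/other bits apply
#   'drwxrwxrwx+'  -> a POSIX ACL is attached; the group bits shown by ls
#                     are then the ACL mask, not the owning group's rights
#   '-rw-r--r--.'  -> GNU ls marker for an SELinux context, no ACL
classify_mode() {
    case "$1" in
        ??????????+) echo "acl" ;;
        ??????????.) echo "mode-only" ;;
        ??????????)  echo "mode-only" ;;
        *)           echo "unknown" ;;
    esac
}

# Report the ACL state of one real path.
path_acl_state() {
    # -d describes the directory itself instead of listing its contents
    mode=$(ls -ld -- "$1" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -z "$mode" ]; then
        echo "unknown"
        return 1
    fi
    classify_mode "$mode"
}

# Walk a share path and print every entry that carries a POSIX ACL,
# followed by the ACL itself when getfacl is available.
audit_share() {
    find "$1" -xdev 2>/dev/null | while IFS= read -r p; do
        if [ "$(path_acl_state "$p")" = "acl" ]; then
            printf 'ACL  %s\n' "$p"
            if command -v getfacl >/dev/null 2>&1; then
                getfacl -p -- "$p" 2>/dev/null
            fi
        fi
    done
}

# Usage: sh script.sh /mnt/data_raid/iss_num
if [ $# -gt 0 ]; then
    audit_share "$1"
fi
```

No output from `audit_share` means every entry under the path is governed by its mode bits alone.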


