[Samba] Linux fs ACL ignored for Samba4 share in Windows?

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 10 04:01:24 MDT 2015


On 10/03/15 09:51, Mgr. Peter Tuharsky wrote:
> This command lists all directories in iss_num. However the . (iss_num
> itself) has drwxrwxr-x
>
> Now for the incriminating file example that shows abnormal ACL in
> Windows: the file resides in iss_num/am/uz and has -rwxrwxrwx
>
> So there is no + in the listing for the share directory nor for files in the
> directory structure.
>
> Peter
>
>
> On 10.03.2015 at 10:37, Rowland Penny wrote:
>> On 10/03/15 07:16, Mgr. Peter Tuharsky wrote:
>>> Hm, it is quite large. I will snip all comments out and all shares that
>>> are not interesting
>>>
>>> smb.conf:
>>>
>>> [global]
>>>
>>>      workgroup = ldap1.sk
>>>      server string = server %L
>>>      wins support = no
>>>      dns proxy = no
>>>      netbios aliases = datastore dokumenty iss pravo prenos matriky
>>>      log file = /var/log/samba/log.%m
>>>      max log size = 1000
>>>      syslog = 0
>>>      panic action = /usr/share/samba/panic-action %d
>>>      log level = 2
>>>      security = domain
>>>      encrypt passwords = true
>>>      passdb backend = tdbsam
>>>      obey pam restrictions = no
>>>      unix password sync = no
>>>      map to guest = bad user
>>>      domain logons = no
>>>      domain master = auto
>>>      local master = no
>>>      usershare allow guests = no
>>>
>>>
>>> include = /etc/samba/smb-global.conf
>>> include = /etc/samba/smb-datastore.conf
>>>
>>>
>>> smb-global.conf:
>>> [global]
>>>
>>>       dos charset = 852
>>>       unix charset = UTF8
>>>       dos filetimes = yes
>>>       browseable = no
>>>       guest ok = no
>>>       public = no
>>>       writable = yes
>>>       unix extensions = no
>>>       follow symlinks = yes
>>>
>>> smb-datastore.conf:
>>>
>>> [iss_num]
>>>       path = /mnt/data_raid/iss_num
>>>       comment = Projekt ISS_NUM
>>>       locking = yes
>>>       default case = lower
>>>       preserve case = no
>>>
>>> On 09.03.2015 at 10:49, Rowland Penny wrote:
>>>> On 09/03/15 09:21, Mgr. Peter Tuharsky wrote:
>>>>> Hello,
>>>>>
>>>>> we have a Samba 3 domain w/LDAP backend. Recently we have set up a Samba
>>>>> 4.1.7 fileserver, a member of the domain, as a first step of full
>>>>> migration to Samba 4.
>>>>>
>>>>> Now, we have a problem with file ACLs on the Samba4 fileserver. Linux ext4
>>>>> fs has 777 ACLs for the file. Why does it look like in Windows (both XP
>>>>> and 2k8r2) that "Everyone" does not have write permission?
>>>>>
>>>>> Sincerely
>>>>> Peter
>>>>>
>>>> Hi, any chance you can post the smb.conf from the Samba 4.1.7
>>>> fileserver?
>>>>
>>>> Rowland
>>>>
>> OK, after I removed the default settings, I ended up with this:
>>
>> [global]
>>     workgroup = ldap1.sk
>>     server string = server %L
>>     dns proxy = no
>>     netbios aliases = datastore dokumenty iss pravo prenos matriky
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     syslog = 0
>>     panic action = /usr/share/samba/panic-action %d
>>     log level = 2
>>     security = domain
>>     map to guest = bad user
>>     local master = no
>>     dos charset = 852
>>     browseable = no
>>     writable = yes
>>     unix extensions = no
>>
>> [iss_num]
>>      path = /mnt/data_raid/iss_num
>>      comment = Projekt ISS_NUM
>>      locking = yes
>>      preserve case = no
>>
>> Everything looks OK, provided the machine has been joined to the
>> domain. I personally wouldn't use a dot in the workgroup name, but I
>> don't think this is your problem. What I think is happening is that
>> you are mixing up Unix and Windows ACLs. What does 'ls -la
>> /mnt/data_raid/iss_num' show? Is there a '+' sign at the end of the
>> ACL, i.e. is it 'rwxrwxrwx' or 'rwxrwxrwx+'?
>>
>> Rowland
>>

OK, this means that you are mixing up Unix & Windows ACLs. If there was
a '+' sign, this would mean that Unix (and Samba) was using Windows
ACLs. You could try to give 'Everyone' read access from Windows and
then look again from Unix with 'ls -la'; if you now have the '+', then
good. If not, install the 'acl' & 'attr' packages and try again. Once
you get the '+' sign, you can then look at the ACLs with 'getfacl
/mnt/data_raid/iss_num'.

Rowland
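
The 'ls -la' check discussed in this thread, as an added example that is not part of the original message: a shell function that reads a long listing and reports, per entry, whether the mode string carries the '+' marker and whether the "other" write bit is set. The function names and the sample listing are constructed for illustration; the parser assumes the default GNU 'ls -l' column layout.

```sh
#!/bin/sh
# Added example (not from the thread). Reads `ls -la` output on stdin and
# prints one line per entry: "<name> <acl|mode-only> <world-writable|ok>".
# Assumption: default GNU `ls -l` layout (mode links owner group size
# month day time name), e.g. produced with LC_ALL=C.
classify_listing() {
    while read -r mode _links _owner _group _size _mon _day _time name; do
        # Keep only lines whose first field looks like a mode string
        # (file type character plus nine permission characters).
        case "$mode" in
            [-dlbcps]?????????*) ;;
            *) continue ;;              # skips "total N" and blank lines
        esac
        # An 11th character '+' means the entry has ACL entries beyond
        # the plain owner/group/other mode bits.
        case "$mode" in
            ??????????+*) acl="acl" ;;
            *)            acl="mode-only" ;;
        esac
        # Character 9 of the mode string is the write bit for "other".
        case "$mode" in
            ????????w*) ww="world-writable" ;;
            *)          ww="ok" ;;
        esac
        printf '%s %s %s\n' "$name" "$acl" "$ww"
    done
}

# Constructed sample listing: the two mode strings reported in the thread
# (drwxrwxr-x for the share root, -rwxrwxrwx for a file) plus one
# constructed entry that carries the '+' marker. File names are made up.
sample_listing() {
    cat <<'EOF'
total 12
drwxrwxr-x  3 root users 4096 Mar 10 09:40 .
-rwxrwxrwx  1 root users  120 Mar 10 09:41 report.txt
-rwxrwx---+ 1 root users  120 Mar 10 09:42 with_acl.txt
EOF
}

sample_listing | classify_listing
```

On a real server the same function can be fed with `LC_ALL=C ls -la /mnt/data_raid/iss_num | classify_listing`; entries reported as `acl` are the ones worth inspecting with 'getfacl'.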

