[Samba] Linux fs ACL ignored for Samba4 share in Windows?
Rowland Penny
rowlandpenny at googlemail.com
Tue Mar 10 04:23:36 MDT 2015
On 10/03/15 10:01, Rowland Penny wrote:
> On 10/03/15 09:51, Mgr. Peter Tuharsky wrote:
>> This command lists all directories in iss_num. However the . (iss_num
>> itself) has drwxrwxr-x
>>
>> Now for the incriminating file example that shows abnormal ACL in
>> Windows: the file resides in iss_num/am/uz and has -rwxrwxrwx
>>
>> So there is no + in listing for share directory nor for files in the
>> directory structure.
>>
>> Peter
>>
>>
>> Dňa 10.03.2015 o 10:37 Rowland Penny napísal(a):
>>> On 10/03/15 07:16, Mgr. Peter Tuharsky wrote:
>>>> Hm, it is quite large. I will snip all comments out and all shares
>>>> that
>>>> are not interesting
>>>>
>>>> smb.conf:
>>>>
>>>> [global]
>>>>
>>>> workgroup = ldap1.sk
>>>> server string = server %L
>>>> wins support = no
>>>> dns proxy = no
>>>> netbios aliases = datastore dokumenty iss pravo prenos matriky
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 1000
>>>> syslog = 0
>>>> panic action = /usr/share/samba/panic-action %d
>>>> log level = 2
>>>> security = domain
>>>> encrypt passwords = true
>>>> passdb backend = tdbsam
>>>> obey pam restrictions = no
>>>> unix password sync = no
>>>> map to guest = bad user
>>>> domain logons = no
>>>> domain master = auto
>>>> local master = no
>>>> usershare allow guests = no
>>>>
>>>>
>>>> include = /etc/samba/smb-global.conf
>>>> include = /etc/samba/smb-datastore.conf
>>>>
>>>>
>>>> smb-global.conf:
>>>> [global]
>>>>
>>>> dos charset = 852
>>>> unix charset = UTF8
>>>> dos filetimes = yes
>>>> browseable = no
>>>> guest ok = no
>>>> public = no
>>>> writable = yes
>>>> unix extensions = no
>>>> follow symlinks = yes
>>>>
>>>> smb-datastore.conf:
>>>>
>>>> [iss_num]
>>>> path = /mnt/data_raid/iss_num
>>>> comment = Projekt ISS_NUM
>>>> locking = yes
>>>> default case = lower
>>>> preserve case = no
>>>>
>>>> Dňa 09.03.2015 o 10:49 Rowland Penny napísal(a):
>>>>> On 09/03/15 09:21, Mgr. Peter Tuharsky wrote:
>>>>>> Hallo,
>>>>>>
>>>>>> we have Samba 3 domain w/LDAP backend. Recently we have set up Samba
>>>>>> 4.1.7 fileserver, a member of the domain, as a first step of full
>>>>>> migration to Samba 4.
>>>>>>
>>>>>> Now, we have problem with file ACL on the Samba4 fileserver. Linux
>>>>>> ext4
>>>>>> fs has 777 ACLs for the file. Why does it look like in Windows
>>>>>> (both XP
>>>>>> and 2k8r2) that "Everyone" has not write permission?
>>>>>>
>>>>>> Sincerely
>>>>>> Peter
>>>>>>
>>>>> Hi, any chance you can post the smb.conf from the samba 4.1.7
>>>>> fileserver ?
>>>>>
>>>>> Rowland
>>>>>
>>> OK, after I removed the default settings, I ended up with this:
>>>
>>> [global]
>>> workgroup = ldap1.sk
>>> server string = server %L
>>> dns proxy = no
>>> netbios aliases = datastore dokumenty iss pravo prenos matriky
>>> log file = /var/log/samba/log.%m
>>> max log size = 1000
>>> syslog = 0
>>> panic action = /usr/share/samba/panic-action %d
>>> log level = 2
>>> security = domain
>>> map to guest = bad user
>>> local master = no
>>> dos charset = 852
>>> browseable = no
>>> writable = yes
>>> unix extensions = no
>>>
>>> [iss_num]
>>> path = /mnt/data_raid/iss_num
>>> comment = Projekt ISS_NUM
>>> locking = yes
>>> preserve case = no
>>>
>>> Everything looks ok, provided the machine has been joined to the
>>> domain. I personally wouldn't use a dot in the workgroup name, but I
>>> don't think this is your problem. What I think is happening, is that
>>> you are mixing up Unix and windows acls, what does 'ls -la
>>> /mnt/data_raid/iss_num' show, is there a '+' sign at the end of the
>>> acl ? i.e. is it 'rwxrwxrwx' or 'rwxrwxrwx+'
>>>
>>> Rowland
>>>
>
> OK, this means that you are mixing up Unix & windows acls, if there
> was a '+' sign, this would mean that Unix (and samba) was using
> windows ACLs. You could try and give 'Everyone' read access from
> windows and then look again from unix with 'ls -la', if you now have
> the '+' then good. If not, install the 'acl' & 'attr' packages and try
> again, once you get the '+' sign, you can then look at the ACLs with
> 'getfacl /mnt/data_raid/iss_num'
>
> Rowland
Hi again, forgot to say that you will probably need to add this to the
global part of your smb.conf:
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
Rowland
More information about the samba
mailing list