[Samba] Linux fs ACL ignored for Samba4 share in Windows?

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 10 04:23:36 MDT 2015


On 10/03/15 10:01, Rowland Penny wrote:
> On 10/03/15 09:51, Mgr. Peter Tuharsky wrote:
>> This command lists all directories in iss_num. However the . (iss_num
>> itself) has drwxrwxr-x
>>
>> Now for the incriminating file example that shows abnormal ACL in
>> Windows: the file resides in iss_num/am/uz and has -rwxrwxrwx
>>
>> So there is no + in listing for share directory nor for files in the
>> directory structure.
>>
>> Peter
>>
>>
>> On 10.03.2015 at 10:37 Rowland Penny wrote:
>>> On 10/03/15 07:16, Mgr. Peter Tuharsky wrote:
>>>> Hm, it is quite large. I will snip all comments out and all shares
>>>> that are not interesting
>>>>
>>>> smb.conf:
>>>>
>>>> [global]
>>>>
>>>>      workgroup = ldap1.sk
>>>>      server string = server %L
>>>>      wins support = no
>>>>      dns proxy = no
>>>>      netbios aliases = datastore dokumenty iss pravo prenos matriky
>>>>      log file = /var/log/samba/log.%m
>>>>      max log size = 1000
>>>>      syslog = 0
>>>>      panic action = /usr/share/samba/panic-action %d
>>>>      log level = 2
>>>>      security = domain
>>>>      encrypt passwords = true
>>>>      passdb backend = tdbsam
>>>>      obey pam restrictions = no
>>>>      unix password sync = no
>>>>      map to guest = bad user
>>>>      domain logons = no
>>>>      domain master = auto
>>>>      local master = no
>>>>      usershare allow guests = no
>>>>
>>>>
>>>> include = /etc/samba/smb-global.conf
>>>> include = /etc/samba/smb-datastore.conf
>>>>
>>>>
>>>> smb-global.conf:
>>>> [global]
>>>>
>>>>       dos charset = 852
>>>>       unix charset = UTF8
>>>>       dos filetimes = yes
>>>>       browseable = no
>>>>       guest ok = no
>>>>       public = no
>>>>       writable = yes
>>>>       unix extensions = no
>>>>       follow symlinks = yes
>>>>
>>>> smb-datastore.conf:
>>>>
>>>> [iss_num]
>>>>       path = /mnt/data_raid/iss_num
>>>>       comment = Projekt ISS_NUM
>>>>       locking = yes
>>>>       default case = lower
>>>>       preserve case = no
>>>>
>>>> On 09.03.2015 at 10:49 Rowland Penny wrote:
>>>>> On 09/03/15 09:21, Mgr. Peter Tuharsky wrote:
>>>>>> Hello,
>>>>>>
>>>>>> we have Samba 3 domain w/LDAP backend. Recently we have set up Samba
>>>>>> 4.1.7 fileserver, a member of the domain, as a first step of full
>>>>>> migration to Samba 4.
>>>>>>
>>>>>> Now we have a problem with file ACLs on the Samba4 fileserver. The
>>>>>> Linux ext4 fs has 777 ACLs for the file. Why does it look in Windows
>>>>>> (both XP and 2k8r2) as if "Everyone" has no write permission?
>>>>>>
>>>>>> Sincerely
>>>>>> Peter
>>>>>>
>>>>> Hi, any chance you can post the smb.conf from the samba 4.1.7
>>>>> fileserver ?
>>>>>
>>>>> Rowland
>>>>>
>>> OK, after I removed the default settings, I ended up with this:
>>>
>>> [global]
>>>     workgroup = ldap1.sk
>>>     server string = server %L
>>>     dns proxy = no
>>>     netbios aliases = datastore dokumenty iss pravo prenos matriky
>>>     log file = /var/log/samba/log.%m
>>>     max log size = 1000
>>>     syslog = 0
>>>     panic action = /usr/share/samba/panic-action %d
>>>     log level = 2
>>>     security = domain
>>>     map to guest = bad user
>>>     local master = no
>>>     dos charset = 852
>>>     browseable = no
>>>     writable = yes
>>>     unix extensions = no
>>>
>>> [iss_num]
>>>      path = /mnt/data_raid/iss_num
>>>      comment = Projekt ISS_NUM
>>>      locking = yes
>>>      preserve case = no
>>>
>>> Everything looks OK, provided the machine has been joined to the
>>> domain. I personally wouldn't use a dot in the workgroup name, but I
>>> don't think this is your problem. What I think is happening is that
>>> you are mixing up Unix and Windows ACLs. What does 'ls -la
>>> /mnt/data_raid/iss_num' show? Is there a '+' sign at the end of the
>>> ACL, i.e. is it 'rwxrwxrwx' or 'rwxrwxrwx+'?
>>>
>>> Rowland
>>>
>
> OK, this means that you are mixing up Unix & Windows ACLs. If there
> was a '+' sign, this would mean that Unix (and Samba) was using
> Windows ACLs. You could try to give 'Everyone' read access from
> Windows and then look again from Unix with 'ls -la'; if you now have
> the '+' then good. If not, install the 'acl' & 'attr' packages and try
> again. Once you get the '+' sign, you can then look at the ACLs with
> 'getfacl /mnt/data_raid/iss_num'
>
> Rowland

Hi again, I forgot to say that you will probably need to add this to the
global part of your smb.conf:

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

Rowland
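The two checks Rowland walks through above (look for the '+' at the end of the mode field in 'ls -la', and make sure the acl_xattr lines are in [global]) can be scripted. The script below is an added example written for this page, not code from the thread or from the Samba project; the listing lines and the two smb.conf fragments it feeds to the checks are constructed sample data, trimmed from the config Peter posted.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks that follow the diagnosis
# steps discussed above. All sample data in this file is constructed.

# has_posix_acl LINE
#   LINE is one line of `ls -ld` / `ls -la` output. Returns 0 when the mode
#   field (first column) ends in '+', meaning the file carries an extended
#   POSIX ACL (which is where Samba's acl_xattr setup ends up storing the
#   mapped Windows ACL). Returns 1 for a plain mode such as -rwxrwxrwx.
has_posix_acl() {
    mode=${1%% *}          # first whitespace-separated field
    case "$mode" in
        *+) return 0 ;;
        *)  return 1 ;;
    esac
}

# acl_xattr_configured FILE
#   Returns 0 when the smb.conf text in FILE contains the three settings
#   recommended in the thread, otherwise prints the missing ones and
#   returns 1. Matching is case-insensitive and ignores leading whitespace,
#   as smbd itself does for parameter names.
acl_xattr_configured() {
    f=$1
    missing=""
    grep -Eiq '^[[:space:]]*vfs objects[[:space:]]*=.*acl_xattr' "$f" \
        || missing="$missing 'vfs objects = acl_xattr'"
    grep -Eiq '^[[:space:]]*map acl inherit[[:space:]]*=[[:space:]]*yes' "$f" \
        || missing="$missing 'map acl inherit = Yes'"
    grep -Eiq '^[[:space:]]*store dos attributes[[:space:]]*=[[:space:]]*yes' "$f" \
        || missing="$missing 'store dos attributes = Yes'"
    if [ -n "$missing" ]; then
        echo "missing from [global]:$missing"
        return 1
    fi
    return 0
}

# ---- constructed sample data ------------------------------------------
# Listing as Peter reported it: mode 777, no '+', so no extended ACL.
SAMPLE_LS_NOACL='-rwxrwxrwx 1 peter users 2048 Mar 10 09:00 report.xls'
# Listing you expect once Samba stores its ACLs on the filesystem.
SAMPLE_LS_ACL='-rwxrwxrwx+ 1 peter users 2048 Mar 10 09:00 report.xls'

SMBCONF_BEFORE=$(mktemp)
cat > "$SMBCONF_BEFORE" <<'EOF'
[global]
    workgroup = ldap1.sk
    security = domain
    unix extensions = no
EOF

SMBCONF_AFTER=$(mktemp)
cat > "$SMBCONF_AFTER" <<'EOF'
[global]
    workgroup = ldap1.sk
    security = domain
    unix extensions = no
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
EOF

for line in "$SAMPLE_LS_NOACL" "$SAMPLE_LS_ACL"; do
    if has_posix_acl "$line"; then
        echo "extended ACL present : $line"
    else
        echo "no extended ACL      : $line"
    fi
done

acl_xattr_configured "$SMBCONF_BEFORE" || echo "  -> add the three lines to [global]"
acl_xattr_configured "$SMBCONF_AFTER" && echo "config has the acl_xattr settings"

rm -f "$SMBCONF_BEFORE" "$SMBCONF_AFTER"
```

To run it against a live server, replace the sample strings with `ls -ld /mnt/data_raid/iss_num` output and point the second check at the real smb.conf (remember that the include files are part of the effective config; 'testparm -s' prints the merged result).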
