[Samba] Linux fs ACL ignored for Samba4 share in Windows?

Mgr. Peter Tuharsky tuharsky at misbb.sk
Tue Mar 10 07:17:29 MDT 2015


Well, does that mean that Samba needs Xattr for proper operation?
I assumed that rwx for "others" in Unix should be translated as
"Everyone read write" by Samba.


On 10.03.2015 at 11:23, Rowland Penny wrote:
> On 10/03/15 10:01, Rowland Penny wrote:
>> On 10/03/15 09:51, Mgr. Peter Tuharsky wrote:
>>> This command lists all directories in iss_num. However the . (iss_num
>>> itself) has drwxrwxr-x
>>>
>>> Now for the incriminating file example that shows abnormal ACL in
>>> Windows: the file resides in iss_num/am/uz and has -rwxrwxrwx
>>>
>>> So there is no + in listing for share directory nor for files in the
>>> directory structure.
>>>
>>> Peter
>>>
>>>
>>> On 10.03.2015 at 10:37, Rowland Penny wrote:
>>>> On 10/03/15 07:16, Mgr. Peter Tuharsky wrote:
>>>>> Hm, it is quite large. I will snip all comments out and all shares that
>>>>> are not interesting
>>>>>
>>>>> smb.conf:
>>>>>
>>>>> [global]
>>>>>
>>>>>      workgroup = ldap1.sk
>>>>>      server string = server %L
>>>>>      wins support = no
>>>>>      dns proxy = no
>>>>>      netbios aliases = datastore dokumenty iss pravo prenos matriky
>>>>>      log file = /var/log/samba/log.%m
>>>>>      max log size = 1000
>>>>>      syslog = 0
>>>>>      panic action = /usr/share/samba/panic-action %d
>>>>>      log level = 2
>>>>>      security = domain
>>>>>      encrypt passwords = true
>>>>>      passdb backend = tdbsam
>>>>>      obey pam restrictions = no
>>>>>      unix password sync = no
>>>>>      map to guest = bad user
>>>>>      domain logons = no
>>>>>      domain master = auto
>>>>>      local master = no
>>>>>      usershare allow guests = no
>>>>>
>>>>>
>>>>> include = /etc/samba/smb-global.conf
>>>>> include = /etc/samba/smb-datastore.conf
>>>>>
>>>>>
>>>>> smb-global.conf:
>>>>> [global]
>>>>>
>>>>>       dos charset = 852
>>>>>       unix charset = UTF8
>>>>>       dos filetimes = yes
>>>>>       browseable = no
>>>>>       guest ok = no
>>>>>       public = no
>>>>>       writable = yes
>>>>>       unix extensions = no
>>>>>       follow symlinks = yes
>>>>>
>>>>> smb-datastore.conf:
>>>>>
>>>>> [iss_num]
>>>>>       path = /mnt/data_raid/iss_num
>>>>>       comment = Projekt ISS_NUM
>>>>>       locking = yes
>>>>>       default case = lower
>>>>>       preserve case = no
>>>>>
>>>>> On 09.03.2015 at 10:49, Rowland Penny wrote:
>>>>>> On 09/03/15 09:21, Mgr. Peter Tuharsky wrote:
>>>>>>> Hallo,
>>>>>>>
>>>>>>> we have Samba 3 domain w/LDAP backend. Recently we have set up Samba
>>>>>>> 4.1.7 fileserver, a member of the domain, as a first step of full
>>>>>>> migration to Samba 4.
>>>>>>>
>>>>>>> Now, we have problem with file ACL on the Samba4 fileserver. Linux ext4
>>>>>>> fs has 777 ACLs for the file. Why does it look like in Windows (both XP
>>>>>>> and 2k8r2) that "Everyone" has not write permission?
>>>>>>>
>>>>>>> Sincerely
>>>>>>> Peter
>>>>>>>
>>>>>> Hi, any chance you can post the smb.conf from the samba 4.1.7
>>>>>> fileserver ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>> OK, after I removed the default settings, I ended up with this:
>>>>
>>>> [global]
>>>>     workgroup = ldap1.sk
>>>>     server string = server %L
>>>>     dns proxy = no
>>>>     netbios aliases = datastore dokumenty iss pravo prenos matriky
>>>>     log file = /var/log/samba/log.%m
>>>>     max log size = 1000
>>>>     syslog = 0
>>>>     panic action = /usr/share/samba/panic-action %d
>>>>     log level = 2
>>>>     security = domain
>>>>     map to guest = bad user
>>>>     local master = no
>>>>     dos charset = 852
>>>>     browseable = no
>>>>     writable = yes
>>>>     unix extensions = no
>>>>
>>>> [iss_num]
>>>>      path = /mnt/data_raid/iss_num
>>>>      comment = Projekt ISS_NUM
>>>>      locking = yes
>>>>      preserve case = no
>>>>
>>>> Everything looks ok, provided the machine has been joined to the
>>>> domain. I personally wouldn't use a dot in the workgroup name, but I
>>>> don't think this is your problem. What I think is happening, is that
>>>> you are mixing up Unix and windows acls, what does 'ls -la
>>>> /mnt/data_raid/iss_num' show, is there a '+' sign at the end of the
>>>> acl ? i.e. is it 'rwxrwxrwx' or 'rwxrwxrwx+'
>>>>
>>>> Rowland
>>>>
>>
>> OK, this means that you are mixing up Unix & windows acls, if there
>> was a '+' sign, this would mean that Unix (and samba) was using
>> windows ACLs. You could try and give 'Everyone' read access from
>> windows and then look again from unix with 'ls -la', if you now have
>> the '+' then good. If not, install the 'acl' & 'attr' packages and
>> try again, once you get the '+' sign, you can then look at the ACLs
>> with 'getfacl /mnt/data_raid/iss_num'
>>
>> Rowland
>
> Hi again, forgot to say that you will probably need to add this to the
> global part of your smb.conf:
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> Rowland
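
Added example (not part of the original thread and not Samba's own code): a small Python check that reads the smb.conf fragments quoted above, follows their include lines, and reports which of the three [global] settings suggested at the end of the thread are missing. The file contents are constructed from the thread; treating include as inline splicing and accepting only yes/true/1 as boolean true are assumptions of this sketch.

```python
import re

# Constructed sample: trimmed copies of the three files quoted in the thread.
FILES = {
    "/etc/samba/smb.conf": "[global]\n  security = domain\n"
        "  include = /etc/samba/smb-global.conf\n"
        "  include = /etc/samba/smb-datastore.conf\n",
    "/etc/samba/smb-global.conf": "[global]\n  unix extensions = no\n",
    "/etc/samba/smb-datastore.conf": "[iss_num]\n  path = /mnt/data_raid/iss_num\n",
}
# [global] settings suggested in the thread; the last two are booleans.
SUGGESTED = ("vfs objects", "map acl inherit", "store dos attributes")

def norm(name):
    """smb.conf ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()

def expand(path, files):
    """Yield config lines, splicing in each 'include =' file (assumed inline)."""
    for raw in files[path].splitlines():
        line = raw.strip()
        key, sep, value = line.partition("=")
        if sep and norm(key) == "include":
            yield from expand(value.strip(), files)
        elif line and line[0] not in "#;":
            yield line

def parse(path, files):
    """Return {section: {normalized parameter: value}}."""
    conf, section = {}, "global"
    for line in expand(path, files):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        else:
            key, _, value = line.partition("=")
            conf.setdefault(section, {})[norm(key)] = value.strip()
    return conf

def missing(conf):
    """List the suggested [global] settings that are absent or disabled."""
    out = []
    for name in SUGGESTED:
        have = conf.get("global", {}).get(norm(name), "").lower()
        if name == "vfs objects":
            ok = "acl_xattr" in have.split()
        else:
            ok = have in ("yes", "true", "1")
        if not ok:
            out.append(name)
    return out

print(missing(parse("/etc/samba/smb.conf", FILES)))
```

On a live server, `testparm -s` gives the authoritative merged view of the configuration.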


