[Samba] Samba43 ACL's issues

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Thu Jun 23 02:28:27 UTC 2016


DCs seem to do odd things, that member servers don't, when it comes to file
serving.  That's why the Samba team recommends to not do file serving on a
DC.

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction

I've found that on a DC, the create mask, force create mode, directory
mask, and force directory mode will be ignored unless nt acl support option
is set to no.

nt acl support = no

I'm not sure what other consequences this may have with your setup, so
you'll just have to experiment.

Mike E.


On Wed, Jun 22, 2016, 9:32 PM Juan Garcia <juan at ish.com.au> wrote:

> On 21/06/2016 10:22 PM, Mueller wrote:
> > What about this in your global section
> >          create mask = 770
> >          force create mode = 770
> >          directory mask = 770
> >          force directory mode = 770
> >
> > Greetings
> > Daniel
> >
>
> Hi Daniel, Thanks for your response. Those settings are already in my
> smb4.conf
>
> # Global parameters
> [global]
>          interfaces = 192.168.1.100
>          bind interfaces only = yes
>         workgroup = CW1
>         realm = DOMAIN.NAME.COM.AU
>         netbios name = SERVER1
>          server role = active directory domain controller
>          dns forwarder = 192.168.1.1
>          printing = bsd
>          server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
>          restrict anonymous = 1
>          vfs objects = acl_xattr
>          map acl inherit = Yes
>          store dos attributes = no
>          unix extensions = no
>          inherit acls = yes
>          inherit permissions = yes
>          ea support = no
>          idmap_ldb:use rfc2307 = yes
>          browseable= yes
>          writable = yes
>          read only= no
>          create mask = 770
>          force create mode = 770
>          directory mask = 770
>          force directory mode = 770
>
> The problem is not about accessing folders, we want to be able to assign
> to a specific folder different permissions inside the same file share.
>
> Let's say I have this set up:
>
> Share:
> Public/
>
> Subfolder:
> Public/folder1
>
> Required Permissions:
> DM\user.one -> full access
> DM\user.two -> readonly
>
> So in Windows with an administrator account I right click on the folder
> to assign these permissions on the Security tab, right after I hit
> "apply" I get:
> An error occurred while applying security information to:
> Public/folder1
> The parameter is incorrect
>
>
> Any ideas?
>
> >
> > EDV Daniel Müller
> >
> > Head of IT
> > Tropenklinik Paul-Lechler-Krankenhaus
> > Paul-Lechler-Str. 24
> > 72076 Tübingen
> > Tel.: 07071/206-463, Fax: 07071/206-499
> >  Email: mueller at tropenklinik.de
> >  www.tropenklinik.de
> >  www.bauen-sie-mit.tropenklinik.de
> >
> >
> >
> >
> > -----Original Message-----
> > From: Juan Garcia [mailto:juan at ish.com.au]
> > Sent: Tuesday, 21 June 2016 13:47
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba43 ACL's issues
> >
> > Hi there,
> >
> > I'm having trouble with permissions and ACL's running samba43.
> >
> > I want to be able to set permissions on a folder to a specific user.
> >
> > I'm having a similar issue reported here
> https://lists.samba.org/archive/samba/2010-July/156965.html
> >
> > However my error message is slightly different:
> >
> > When I set the permission on a specific user by creating a new folder
> inside the share, right click -> properties -> security tab I get:
> >
> > An error occurred while applying security information to:
> >
> > \\servername\test
> >
> > The parameter is incorrect
> >
> >
> > I have tried changing the permissions manually with "chmod a+rwx /test/"
> >
> > But this does not look like a permissions problem; this looks more like
> Samba or some setting in smb4.conf itself
> >
> >
> > This is my smb4.conf file:
> >
> > # Global parameters
> > [global]
> >          interfaces = 192.168.1.100
> >          bind interfaces only = yes
> >          workgroup = CW1
> >          realm = DOMAIN.NAME.COM.AU
> >          netbios name = SERVER1
> >          server role = active directory domain controller
> >          dns forwarder = 192.168.1.1
> >          printing = bsd
> >          server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> >          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
> >          restrict anonymous = 1
> >          map acl inherit = no
> >          store dos attributes = yes
> >          unix extensions = no
> >          ea support = no
> >          idmap_ldb:use rfc2307 = yes
> >          browseable= yes
> >          writable = yes
> >          read only= no
> >          create mask = 770
> >          force create mode = 770
> >          directory mask = 770
> >          force directory mode = 770
> >          kerberos method = system keytab
> >          client ldap sasl wrapping = sign
> >          allow dns updates = nonsecure and secure
> >
> > [test]
> >          path = /var/fileshare/test
> >          valid users = @DOMAIN.NAME.COM.AU\staff
> >          guest ok = yes
> >          read only = no
> >
> > Not sure what I am missing, I appreciate your help.
> >
> > Regards,
> >
>
>
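
A configuration lint for the behaviour described in the top reply, as an added example that is not part of the original thread or of Samba itself: it lists shares on a DC where the mask parameters are set but `nt acl support` is not `no`, so the intended Unix modes may not be applied. The rule encodes the poster's observation rather than documented Samba behaviour; `SAMPLE` is constructed and the `[legacy]` share is hypothetical.

```python
import re

# The four parameters named in the thread, normalised (Samba ignores case and spaces in names).
MASK_PARAMS = {"createmask", "forcecreatemode", "directorymask", "forcedirectorymode"}
FALSE_VALUES = {"no", "false", "0", "off"}
DC_ROLE = "active directory domain controller"

# Constructed sample based on the configuration in the thread; [legacy] is hypothetical.
SAMPLE = """\
[global]
    server role = active directory domain controller
    create mask = 770
    force directory mode = 770
[test]
    path = /var/fileshare/test
[legacy]
    path = /srv/legacy
    nt acl support = no
"""

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def masks_likely_ignored(text):
    """List (share, mask_params) pairs where masks are set on a DC with NT ACL support on."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("serverrole", "").lower() != DC_ROLE:
        return []
    findings = []
    for share, params in conf.items():
        effective = {**glob, **params}  # share settings override [global]
        masks = sorted(MASK_PARAMS & effective.keys())
        nt_acl = effective.get("ntaclsupport", "yes").lower()  # Samba default is yes
        if share != "global" and masks and nt_acl not in FALSE_VALUES:
            findings.append((share, masks))
    return findings
```

Calling `masks_likely_ignored(SAMPLE)` reports only `[test]`, because `[legacy]` turns NT ACL support off at share level.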

