[Samba] book of samba 4.1 or 4.2

Alex Crow acrow at integrafin.co.uk
Fri Nov 18 20:06:15 UTC 2016

On 17/11/16 20:19, Rowland Penny via samba wrote:
> On Thu, 17 Nov 2016 20:07:26 +0000
> Alex Crow via samba <samba at lists.samba.org> wrote:
>> On 17/11/16 19:48, Rowland Penny via samba wrote:
>>> If you are running Samba as an AD DC or domain member, then you
>>> shouldn't be using 'valid' & 'invalid' any more. As for creating
>>> users etc, samba-tool comes with help, try running 'samba-tool
>>> --help'
>>> If you have more questions, please feel free to ask ;-)
>>> Rowland
>> What? Really? "valid users" and "invalid users" doesn't work on a
>> Samba 4 AD member?
> Just where did I say 'doesn't' ???
> I said 'shouldn't', you should use ACL's instead, either by setting the
> permissions from windows or with setfacl

Well, "shouldn't" often implies "deprecated" and "will break soon"!
We've suffered breakages with idMap on our old Samba 3 NT Domain with
member file servers. It was quite unexpected and we had to contract a
commercial support company to help us resolve it. And think this even
happened within a minor version update. So I hope you can understand
that I'm naturally cautious about future changes.

>> We reply on this for shares that have other shares below them (Posix
>> ACLs only). Where is it documented that this is now not functional?
> It is still functional, but is the old way of doing things, if you are
> using them, carry on, but there are better ways of doing it now.

As long as it's clearly announced in release notes (in new/removed
features part) when a) it's deprecated and b) it has been disabled,
that's fine with me.

>> I'm hoping it just means it's deprecated and some other mechanism has
>> supplanted it, in which case I'd like to know how to restrict at the
>> share level properly!
> Try reading this:
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
> Rowland

I've read that, but we have a number of scripts that currently work with
the "old way". I assume that the "new way" will not actually stop
permissions set with POSIX ACLs from working properly? It seems so from
my testing with our staging AD domain where we have the "new way"
enabled but no changes have been made to FS ACLs/xattrs so far...




This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).

More information about the samba mailing list