[Samba] ACL SHARE

Carlos A. P. Cunha carlos.hollow at gmail.com
Thu Jun 29 13:00:08 UTC 2017


Hello!
From what I have realized, the problem is not in Samba but in the way 
ACLs work with the mask.
I did several tests:

touch  bla
chmod 700 bla
ls -l bla
-rwx------ 1 USERX domain users 0 Jun 29 09:53 bla

cp bla /home/QUALIDADELEIT

getfacl  /home/QUALIDADELEIT

getfacl /home/QUALIDADELEITE/
getfacl: Removing leading '/' from absolute path names
# file: home/QUALIDADELEITE/
# owner: administrator
# group: qualidadeleite
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:qualidadeleite:rwx
default:mask::rwx
default:other::---

getfacl bla

# file: bla
# owner: root
# group: root
user::rw-
group::rwx                      #effective:r--
group:qualidadeleite:rwx        #effective:r--
mask::r--
other::---


Even after configuring the mask, the "effective" permission is recalculated because my 
file is 700 ...

Any ideas on that?


Regards


On 27-06-2017 17:29, Rowland Penny via samba wrote:
> On Tue, 27 Jun 2017 21:55:15 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> But thats easy scriptable. ;-)
>> I have my scripts always ready for that.
>> This is why i run samba in AD mode and not RID.
>>
>> If you compare the AD backend disadvantages
>> Disadvantages:
>> If the Windows Active Directory Users and Computers (ADUC) program is
>> not used, you have to manual track ID values to avoid duplicates. The
>> values for the RFC2307 attributes must be set manually.
> You don't have to manually track the IDs, if you are using your own
> scripts, you can script around this by adding the two missing
> attributes and then updating these after adding a new user or group
>
>> To RID
>> Disadvantages:
>>>> File ownership of domain users and groups are lost, when the local
>>>> ID mapping database corrupts. << is oh so nasty.
> Corrupt databases are possible whatever you use, but when you get one,
> yes it is nasty.
>   
>> All users on the domain member get the same login shell and home
>> directory base path assigned. User and group IDs are only the same on
>> other domain members using the rid back end, if the same ID ranges
>> are configured for the domain. All accounts and groups are
>> automatically available on the domain member and individual entries
>> cannot be excluded. Not recommended for multi-domain environments
>> because objects in different domains having the same relative
>> identifier (RID) get the same ID assigned.
> Agree with all those points, though I should comment on the last one.
> Work has been made to make it so that the DOMAIN ranges can overlap,
> though this will mean that you will probably not be able to use
> 'winbind use default domain = yes', not sure if this will make 4.7
>     
>> And managing the uid/gids from win7 RSAT tools is fine for me.
>>
>> But thats my opinion.
>>
>> RID.. Fine for home or a office server without shares or shared home
>> folders or guest shares. But your main document server, always AD
>> for me. It happened to me once.. 9 years ago. Arg .. At that point I
>> also didn't have nice scripts.. A night's work.. :-/
>>
>>
> I would tend to agree, if you only have one or two fileservers, you
> can use the 'rid' backend, any more than that, use the 'ad' backend. If
> you use a DC as a fileserver (not really recommended, but sometimes you
> have to) use the 'ad' backend.
>
> Rowland
>   
>

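The thread above shows the POSIX ACL mask clamping the group entries of a copied file. The following is an added example (not code from the thread or from Samba) that models the object-creation and mask rules from acl(5) and setfacl(1) in pure Python, using the default ACL of /home/QUALIDADELEITE shown above as constructed input. It shows why a file created there with mode 0700 gets mask::--- (the group bits of the creation mode become the mask, and the umask is ignored once a default ACL exists), that every group-class entry is ANDed with the mask, and that recalculating the mask as setfacl does by default (union of group-class entries) restores the effective rwx. The modes and the helper names are the example's own assumptions.

```python
"""Model of the POSIX ACL mask rules (acl(5), setfacl(1)).

Added example, not part of the mailing-list thread.  Constructed input:
the default ACL of /home/QUALIDADELEITE as printed by getfacl above.
"""

R, W, X = 4, 2, 1          # one rwx triplet, same encoding as a mode octet
RWX = R | W | X

# Constructed sample: the "default:" entries from the getfacl output above.
DEFAULT_ACL_TEXT = """
default:user::rwx
default:group::rwx
default:group:qualidadeleite:rwx
default:mask::rwx
default:other::---
"""


def perms_str(bits: int) -> str:
    """Render a permission triplet the way getfacl does, e.g. 5 -> 'r-x'."""
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


def parse_acl(text: str) -> dict:
    """Parse short-form getfacl lines into {(tag, qualifier): bits}.

    '#' comments and '#effective:' annotations are dropped and a leading
    'default:' is stripped, so the same parser serves both ACL kinds.
    """
    acl = {}
    for line in text.strip().splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        if line.startswith("default:"):
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        bits = (R if "r" in perms else 0) | (W if "w" in perms else 0) | (X if "x" in perms else 0)
        acl[(tag, qualifier)] = bits
    return acl


def is_group_class(tag: str, qualifier: str) -> bool:
    """Owning group, named groups and named users are the entries the mask caps."""
    return tag == "group" or (tag == "user" and qualifier != "")


def access_acl_from_default(default_acl: dict, mode: int) -> dict:
    """acl(5) object creation: copy the default ACL, then apply the creation mode.

    Owner bits -> user::, other bits -> other::, group bits -> mask:: when a
    mask entry exists (else group::).  The umask is not applied at all.
    """
    acl = dict(default_acl)
    acl[("user", "")] = (mode >> 6) & RWX
    acl[("other", "")] = mode & RWX
    if ("mask", "") in acl:
        acl[("mask", "")] = (mode >> 3) & RWX
    else:
        acl[("group", "")] = (mode >> 3) & RWX
    return acl


def effective(acl: dict) -> dict:
    """Effective permission per entry: group-class entries are ANDed with the mask."""
    mask = acl.get(("mask", ""), RWX)
    return {k: (bits & mask if is_group_class(*k) else bits) for k, bits in acl.items()}


def recalc_mask(acl: dict) -> dict:
    """What setfacl does without -n: mask = union of all group-class entries."""
    union = 0
    for (tag, qual), bits in acl.items():
        if is_group_class(tag, qual):
            union |= bits
    fixed = dict(acl)
    if ("mask", "") in fixed:
        fixed[("mask", "")] = union
    return fixed


def show(title: str, acl: dict) -> None:
    eff = effective(acl)
    print(f"# {title}")
    for (tag, qual), bits in acl.items():
        note = "" if eff[(tag, qual)] == bits else f"\t#effective:{perms_str(eff[(tag, qual)])}"
        print(f"{tag}:{qual}:{perms_str(bits)}{note}")
    print()


DEFAULT_ACL = parse_acl(DEFAULT_ACL_TEXT)

if __name__ == "__main__":
    created_700 = access_acl_from_default(DEFAULT_ACL, 0o700)   # cp of a 0700 file
    show("file created with mode 0700: mask is ---, group entries clamped", created_700)
    show("same file after setfacl-style mask recalculation", recalc_mask(created_700))
    show("file created with mode 0770: group bits give mask rwx", access_acl_from_default(DEFAULT_ACL, 0o770))
```

The practical reading is that a default ACL alone does not guarantee group access: the creating process's mode still decides the mask, so either create files with group bits set or re-run setfacl (without -n) after the copy so the mask is recalculated from the group entries.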

