[Samba] ACL - samba vs filesystem

lejeczek peljasz at yahoo.co.uk
Thu Jul 19 11:50:04 UTC 2018


On 19/07/18 12:17, Rowland Penny via samba wrote:
> On Thu, 19 Jul 2018 11:46:43 +0100
> lejeczek via samba <samba at lists.samba.org> wrote:
>
>> On 19/07/18 10:58, Rowland Penny via samba wrote:
>>> On Thu, 19 Jul 2018 10:32:04 +0100
>>> lejeczek via samba <samba at lists.samba.org> wrote:
>>>
>>>> hi guys
>>>>
>>>> my samba share has
>>>>
>>>> inherit acls = Yes
>>>>
>>>> and inherits(I guess) from global:
>>>>
>>>> create mask = 0744
>>>> directory mask = 0755
>>>>
>>>> Now, share's underlying filesystem has acls set on a folder:
>>>>
>>>> user::rwx
>>>> user:me:rwx
>>>> user:appmgr:r-x
>>>> group::---
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:me:rwx
>>>> default:user:appmgr:r-x
>>>> default:group::---
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> In shell when I create a file in that folder I see:
>>>>
>>>>
>>>> user::rw-
>>>> user:me:rwx            #effective:rw-
>>>> user:appmgr:r-x            #effective:r--
>>>> group::---
>>>> mask::rw-
>>>> other::---
>>>>
>>>> but when I make a new file in a Windows client then shell shows:
>>>>
>>>> user::rwx
>>>> user:me:rwx            #effective:---
>>>> user:appmgr:r-x            #effective:---
>>>> group::---
>>>> mask::---
>>>> other::---
>>>>
>>>> Why is that? Am I missing something in samba's configuration?
>>>>
>>>> I'm thinking - ideally might be if I got rid of mask but I'm not
>>>> sure how.
>>>>
>>>> many thanks, L.
>>>>
>>>>
>>>>
>>> You don't give us much to go on,
>> what is it that I did not give out?
>> Samba is 4.7.1 on Centos 7.5
> You didn't tell us that before ;-)
>
>> Except for:
>>    inherit acls = Yes
>> everything is samba vanilla default.
> Yes, but what 'vanilla default' ?
>
> I have absolutely no idea just how you are running Samba, is it a Unix
> domain member, standalone server or what ?
>
>> One thing though is the shares are off glusterfs directly, so:
>>
>> fs objects = glusterfs
>> glusterfs:volume = GROUP-WORK
>> path = /
> Well, that is definitely not a 'vanilla' Samba option.
>
>> and local filesystem is a mount via autofs with acl option.
> again, not a Samba 'vanilla' option and what 'acl' option ?
>
>>>    but I think you are mixing up using
>> I fail to see where I'm mixing those up.
>> I do not get how creating files, but also folders, gets me different
>> mask/effective between shell and windows clients, eg of a new folder:
> I guessed that you are running a Unix domain member and you CANNOT use
> POSIX acls and Windows ACLs at the same time, they mess with each other.
>
> This will be POSIX
>> shell's mkdir:
>>
>> user::rwx
>> user:me:rwx
>> user:appmgr:r-x
>> group::---
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:me:rwx
>> default:user:appmgr:r-x
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
> and this will be Windows ACLs
>
>> windows via samba:
>>
>> user::rwx
>> user:me:rwx            #effective:r-x
>> user:appmgr:r-x
>> group::---
>> mask::r-x
>> other::---
>> default:user::rwx
>> default:user:me:rwx
>> default:user:appmgr:r-x
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
>> and parent folder has:
>>
>> user::rwx
>> user:me:rwx
>> user:appmgr:r-x
>> group::---
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:me:rwx
>> default:user:appmgr:r-x
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
>> Why samba calculates it differently, I fail to get that.
> Because you are trying to get Samba (and the OS) to do two things at
> once.
>
> Rowland
>
>
>
yes, shell is posix and samba is win acl, yes.

Samba is a PDC (the only controller) in classic mode, security = user (no
AD), with ldap user backend.

Windows boxes are clients of only that samba domain.

When I do shell/posix I do it on the Samba server locally.

If I, well.. certainly not purposefully so not I, again: pretty vanilla 
samba config, so...  if samba ignores posix and calculates mask 
independently then where does she do it?

inherit acls = Yes - this seems to work, ACLs are there but that
mask/effective is not what posix gets me, and I'd like samba to do what
setfacl mandates.

Also:  acl map full control = Yes - is set by default.
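
Added example, not part of the original message and not Samba code: a Python model of the POSIX.1e inheritance rule from acl(5), under which a new object copies the parent's default ACL and the group bits of the creating mode are ANDed into the mask entry. It is fed the default ACL from the thread; 0666 is what touch requests, 0755 is the thread's directory mask, and 0700 is a constructed mode with the group bits clear, since the thread does not state which mode Samba passed for the file.

```python
# Added illustration: POSIX.1e ACL inheritance as described in acl(5).
# Entries are (tag, qualifier, perms) with perms as a 3-bit int (r=4, w=2, x=1).

def perms(s):
    """'r-x' -> 5"""
    return sum(bit for ch, bit in zip(s, (4, 2, 1)) if ch != "-")

def fmt(p):
    return "".join(ch if p & bit else "-" for ch, bit in zip("rwx", (4, 2, 1)))

def inherit(default_acl, mode):
    """Access ACL of a new object created with `mode` under a directory
    carrying `default_acl`. The umask is not applied when a default ACL exists."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    out = []
    for tag, qual, p in default_acl:
        if tag == "user" and qual == "":
            p &= owner
        elif tag == "mask":
            p &= group          # group-class bits of the mode land on the mask
        elif tag == "group" and qual == "" and not has_mask:
            p &= group
        elif tag == "other":
            p &= other
        out.append((tag, qual, p))
    return out

def listing(acl):
    """getfacl-style lines, with the effective rights of masked entries."""
    mask = next((p for tag, _, p in acl if tag == "mask"), 7)
    lines = []
    for tag, qual, p in acl:
        line = f"{tag}:{qual}:{fmt(p)}"
        masked = tag == "group" or (tag == "user" and qual != "")
        if masked and (p & mask) != p:
            line += f"\t#effective:{fmt(p & mask)}"
        lines.append(line)
    return lines

# Default ACL of the parent folder, copied from the thread.
DEFAULT = [("user", "", perms("rwx")), ("user", "me", perms("rwx")),
           ("user", "appmgr", perms("r-x")), ("group", "", perms("---")),
           ("mask", "", perms("rwx")), ("other", "", perms("---"))]

if __name__ == "__main__":
    for label, mode in (("touch, 0666", 0o666), ("directory mask, 0755", 0o755),
                        ("constructed, 0700", 0o700)):
        print(label, *listing(inherit(DEFAULT, mode)), sep="\n  ")
```

The three outputs match the access entries of the shell-created file, the Windows-created folder and the Windows-created file listed in the thread.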



