[Samba] "missing security tab" and related ACL issues

Stefan G. Weichinger lists at xunil.at
Fri Sep 7 12:02:01 UTC 2018


Am 07.09.18 um 12:45 schrieb Rowland Penny via samba:
> On Fri, 7 Sep 2018 11:22:36 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
>>
>> At a customer server (gentoo linux, so far only Samba version 4.7.7)
>> we tried to use Windows ACLs and failed:
>>
>> no security tab in Windows ... for local C: yes, not on samba shares
>>
>> Yes, I followed
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> and have the vfs module enabled etc
>>
>> -
>>
>> Now I consider that the kernel doesn't have the necessary flags set.
>>
>> I get
>>
>> # getfattr -n security.NTACL -d  /mnt/MSA2040/smb/IT
>> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
>>
>> but
>>
>> # getfacl /mnt/MSA2040/smb/IT
>> getfacl: Removing leading '/' from absolute path names
>> # file: mnt/MSA2040/smb/IT
>> # owner: ittner
>> # group: dom�nen-benutzer
>> user::rwx
>> group::rwx
>> other::r-x
>>
>> -
>>
>>   From the old kernel config I see these flags unset:
>>
>> # CONFIG_EXT4_FS_POSIX_ACL is not set
>> # CONFIG_EXT4_FS_SECURITY is not set
>>
>> So I prepared a new kernel with these 2 flags enabled and will reboot
>> at 2:30pm ... We'll see!
>>
>> Any other issues I might miss here?
>>
>>
> 
> Apart from the fact getattr works on an EA and getfacl works on
> extended ACL's i.e. different things ? ;-)

what? One works, the other not ... I interpret that the kernel doesn't 
support the ACL-feature of ext4


> Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
> What is the German for 'admins' ?

wbinfo -g

shows "dom�nen-admins"

while


# wbinfo -g | grep -i admin
specops endpoint protection report admins
dnsadmins
schema-admins
organisations-admins
Binary file (standard input) matches

?? no "domänen-admins" in here

and

net rpc rights grant "DOM\domänen-admins" SeDiskOperatorPrivilege -U "DOM\administrator"

fails because the group is not found

I asked that already some time ago

and I try to work around that by granting that right to a group called 
IT and the few admins in there

At 2:30pm we plan to reboot into the other kernel.
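
Added example, not part of the original message or of Samba's own code: a Python check that reads a kernel config for the two ext4 options named above and classifies the errno from reading `security.NTACL`, separating "namespace not supported" (the getfattr error shown) from "supported but not set". The function names, the constructed sample configs and the option-to-xattr mapping are assumptions of this example.

```python
import errno
import os
import re

# Assumed mapping: ext4 kernel option -> xattr it backs (options taken from the post).
EXT4_OPTIONS = {
    "CONFIG_EXT4_FS_SECURITY": "security.NTACL",
    "CONFIG_EXT4_FS_POSIX_ACL": "system.posix_acl_access",
}

# Constructed sample configs: the "old" kernel as quoted in the post, and a rebuilt one.
OLD_CONFIG = """CONFIG_EXT4_FS=y
# CONFIG_EXT4_FS_POSIX_ACL is not set
# CONFIG_EXT4_FS_SECURITY is not set
"""
NEW_CONFIG = "CONFIG_EXT4_FS=y\nCONFIG_EXT4_FS_POSIX_ACL=y\nCONFIG_EXT4_FS_SECURITY=y\n"

def parse_kconfig(text):
    """Return {option: value}, with None for '# CONFIG_X is not set' lines."""
    opts = {}
    for line in text.splitlines():
        unset = re.match(r"#\s*(CONFIG_\w+) is not set", line.strip())
        setv = re.match(r"(CONFIG_\w+)=(.*)", line.strip())
        if unset:
            opts[unset.group(1)] = None
        elif setv:
            opts[setv.group(1)] = setv.group(2)
    return opts

def missing_ext4_support(opts):
    """List (option, xattr) pairs whose kernel option is absent or unset."""
    return [(o, x) for o, x in EXT4_OPTIONS.items() if opts.get(o) != "y"]

def classify(err):
    """Say what the errno of a getxattr call implies about the filesystem."""
    if err == 0:
        return "attribute present"
    if err == errno.ENODATA:
        return "supported, attribute not set"
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "xattr namespace not supported"
    return "other error: " + os.strerror(err)

def probe(path, name="security.NTACL"):
    """Read one xattr from path (Linux only) and classify the outcome."""
    try:
        os.getxattr(path, name)
        return classify(0)
    except OSError as e:
        return classify(e.errno)
```

On the running system, pass the contents of the kernel config (for example from `/proc/config.gz`, if the kernel exposes it) to `parse_kconfig`, and call `probe()` on the share path.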



