[Samba] "missing security tab" and related ACL issues
Stefan G. Weichinger
lists at xunil.at
Fri Sep 7 12:02:01 UTC 2018
On 07.09.18 at 12:45, Rowland Penny via samba wrote:
> On Fri, 7 Sep 2018 11:22:36 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>>
>> At a customer server (gentoo linux, so far only Samba version 4.7.7)
>> we tried to use Windows ACLs and failed:
>>
>> no security tab in Windows ... for local C: yes, not on samba shares
>>
>> Yes, I followed
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> and have the vfs module enabled etc
>>
>> -
>>
>> Now I consider that the kernel doesn't have the necessary flags set.
>>
>> I get
>>
>> # getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
>> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
>>
>> but
>>
>> # getfacl /mnt/MSA2040/smb/IT
>> getfacl: Removing leading '/' from absolute path names
>> # file: mnt/MSA2040/smb/IT
>> # owner: ittner
>> # group: dom�nen-benutzer
>> user::rwx
>> group::rwx
>> other::r-x
>>
>> -
>>
>> From the old kernel config I see these flags unset:
>>
>> # CONFIG_EXT4_FS_POSIX_ACL is not set
>> # CONFIG_EXT4_FS_SECURITY is not set
>>
>> So I prepared a new kernel with these 2 flags enabled and will reboot
>> at 2:30pm ... We'll see!
>>
>> Any other issues I might miss here?
>>
>>
>
> Apart from the fact getattr works on an EA and getfacl works on
> extended ACL's i.e. different things ? ;-)

What? One works, the other not ... I interpret that the kernel doesn't
support the ACL-feature of ext4

> Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
> What is the German for 'admins' ?

wbinfo -g

shows "dom�nen-admins"

while

# wbinfo -g | grep -i admin
specops endpoint protection report admins
dnsadmins
schema-admins
organisations-admins
Binary file (standard input) matches

?? no "domänen-admins" in here

and

net rpc rights grant "DOM\domänen-admins" SeDiskOperatorPrivilege -U "DOM\administrator"

fails because the group is not found

I asked that already some time ago

and I try to work around that by granting that right to a group called
IT and the few admins in there

At 2:30pm we plan to reboot into the other kernel.
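
Added example, not part of the original post or of Samba: a shell check that separates the two things the thread is debating, namely whether the kernel config has the two ext4 options enabled and what the getfattr error on security.NTACL actually indicates. The function names and script usage are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# The two ext4 options the post found unset in the old kernel config.
REQUIRED_OPTS="CONFIG_EXT4_FS_POSIX_ACL CONFIG_EXT4_FS_SECURITY"

# Read a kernel config on stdin; print every required option that is not "=y".
missing_kernel_opts() {
    cfg=$(cat)
    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$cfg" | grep -qx "${opt}=y" || echo "$opt"
    done
}

# Map getfattr's error text to a diagnosis.
#   unsupported     - the filesystem/kernel refuses this xattr namespace
#   supported-unset - xattrs work, but no NT ACL is stored on this path yet
#   present         - no error text: the attribute could be read
classify_getfattr() {
    case $1 in
        *"Operation not supported"*) echo unsupported ;;
        *"No such attribute"*)       echo supported-unset ;;
        "")                          echo present ;;
        *)                           echo unknown ;;
    esac
}

# Usage: sh check_ntacl.sh <path-on-share> [kernel-config-file]
if [ $# -ge 1 ]; then
    # Keep only stderr; --absolute-names suppresses the leading-'/' warning.
    err=$(getfattr --absolute-names -n security.NTACL "$1" 2>&1 >/dev/null) || true
    echo "security.NTACL on $1: $(classify_getfattr "$err")"
    if [ $# -ge 2 ]; then
        missing_kernel_opts < "$2"
    elif [ -r /proc/config.gz ]; then   # exists only with CONFIG_IKCONFIG_PROC
        zcat /proc/config.gz | missing_kernel_opts
    fi
fi
```

An "unsupported" result together with a non-empty option list matches the situation described in the post; "supported-unset" after the reboot would mean the filesystem accepts the attribute and no NT ACL has been written to that path yet.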