[Samba] "missing security tab" and related ACL issues

Rowland Penny rpenny at samba.org
Fri Sep 7 13:25:27 UTC 2018


On Fri, 7 Sep 2018 14:02:01 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 07.09.18 um 12:45 schrieb Rowland Penny via samba:
> > On Fri, 7 Sep 2018 11:22:36 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> > 
> >>
> >> At a customer server (gentoo linux, so far only Samba version
> >> 4.7.7) we tried to use Windows ACLs and failed:
> >>
> >> no security tab in Windows ... for local C: yes, not on samba
> >> shares
> >>
> >> Yes, I followed
> >>
> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >>
> >> and have the vfs module enabled etc
> >>
> >> -
> >>
> >> Now I consider that the kernel doesn't have the necessary flags
> >> set.
> >>
> >> I get
> >>
> >> # getfattr -n security.NTACL -d  /mnt/MSA2040/smb/IT
> >> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
> >>
> >> but
> >>
> >> # getfacl /mnt/MSA2040/smb/IT
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: mnt/MSA2040/smb/IT
> >> # owner: ittner
> >> # group: domänen-benutzer
> >> user::rwx
> >> group::rwx
> >> other::r-x
> >>
> >> -
> >>
> >>   From the old kernel config I see these flags unset:
> >>
> >> # CONFIG_EXT4_FS_POSIX_ACL is not set
> >> # CONFIG_EXT4_FS_SECURITY is not set
> >>
> >> So I prepared a new kernel with these 2 flags enabled and will
> >> reboot at 2:30pm ... We'll see!
> >>
> >> Any other issues I might miss here?
> >>
> >>
> > 
> > Apart from the fact getfattr works on an EA and getfacl works on
> > extended ACLs, i.e. different things ? ;-)
> 
> what? One works, the other not ... I interpret that the kernel
> doesn't support the ACL-feature of ext4

From what you have posted it doesn't, but when you do get them working,
you need to understand that EAs and ACLs can work together or
independently.
If 'acl_xattr:ignore system acls = yes' is set, they work
independently; if it isn't, they work together, see 'man
vfs_acl_xattr' for more info.

> 
> 
> > Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
> > What is the German for 'admins' ?
> 
> wbinfo -g
> 
> shows "domänen-admins"
> 
> while
> 
> 
> # wbinfo -g | grep -i admin
> specops endpoint protection report admins
> dnsadmins
> schema-admins
> organisations-admins
> Binary file (standard input) matches
> 
> ?? no "domänen-admins" in here

Very strange, I get:
enterprise admins
domain admins
schema admins
dnsadmins

Okay, hands up, who kidnapped 'enterprise admins' & 'domain admins' :-)

> 
> and
> 
> net rpc rights grant "DOM\domänen-admins" SeDiskOperatorPrivilege -U 
> "DOM\administrator"
> 
> fails because the group is not found

Well it would fail, wouldn't it, your 'domain admins' group has been
kidnapped.

> 
> I asked that already some times ago
> 
> and I try to work around that by granting that right to a group
> called IT and the few admins in there


We need to find if the group has actually disappeared.

Run this on a DC:

ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator

Replace 'dc3' with the DC's name.

It should display the Domain Admins object

> 
> At 2:30pm we plan to reboot into the other kernel.
> 
> 

See here: https://wiki.samba.org/index.php/File_System_Support

If it passes the tests there, you should be good to go.

Rowland
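The thread's two manual checks (scanning the kernel config for the unset ext4 ACL/security options, and probing a share directory for extended-attribute support, which is what the "Operation not supported" from getfattr was reporting) can be scripted. The following is an added example written for this page, not code from the thread or from the Samba project. It parses a kernel `.config` for the two options named above and probes a path with a `user.*` xattr, since reading `security.NTACL` itself needs root; the option list, the xattr name `user.samba_acl_probe` and the sample config excerpt are constructed for the example.

```python
#!/usr/bin/env python3
"""Pre-flight checks before enabling Windows ACLs on a Samba share on ext4.

Added example (not from the mailing-list thread or the Samba project):
  1. scan a kernel .config for the options the poster found unset
  2. probe a directory for extended-attribute support via the xattr API
"""
import errno
import os
import sys

# The two options quoted in the thread as "is not set".
REQUIRED_EXT4_OPTIONS = (
    "CONFIG_EXT4_FS_POSIX_ACL",
    "CONFIG_EXT4_FS_SECURITY",
)


def parse_kernel_config(text):
    """Return {option: value} from kernel .config text.

    '# CONFIG_FOO is not set' maps to None, so an absent option and an
    explicitly disabled one look the same to the caller.
    """
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# ") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = None
        elif line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts


def missing_acl_options(text, required=REQUIRED_EXT4_OPTIONS):
    """Names of required options that are unset, absent, or '=n'."""
    opts = parse_kernel_config(text)
    return [opt for opt in required if opts.get(opt) in (None, "n")]


def probe_xattr(path, name="user.samba_acl_probe"):
    """Write, read back and remove a user xattr on `path`.

    Returns 'ok', 'unsupported' (the same ENOTSUP the poster's getfattr
    reported) or 'error: <reason>'. The attribute name is a constructed
    placeholder; user.* is used because security.* needs root to read.
    """
    if not hasattr(os, "setxattr"):
        return "error: xattr API not available on this platform"
    try:
        os.setxattr(path, name, b"1")
        value = os.getxattr(path, name)
        os.removexattr(path, name)
        return "ok" if value == b"1" else "error: readback mismatch"
    except OSError as e:
        if e.errno in (errno.ENOTSUP, getattr(errno, "EOPNOTSUPP", errno.ENOTSUP)):
            return "unsupported"
        return "error: %s" % e.strerror


# Constructed excerpt mirroring the two lines quoted in the thread.
SAMPLE_CONFIG = """\
CONFIG_EXT4_FS=y
# CONFIG_EXT4_FS_POSIX_ACL is not set
# CONFIG_EXT4_FS_SECURITY is not set
"""

if __name__ == "__main__":
    # usage: acl_preflight.py [/path/to/.config] [/path/to/share/dir]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for opt in missing_acl_options(text):
        print("kernel: %s is not set" % opt)
    if len(sys.argv) > 2:
        print("xattr probe on %s: %s" % (sys.argv[2], probe_xattr(sys.argv[2])))
```

Run it with the running kernel's config (for example `/proc/config.gz` unpacked, or `/usr/src/linux/.config`) and the share's top directory; a clean result is no "is not set" lines and an "ok" from the probe. An "unsupported" probe after the rebuild usually means the filesystem was mounted without xattr/ACL support rather than a kernel problem, which is what the File_System_Support wiki tests also check.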
