[Samba] Windows ACLs on share
Stefan G. Weichinger
lists at xunil.at
Thu Jan 3 14:46:24 UTC 2019
Am 03.01.19 um 15:29 schrieb Rowland Penny via samba:
> On Thu, 3 Jan 2019 15:08:46 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>>
>> We are in the process of switching over shares from the old way of
>> doing this to Windows ACLs:
>>
>> disable "valid users" "write list" etc
>>
>> and set ACLs via Windows Explorer ...
>>
>> And I struggle.
>
> Are you following this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
yes
>> I am asking for a way to "start ACLs from scratch".
>>
>> I ran "setfacl -b -R" on the dir on the samba server and did a "chown
>> -R root:10513" to hand it to "domain users"
>
> That isn't using Windows ACLs
Sure. I just wanted to get things going by adjusting ... ok ok
>> in Windows Explorer we try to edit the Permissions in "Computer
>> Management" and get errors around writing to some "container" (I get
>> the msg in german, would have to google for english error msg)
>
> Please either post the message as is, or the google translation.
it is "Failed to enumerate objects in the container: Access is denied"
>> Could someone pls advise?
>>
>> Addon: a second share works fine with ACLs already, so samba itself
>> should be OK.
>>
>
> If it works on one share, it should work on all, perhaps posting
> smb.conf may help.
sure, sorry.
This is samba-4.8.6, DM server, gentoo. If important, I don't have
"samba-tool" binary, due to some gentoo specific issue ...
-
smb.conf, shortened and anonymized.
pls note the heading:
# cat /etc/samba/smb.conf
# Samba config file
# from sgw 2018/jun/15
# with help from Rowland
[global]
unix charset = iso8859-15
security = ads
realm = somecompany.INTRA
workgroup = somecompany
netbios aliases = u1somecompany
server string = U1somecompany
winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
uucp
obey pam restrictions = yes
interfaces = 192.168.100.4/24 127.0.0.1
bind interfaces only = Yes
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config somecompany : range = 10000-20000
idmap config somecompany : backend = rid
# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
unix extensions = no
follow symlinks= yes
wide links= yes
load printers = no
printcap name = /dev/null
acl allow execute always = True
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir write pwrite rename unlink \
chmod fchmod chown fchown ftruncate
full_audit:facility = local5
full_audit:priority = notice
[homes]
comment = Home Directories
#path = /mnt/MSA2040/smb/Homes/somecompany/%U
#path = /mnt/MSA2040/smb/Homes/somecompany/%S
valid users = %S
browseable = yes
read only = no
create mode = 0750
#directory mask = 0700
[projekte]
path = /mnt/MSA2040/smb/Projekte
read only = No
[QM]
path = /mnt/MSA2040/smb/QM
read only = No
--
observation, maybe important:
getfattr -n security.NTACL -d Projekte
# file: Projekte
security.NTACL=0sBAAEAAAAAgAEAAIAAQDPcJWX0PElycPlTWY5GQ2vHNASQZp1ahdwnxK9pPQOkQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsANqqf4Rco9QBQqh68tlziCDIPZBNBW5uQk5ZroNcgwq3+eRnXtIf9n0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJy0AAAAxAAAAAAAAADUAAAAAQIAAAAAABYBAAAAAAAAAAECAAAAAAAWAgAAAOkDAAACANAACAAAAAALFACpABIAAQEAAAAAAAEAAAAAAAAUAP8BHwABAQAAAAAAAQAAAAAAABgA/wEfAAECAAAAAAAWAQAAAAAAAAAAABgA/wEfAAECAAAAAAAWAgAAAOkDAAAACxQA/wEfAAEBAAAAAAADAAAAAAALFACpABIAAQEAAAAAAAMBAAAAAAMkAL8BEwABBQAAAAAABRUAAABsK0B5jZbdG/hJqYF0BQAAAAMkAKkAEgABBQAAAAAABRUAAABsK0B5jZbdG/hJqYF3BQAA
# getfattr -n security.NTACL -d QM/
QM/: security.NTACL: No such attribute
(share "projekte" works fine, share "QM" not)
More information about the samba
mailing list