[Samba] Windows ACLs on share

Stefan G. Weichinger lists at xunil.at
Thu Jan 3 14:46:24 UTC 2019


On 03.01.19 at 15:29, Rowland Penny via samba wrote:
> On Thu, 3 Jan 2019 15:08:46 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
>>
>> We are in the process of switching over shares from the old way of
>> doing this to Windows ACLs:
>>
>> disable "valid users" "write list" etc
>>
>> and set ACLs via Windows Explorer ...
>>
>> And I struggle.
> 
> Are you following this:
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

yes

>> I am asking for a way to "start ACLs from scratch".
>>
>> I ran "setfacl -b -R" on the dir on the samba server and did a "chown
>> -R root:10513" to hand it to "domain users"
> 
> That isn't using Windows ACLs

Sure. I just wanted to get things going by adjusting ... ok ok

>> in Windows Explorer we try to edit the Permissions in "Computer
>> Management" and get errors around writing to some "container" (I get
>> the msg in german, would have to google for english error msg)
> 
> Please either post the message as is, or the google translation.

it is "Failed to enumerate objects in the container: Access is denied"

>> Could someone pls advise?
>>
>> Addon: a second share works fine with ACLs already, so samba itself
>> should be OK.
>>
> 
> If it works on one share, it should work on all, perhaps posting
> smb.conf may help.

sure, sorry.

This is samba-4.8.6, DM server, gentoo. If important, I don't have
"samba-tool" binary, due to some gentoo specific issue ...

-

smb.conf, shortened and anonymized.
pls note the heading:

# cat /etc/samba/smb.conf
# Samba config file
# from sgw 2018/jun/15
# with help from Rowland

[global]
unix charset = iso8859-15

security = ads
realm = somecompany.INTRA
workgroup = somecompany

netbios aliases = u1somecompany
server string = U1somecompany

winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes

template homedir = /mnt/MSA2040/smb/Homes/%D/%U

restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
		uucp
obey pam restrictions = yes

interfaces = 192.168.100.4/24 127.0.0.1
bind interfaces only = Yes

idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config somecompany : range = 10000-20000
idmap config somecompany : backend = rid

# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes

unix extensions = no
follow symlinks= yes
wide links= yes

load printers = no
printcap name = /dev/null

acl allow execute always = True

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir write pwrite rename unlink \
		     chmod fchmod chown fchown ftruncate
full_audit:facility = local5
full_audit:priority = notice

[homes]
	comment = Home Directories
	#path = /mnt/MSA2040/smb/Homes/somecompany/%U
	#path = /mnt/MSA2040/smb/Homes/somecompany/%S
	valid users = %S
	browseable = yes
	read only = no
	create mode = 0750
	#directory mask = 0700

[projekte]
	path = /mnt/MSA2040/smb/Projekte
	read only = No

[QM]
	path = /mnt/MSA2040/smb/QM
	read only = No


--

observation, maybe important:

getfattr -n security.NTACL -d Projekte
# file: Projekte
security.NTACL=[base64 value omitted]

# getfattr -n security.NTACL -d QM/
QM/: security.NTACL: No such attribute


(share "projekte" works fine, share "QM" not)
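As an added example (not part of the thread and not Samba's own tooling): a small Python script that parses an smb.conf in the style posted above and reports (a) global parameters the Samba wiki page on Windows ACLs cited in the thread calls for (acl_xattr in vfs objects, map acl inherit, store dos attributes) that are missing or disabled, and (b) shares that still carry the old POSIX-style access parameters (valid users, write list, ...) the post says are being disabled. It also parses the `getfattr -n security.NTACL -d <dir>` output format shown above to list which share directories already carry a stored NT ACL. The sample config is constructed and adapted from the post; the leftover valid users / write list lines under [QM] and the base64 value in the getfattr sample are hypothetical placeholders.

```python
"""Check an smb.conf for the Windows-ACL share setup discussed in the thread.

Added example, not Samba's own tooling: audits global settings, flags shares
still using the old access-list parameters, and reads getfattr output.
"""
import re

# Constructed sample, adapted from the smb.conf in the post. The leftover
# "valid users" / "write list" lines under [QM] are hypothetical.
SAMPLE_SMB_CONF = """\
[global]
   security = ads
   realm = somecompany.INTRA
   workgroup = somecompany
   invalid users = root bin daemon adm sync shutdown halt mail news \\
                   uucp
   idmap config somecompany : backend = rid
   # For ACL support on domain member
   vfs objects = acl_xattr full_audit
   map acl inherit = Yes
   store dos attributes = Yes

[homes]
   comment = Home Directories
   valid users = %S
   read only = no

[projekte]
   path = /mnt/MSA2040/smb/Projekte
   read only = No

[QM]
   path = /mnt/MSA2040/smb/QM
   read only = No
   valid users = @"domain users"
   write list = @"domain users"
"""

# Constructed getfattr output in the format shown in the post; the base64
# value is a placeholder, not a real NT ACL.
SAMPLE_GETFATTR = """\
# file: Projekte
security.NTACL=0sPLACEHOLDER
QM/: security.NTACL: No such attribute
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}, keys lower-cased and whitespace-
    normalised; handles '#' / ';' comments and backslash line continuations."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):  # parameter continues on the next line
            pending = line[:-1] + " "
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


# Global parameters the Samba wiki's Windows-ACL share setup calls for.
REQUIRED_GLOBAL = {
    "vfs objects": lambda v: "acl_xattr" in v.split(),
    "map acl inherit": _is_yes,
    "store dos attributes": _is_yes,
}
# Per-share parameters of the old setup that Windows ACLs are meant to replace.
LEGACY_SHARE_KEYS = ("valid users", "write list", "read list",
                     "force user", "force group", "admin users")


def audit_windows_acl_setup(sections):
    """Return a list of human-readable findings (empty means nothing to fix)."""
    findings = []
    g = sections.get("global", {})
    for key, ok in REQUIRED_GLOBAL.items():
        if key not in g or not ok(g[key]):
            findings.append(f"[global]: '{key}' missing or not enabled for Windows ACLs")
    for name, params in sections.items():
        if name in ("global", "printers", "print$"):
            continue
        for key in LEGACY_SHARE_KEYS:
            if key in params:
                findings.append(f"[{name}]: still sets '{key} = {params[key]}'; "
                                "Windows ACLs are meant to replace it")
    return findings


def ntacl_status(getfattr_output):
    """Map each directory in getfattr output to whether security.NTACL is set."""
    status, last = {}, None
    for line in getfattr_output.splitlines():
        line = line.strip()
        m = re.match(r"^# file: (.+)$", line)
        if m:
            last = m.group(1)
            status[last] = False
        elif line.startswith("security.NTACL=") and last is not None:
            status[last] = True
        else:
            m = re.match(r"^(.+?): security\.NTACL: No such attribute$", line)
            if m:
                status[m.group(1)] = False
    return status


if __name__ == "__main__":
    for finding in audit_windows_acl_setup(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
    for path, present in ntacl_status(SAMPLE_GETFATTR).items():
        print(f"{path}: security.NTACL {'present' if present else 'MISSING'}")
```

Run against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())` and pipe `getfattr -n security.NTACL -d <dir>` output into `ntacl_status`. The [homes] share is flagged because of its `valid users = %S` line; that is the usual [homes] idiom and can be excluded from the check if the home shares are not being converted. A directory reported as MISSING has no stored NT ACL, which matches the observation above for the QM share that fails in Windows Explorer.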