[Samba] Windows ACLs on share
Rowland Penny
rpenny at samba.org
Thu Jan 3 15:19:39 UTC 2019
On Thu, 3 Jan 2019 15:46:24 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 03.01.19 at 15:29, Rowland Penny via samba wrote:
> > On Thu, 3 Jan 2019 15:08:46 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> >>
> >> We are in the process of switching over shares from the old way of
> >> doing this to Windows ACLs:
> >>
> >> disable "valid users" "write list" etc
> >>
> >> and set ACLs via Windows Explorer ...
> >>
> >> And I struggle.
> >
> > Are you following this:
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> yes
>
> >> I am asking for a way to "start ACLs from scratch".
> >>
> >> I ran "setfacl -b -R" on the dir on the samba server and did a
> >> "chown -R root:10513" to hand it to "domain users"
> >
> > That isn't using Windows ACLs
>
> Sure. I just wanted to get things going by adjusting ... ok ok
>
> >> In Windows Explorer we try to edit the Permissions in "Computer
> >> Management" and get errors around writing to some "container" (I
> >> get the msg in German, would have to google for the English error msg)
> >
> > Please either post the message as is, or the google translation.
>
> it is "Failed to enumerate objects in the container: Access is denied"
>
> >> Could someone pls advise?
> >>
> >> Addon: a second share works fine with ACLs already, so samba itself
> >> should be OK.
> >>
> >
> > If it works on one share, it should work on all, perhaps posting
> > smb.conf may help.
>
> sure, sorry.
>
> This is samba-4.8.6, DM server, Gentoo. If important, I don't have
> the "samba-tool" binary, due to some Gentoo-specific issue ...
>
> -
>
> smb.conf, shortened and anonymized.
> pls note the heading:
>
> # cat /etc/samba/smb.conf
> # Samba config file
> # from sgw 2018/jun/15
> # with help from Rowland
>
> [global]
> unix charset = iso8859-15
>
> security = ads
> realm = somecompany.INTRA
> workgroup = somecompany
>
> netbios aliases = u1somecompany
> server string = U1somecompany
>
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
>
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> invalid users = root bin daemon adm sync shutdown halt mail news \
> uucp
> obey pam restrictions = yes
>
> interfaces = 192.168.100.4/24 127.0.0.1
> bind interfaces only = Yes
>
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config somecompany : range = 10000-20000
> idmap config somecompany : backend = rid
>
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
>
> unix extensions = no
> follow symlinks= yes
> wide links= yes
>
> load printers = no
> printcap name = /dev/null
>
> acl allow execute always = True
>
> # Audit settings
> full_audit:prefix = %u|%I|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir write pwrite rename unlink \
> chmod fchmod chown fchown ftruncate
> full_audit:facility = local5
> full_audit:priority = notice
>
> [homes]
> comment = Home Directories
> #path = /mnt/MSA2040/smb/Homes/somecompany/%U
> #path = /mnt/MSA2040/smb/Homes/somecompany/%S
> valid users = %S
> browseable = yes
> read only = no
> create mode = 0750
> #directory mask = 0700
>
> [projekte]
> path = /mnt/MSA2040/smb/Projekte
> read only = No
>
> [QM]
> path = /mnt/MSA2040/smb/QM
> read only = No
>
>
> --
>
> observation, maybe important:
Oh, it's more than important, guess where the Windows ACLs are
stored ;-)
>
> getfattr -n security.NTACL -d Projekte
> # file: Projekte
> security.NTACL=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
>
> # getfattr -n security.NTACL -d QM/
> QM/: security.NTACL: No such attribute
>
>
> (share "projekte" works fine, share "QM" not)
Are they both using the same filesystem, ownership, etc.?
Rowland
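The check Rowland asks for at the end (same filesystem? same ownership? does the directory carry the security.NTACL xattr that vfs_acl_xattr writes?) can be done for every share in one pass. The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf the way the one posted above is laid out, looks up the path of each share, and reports device, owner, mode and NT ACL state per share. The parser, the function names and the anonymized sample config embedded for the self-test are assumptions of this example; it uses only the Python standard library and Linux's os.getxattr, and it must be run as root on the file server to read the security.* namespace reliably.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or from Samba): for each share in an
smb.conf, report whether its directory has Samba's NT ACL blob (the
security.NTACL xattr written by vfs acl_xattr), its owner/mode and which
device it lives on, so two shares that behave differently can be compared.
Linux only (os.getxattr).  Usage on the server:  python3 check_ntacl.py /etc/samba/smb.conf"""
import errno
import grp
import os
import pwd
import sys
import tempfile

NTACL_XATTR = b"security.NTACL"   # vfs_acl_xattr stores the Windows ACL here
ENODATA = getattr(errno, "ENODATA", 61)

# Constructed sample, anonymized like the config in the thread; {projekte}/{qm}
# are filled in with temporary directories by demo() below.
SAMPLE_SMB_CONF = """\
[global]
security = ads
realm = somecompany.INTRA
workgroup = somecompany
invalid users = root bin daemon adm sync shutdown halt mail news \\
uucp
# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
full_audit:prefix = %u|%I|%S
[homes]
valid users = %S
read only = no
[projekte]
path = {projekte}
read only = No
[QM]
path = {qm}
read only = No
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader (this example's own, not Samba's parser):
    [section] headers, 'key = value' lines, '#'/';' comments and backslash
    line continuations.  Returns {section: {lower-cased key: value}}."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                 # continuation: join with next line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip().lower()] = value.strip()
    return conf


def share_paths(conf):
    """Shares with an explicit 'path' ([homes] has none and is skipped)."""
    return {name: sect["path"] for name, sect in conf.items()
            if name.lower() != "global" and "path" in sect}


def ntacl_state(path):
    """'present' if the NT ACL xattr exists, 'absent' if the directory has none
    (getfattr's 'No such attribute'), 'unsupported' if the filesystem or platform
    cannot answer, 'unreadable' if we lack permission to read security.*."""
    if not hasattr(os, "getxattr"):
        return "unsupported"
    try:
        os.getxattr(path, NTACL_XATTR)
        return "present"
    except OSError as e:
        if e.errno == ENODATA:
            return "absent"
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "unreadable"
        raise


def owner_of(st):
    """uid:gid as names where the server can resolve them (winbind/rid ids may not)."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return f"{user}:{group}"


def report(conf):
    """Per-share summary: path, device, owner, POSIX mode and NT ACL state."""
    out = {}
    for share, path in share_paths(conf).items():
        st = os.stat(path)
        out[share] = {"path": path, "dev": st.st_dev, "owner": owner_of(st),
                      "mode": oct(st.st_mode & 0o7777), "ntacl": ntacl_state(path)}
    return out


def findings(conf, rep):
    """Observations of the kind the thread is after, as plain strings."""
    notes = []
    if "acl_xattr" not in conf.get("global", {}).get("vfs objects", "").split():
        notes.append("global: 'vfs objects' lacks acl_xattr; Windows ACLs will not be stored")
    if len({r["dev"] for r in rep.values()}) > 1:
        notes.append("shares are on different filesystems (st_dev differs): "
                     + ", ".join(f"{s}={r['dev']}" for s, r in rep.items()))
    for share, r in rep.items():
        if r["ntacl"] != "present":
            notes.append(f"[{share}] {r['path']}: security.NTACL {r['ntacl']}; no stored "
                         f"Windows ACL, only POSIX {r['owner']} {r['mode']} to fall back on")
    return notes


def demo():
    """Self-contained run on two fresh temp dirs (neither has an NT ACL yet)."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "Projekte"), os.path.join(tmp, "QM")
        os.mkdir(a)
        os.mkdir(b)
        conf = parse_smb_conf(SAMPLE_SMB_CONF.format(projekte=a, qm=b))
        rep = report(conf)
        return rep, findings(conf, rep)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        cfg = parse_smb_conf(open(sys.argv[1], encoding="utf-8", errors="replace").read())
        rep = report(cfg)
        for share, r in rep.items():
            print(f"[{share}] {r['path']} dev={r['dev']} {r['owner']} {r['mode']} NTACL={r['ntacl']}")
        for note in findings(cfg, rep):
            print("!", note)
    else:
        rep, notes = demo()
        print(rep)
        print("\n".join(notes))
```

Two shares on the same device with the same owner where only one has security.NTACL means the ACL blob was never written (or was wiped, for instance by recreating the directory), not that ACL support is broken server-wide; a share reporting "unsupported" points at a filesystem mounted without user/security xattr support, which is a different fix.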