[Samba] Windows ACLs on share

Rowland Penny rpenny at samba.org
Thu Jan 3 15:19:39 UTC 2019 

On Thu, 3 Jan 2019 15:46:24 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 03.01.19 um 15:29 schrieb Rowland Penny via samba:
> > On Thu, 3 Jan 2019 15:08:46 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> > 
> >>
> >> We are in the process of switching over shares from the old way of
> >> doing this to Windows ACLs:
> >>
> >> disable "valid users" "write list" etc
> >>
> >> and set ACLs via Windows Explorer ...
> >>
> >> And I struggle.
> > 
> > Are you following this:
> > 
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> yes
> 
> >> I am asking for a way to "start ACLs from scratch".
> >>
> >> I ran "setfacl -b -R" on the dir on the samba server and did a
> >> "chown -R root:10513" to hand it to "domain users"
> > 
> > That isn't using Windows ACLs
> 
> Sure. I just wanted to get things going by adjusting ... ok ok
> 
> >> in Windows Explorer we try to edit the Permissions in "Computer
> >> Management" and get errors around writing to some "container" (I
> >> get the msg in german, would have to google for english error msg)
> > 
> > Please either post the message as is, or the google translation.
> 
> it is "Failed to enumerate objects in the container: Access is denied"
> 
> >> Could someone pls advise?
> >>
> >> Addon: a second share works fine with ACLs already, so samba itself
> >> should be OK.
> >>
> > 
> > If it works on one share, it should work on all, perhaps posting
> > smb.conf may help.
> 
> sure, sorry.
> 
> This is samba-4.8.6, DM server, gentoo. If important, I don't have
> "samba-tool" binary, due to some gentoo specific issue ...
> 
> -
> 
> smb.conf, shortened and anonymized.
> pls note the heading:
> 
> # cat /etc/samba/smb.conf
> # Samba config file
> # from sgw 2018/jun/15
> # with help from Rowland
> 
> [global]
> unix charset = iso8859-15
> 
> security = ads
> realm = somecompany.INTRA
> workgroup = somecompany
> 
> netbios aliases = u1somecompany
> server string = U1somecompany
> 
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
> 
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> 
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> invalid users = root bin daemon adm sync shutdown halt mail news \
> 		uucp
> obey pam restrictions = yes
> 
> interfaces = 192.168.100.4/24 127.0.0.1
> bind interfaces only = Yes
> 
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config somecompany : range = 10000-20000
> idmap config somecompany : backend = rid
> 
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
> 
> unix extensions = no
> follow symlinks= yes
> wide links= yes
> 
> load printers = no
> printcap name = /dev/null
> 
> acl allow execute always = True
> 
> # Audit settings
> full_audit:prefix = %u|%I|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir write pwrite rename unlink \
> 		     chmod fchmod chown fchown ftruncate
> full_audit:facility = local5
> full_audit:priority = notice
> 
> [homes]
> 	comment = Home Directories
> 	#path = /mnt/MSA2040/smb/Homes/somecompany/%U
> 	#path = /mnt/MSA2040/smb/Homes/somecompany/%S
> 	valid users = %S
> 	browseable = yes
> 	read only = no
> 	create mode = 0750
> 	#directory mask = 0700
> 
> [projekte]
> 	path = /mnt/MSA2040/smb/Projekte
> 	read only = No
> 
> [QM]
> 	path = /mnt/MSA2040/smb/QM
> 	read only = No
> 
> 
> --
> 
> observation, maybe important:

Oh, it's more than important, guess where the Windows ACLs are
stored ;-)

> 
> getfattr -n security.NTACL -d Projekte
> # file: Projekte
> security.NTACL=0sBAAEAAAAAgAEAAIAAQDPcJWX0PElycPlTWY5GQ2vHNASQZp1ahdwnxK9pPQOkQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsANqqf4Rco9QBQqh68tlziCDIPZBNBW5uQk5ZroNcgwq3+eRnXtIf9n0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJy0AAAAxAAAAAAAAADUAAAAAQIAAAAAABYBAAAAAAAAAAECAAAAAAAWAgAAAOkDAAACANAACAAAAAALFACpABIAAQEAAAAAAAEAAAAAAAAUAP8BHwABAQAAAAAAAQAAAAAAABgA/wEfAAECAAAAAAAWAQAAAAAAAAAAABgA/wEfAAECAAAAAAAWAgAAAOkDAAAACxQA/wEfAAEBAAAAAAADAAAAAAALFACpABIAAQEAAAAAAAMBAAAAAAMkAL8BEwABBQAAAAAABRUAAABsK0B5jZbdG/hJqYF0BQAAAAMkAKkAEgABBQAAAAAABRUAAABsK0B5jZbdG/hJqYF3BQAA
> 
> # getfattr -n security.NTACL -d QM/
> QM/: security.NTACL: No such attribute
> 
> 
> (share "projekte" works fine, share "QM" not)

are they both using the same filesystem, ownership etc ?

Rowland

More information about the samba mailing list