[Samba] Is it possible to 'getfacl' on a mounted samba share ?

Nicola Mingotti nmingotti at gmail.com
Mon Jan 25 09:00:40 UTC 2021 

Hi Rowland,

Still it is not working but I can give you some extra info.

. Installed packages
p at linte> dpkg -l | grep 'acl\|attr' | awk '{print $1,$2," ",$3}'
ii acl      2.2.53-4
ii attr      1:2.4.48-4
ii fonts-quicksand      0.2016-2
ii libacl1:amd64      2.2.53-4
ii libattr1:amd64      1:2.4.48-4
ii python3-xattr      0.9.6-1
ii spice-client-glib-usb-acl-helper      0.35-2
ii xattr      0.9.6-1
=> This is a superset of what i see in machine 'nas' so i guess it 
should be fine.

. Do I see the '+' in 'ls' ? No
p at linte> ls -l /mnt/discoR/Borghi/ | head -n 3
total 1024
drwxr-xr-x 2 root root      0 Oct  5 14:49 Applicativi
drwxr-xr-x 2 root root      0 Dec  7 16:05 Archivio

. The same applies if I do it through a domain user:
WINDOM\nicola at linte> ls -l /mnt/discoR/Borghi/ | head -n 3
total 1024
drwxr-xr-x 2 root root      0 Oct  5 14:49 Applicativi
drwxr-xr-x 2 root root      0 Dec  7 16:05 Archivio

. But I see the '+' from the machine 'nas'
p at nas> ls -l /mnt/sambaShared/sambaDisk/DiscoS/Borghi/ | head -n 3
total 252
drwxrwx---+  7 root adm    4096 Oct  5 14:49 Applicativi
drwxrwx---+ 10 root adm    4096 Dec  7 16:05 Archivio

. I can see the '+' in 'linte' if i define my self a permission there
   also, in that case 'getfacl' works as expected.
p at linte> cd .
p at linte> touch test.txt
p at linte> sudo groupadd testgroup
p at linte> setfacl -m g:testgroup:000 test.txt
p at linte> ls -l | grep test.txt
-rw-r--r--+ 1 p p    0 Jan 25 09:44 test.txt
p at linte> getfacl test.txt
# file: test.txt
# owner: p
# group: p
user::rw-
group::r--
group:testgroup:---
mask::r--
other::r--

. I tried to toggle several parameters in /etc/fstab without success:
------- /etc/fstab --------------
# / was on /dev/vda1 during installation
UUID=5b450ed1-2951-4a2c-b444-22dc1509a275 / ext4    
user_xattr,acl,errors=remount-ro 0       1
...
# mount disco R
//nas.borghi.lan/sambaDisk/DiscoS/    /mnt/discoR   cifs 
cifsacl,credentials=/usr/local/etc/discoR.credentials    0    0
---------------------------------

. For completeness i add the Samba configuration of 'linte' which
   is there just to let 'linte' join the Windows domain at the moment.
---------------- /etc/samba/smb.conf -----------------------------------
[global]
    workgroup = WINDOM
    security = ADS
    realm = WINDOM.BORGHI.LAN

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # ho un solo dominio, quindi mi conviene non dover digitare sempre
    # user invece di "WINDOM\user"
    # winbind use default domain = yes

    # rimuovere dopo il testing
    winbind enum users = yes
    winbind enum groups = yes

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logs
    log file = /var/log/samba/%m.log
    log level = 1

    # ---- ID mapping backend rid -------
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/WINDOM-%U

    # mappare "Administrator" a "root"
    username map = /usr/local/samba/etc/user.map

# directory che funge da disco in condivisione
# ok- this is working !
# [sambaDisk]
#       path = /home/WINDOM-nicola/testSamba
#       read only = no
#       vfs objects = shadow_copy2
#       shadow:snapdir = /home/WINDOM-nicola/snapshots
#       shadow:basedir = /home/WINDOM-nicola/testSamba
#       shadow:sort = desc


# [sambaDisk]
#       path = /home/WINDOM-nicola/testSamba
#       read only = no
#       vfs objects = shadow_copy2
#       shadow:mountpoint = /home/WINDOM-nicola/testSamba
#       # richiesto relative se si usa 'snapdirseverywhere'
#       shadow:snapdir = snapshots
#       # shadow:snapdir = /home/WINDOM-nicola/testSamba/snapshots
#       # shadow:basedir = toSnap
#       shadow:sort = desc
#       # shadow:localtime = yes
#       # shadow:format = '%Y.%m.%d-%H.%M.%S'
#       shadow:snapdirseverywhere = yes

------------------------------------------------------------------------


Do you have any other ideas ?

Thank you for your help in any case !

bye
Nicola




On 1/24/21 7:47 PM, Rowland penny via samba wrote:
> On 24/01/2021 18:26, Nicola Mingotti wrote:
>>
>> Thank you for your feedback Rowland.
>>
>> I tried as you suggest, both parameters are now in  [global] and I 
>> removed them from [sambaDisk].
>> Rebooted all machines a few times but unfortunately still it does not 
>> want to work.
>
>
> If you run:
>
> ls -lad /mnt/sambaShared/sambaDisk/DiscoS/Borghi
>
> and:
>
> ls -lad /mnt/discoR/Borghi
>
> Do you get a '+' sign after the Unix permissions ?
>
> e.g. ls -lad /srv/www/htdocs/testshare
>
> drwxrwx---+ 2 root domain users 4096 Oct 28  2019 
> /srv/www/htdocs/testshare
>
>  I am assuming 'Borghi' is a directory.
>
> Are both the acl and attr packages installed ?
>
> Rowland
>
>
>
>
>

More information about the samba mailing list