[Samba] simple permission scheme messed up with unwanted ACLs - how to fix?

Patrick Goetz pgoetz at math.utexas.edu
Fri Feb 11 22:21:53 UTC 2022

On 2/11/22 07:29, Valentijn Sessink via samba wrote:
> Hi Patrick,
> Thanks for your answer.
> On 10-02-2022 23:35, Patrick Goetz via samba wrote:
>> This is an aside, but unless you're running a domain controller it's 
>> not clear why you're using Samba at all if you don't have any Windows 
>> machines. It's easier to use NFS for a linux/Mac environment.
> Actually, that's how it used to be: the linux machines had their /home 
> mounted on the server with NFS4, with Kerberos authentication and all. 
> But NFS has its own problems - my guess is that it was too complicated 
> to get the Macs to connect to NFS, or that the user level security was a 
> problem, or the need to keep local userIDs in sync - I'm not sure, it's 
> a long time ago. I don't think we even tried to set up NFS4/Kerberos 
> authentication on any Mac.

As far as I know, Mac does not support NFSv4, which is likely why you 
stopped using NFS; you would need to stick to NFSv3, which is probably 
not what you want. Apple has been uninterested in making their platform 
work properly in an enterprise setting for quite some time.

An interesting off-topic point is that recently Apple inexplicably made it 
easier for the team trying to port linux to the M1 platform; i.e. made 
some changes which would only benefit the linux porters.  The 
speculation is they're thinking about making another run at 
client-server computing (or at least populating their own data centers with M1 
rackmount equipment) and will likely want to run linux on these 
machines, so are quietly making it easier for this to happen without 
expending any engineering dollars themselves.  It is, after all, a poor 
company with limited resources. <:)

> And as most OSs have password managers 
> built-in now, the great advantage of Kerberos for single sign-on (which 
> to end users just means "not having to remember any extra passwords") 
> has greatly diminished, IMHO.

One could argue the need for directory services is greatly diminished by 
the existence of Ansible, too.

>>      ea support = no
>> applies to attributes (not ACLs) and consequently won't help you, 
> Thanks. (It probably shows how confused I was ;-)
>> Are you using extended ACLs on your file server?
> They are there, but I'm not using any.
> [...]
> Thanks for your explanation - helped to see things in perspective and I 
> guess I'm fine with the current settings for now.
> Regarding my problem:
>> If that's insufficient, provide us with an example of what you're 
>> talking about in addition to the [global] section of your smb.conf file.
> ... A few hours after my post, I found yet another ACL option, namely 
> "fruit:nfs_aces". I set this to "no" and since then, no more ACLs have 
> been added to any files. So my guess is that vfs_fruit was the culprit: 
> "A global option whether support for querying and modifying the UNIX 
> mode of directory entries via NFS ACEs is enabled, default yes."
> I still don't know why these Apple computers were changing ACLs anyway. 
> But I guess that's a question for an Apple forum, not this list ;-)
> Best regards,
> Valentijn
