[Samba] Windows ACLs
Peter Carlson
peter at howudodat.com
Mon Oct 3 17:43:23 UTC 2022
PreScript: I am willing to purchase support if that is an option
> You should also be aware that synology uses its own version of Samba,
> so something of theirs could be getting in the way, this is just a
> possibility.
Noted - just a point of clarification, the Synology is only serving AD,
the file server is Ubuntu
> I suggest you read the wiki page again and follow it to the letter.
ok, I spun up a new server for testing, should have done that
before...that gives us a clean place to start. So following the wiki
step by step (error appears in step 7 and a snip of it is here:
https://snipboard.io/3dlDyi.jpg ):
1) Preparing the Host - host is joined to the domain
root@filesvr2:/data# getent passwd SDCP\\peter
SDCP\peter:*:2001105:2000512::/home/peter@SDCP:/bin/bash
2) File System Support - all requirements met
ext4 with the appropriate options
root@filesvr2:/data# grep EXT4 /boot/config-`uname -r`
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
acl, attr and xattr installed
root@filesvr2:/data# apt search attr | grep -i installed
attr/jammy,now 1:2.5.1-1build1 amd64 [installed,automatic]
root@filesvr2:/data# apt search acl | grep -i installed
acl/jammy,now 2.3.1-1 amd64 [installed]
root@filesvr2:/data# apt search xattr | grep -i install
xattr/jammy,now 0.9.7-1build4 amd64 [installed]
3) Samba has extended ACL support
root@filesvr2:/data# smbd -b | grep HAVE_LIBACL
HAVE_LIBACL
4) Enabled Extended ACL
see smb.conf below
5) Granting the SeDiskOperatorPrivilege Privilege
root@filesvr2:/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "SDCP\administrator"
Password for [SDCP\administrator]:
SeDiskOperatorPrivilege:
SDCP\Linux Admins
BUILTIN\Administrators
6) Added the share and set ownership as shown
root@filesvr2:/data# mkdir test
root@filesvr2:/data# chown root:"SDCP\Linux Admins" test
root@filesvr2:/data# chmod 0770 test
root@filesvr2:/data# ls -l
total 4
drwxrwx--- 2 root SDCP\linux admins 4096 Oct 3 17:04 test
7) Switch to Windows and connect via Computer Management
shares/Test has Share Permissions of Everyone = Full Control,
Change, Read
_*Security Tab, Linux Admins has no permissions set at all. I try to
select them and get Access Denied*_
getfacl shows rwx for user and group:
root@filesvr2:/data# getfacl test
# file: test
# owner: root
# group: SDCP\\linux\040admins
user::rwx
group::rwx
other::---
root@filesvr2:/data# xattr -p security.NTACL test
No such xattr: security.NTACL
root@filesvr2:/data# xattr test
smb.conf:
root@filesvr2:/data# cat /etc/samba/smb.conf
[global]
workgroup = SDCP
kerberos method = secrets and keytab
realm = SA*****NT.LOCAL
template shell = /bin/bash
security = ads
idmap config SDCP : range = 2000000-2999999
idmap config SDCP : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind refresh tickets = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = yes
[Test]
path = /data/test
comment = test
read only = no
acl_xattr:ignore system acls = yes
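
Added example, not part of the original post: a small Python parser for the getfacl output and xattr listing quoted in step 7. It undoes getfacl's `\040` and `\\` escaping in names and reports whether the directory carries only the mode-bit ACL and whether a security.NTACL attribute is present. The function names are hypothetical and the sample input is copied from the post.

```python
import re

# Constructed input: the getfacl and xattr output quoted in the post above.
GETFACL_TEXT = r"""# file: test
# owner: root
# group: SDCP\\linux\040admins
user::rwx
group::rwx
other::---
"""
XATTR_NAMES = []  # `xattr test` listed nothing

def unescape(name):
    # getfacl writes a space as \040 (octal) and a backslash as \\
    return re.sub(r"\\([0-7]{3}|\\)",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)

def parse_getfacl(text):
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() in ("file", "owner", "group"):
                acl[key.strip()] = unescape(value.strip())
        elif line:
            line = line.split("#", 1)[0].strip()      # drop "#effective:" notes
            default = line.startswith("default:")
            tag, rest = line[8 if default else 0:].split(":", 1)
            qualifier, perms = rest.rsplit(":", 1)
            acl["entries"].append((default, tag, unescape(qualifier), perms))
    return acl

def summarize(acl, xattr_names):
    base = {t: p for d, t, q, p in acl["entries"] if not d and not q}
    minimal = len(acl["entries"]) == 3 and set(base) == {"user", "group", "other"}
    mode = None
    if minimal:  # only the three base entries: the ACL is just the mode bits
        bits = "".join(base[t] for t in ("user", "group", "other"))
        mode = "%04o" % int("".join("0" if c == "-" else "1" for c in bits), 2)
    return {"group": acl["group"], "posix_acl_is_mode_only": minimal,
            "mode": mode, "nt_acl_stored": "security.NTACL" in xattr_names}

if __name__ == "__main__":
    print(summarize(parse_getfacl(GETFACL_TEXT), XATTR_NAMES))
```

For the output in the post this reports the group as SDCP\linux admins, a mode-only POSIX ACL equal to the 0770 set in step 6, and no stored security.NTACL attribute.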