[Samba] Windows ACLs

Rowland Penny rpenny at samba.org
Mon Oct 3 18:11:52 UTC 2022



On 03/10/2022 18:43, Peter Carlson via samba wrote:
> PreScript: I am willing to purchase support if that is an option
> 
> 
>> You should also be aware that synology uses its own version of Samba, 
>> so something of theirs could be getting in the way, this is just a 
>> possibility.
> 
> noted - just a point of clarification, the Synology is only serving AD, 
> the file server is Ubuntu
> 
> 
>> I suggest you read the wiki page again and follow it to the letter.
> 
> OK, I spun up a new server for testing; I should have done that 
> before. That gives us a clean place to start. So, following the wiki 
> step by step (the error appears in step 7 and a snip of it is here: 
> https://snipboard.io/3dlDyi.jpg):
> 
> 1) Preparing the Host - host is joined to the domain
>      root@filesvr2:/data# getent passwd SDCP\\peter
>      SDCP\peter:*:2001105:2000512::/home/peter@SDCP:/bin/bash
> 
> 2) File System Support - all requirements met
>      ext4 with the appropriate options
>          root@filesvr2:/data# grep EXT4 /boot/config-`uname -r`
>          CONFIG_EXT4_FS_POSIX_ACL=y
>          CONFIG_EXT4_FS_SECURITY=y
>      acl, attr and xattr installed
>          root@filesvr2:/data# apt search attr | grep -i installed
>          attr/jammy,now 1:2.5.1-1build1 amd64 [installed,automatic]
> 
>          root@filesvr2:/data# apt search acl | grep -i installed
>          acl/jammy,now 2.3.1-1 amd64 [installed]
> 
>          root@filesvr2:/data# apt search xattr | grep -i install
>          xattr/jammy,now 0.9.7-1build4 amd64 [installed]
> 
> 3) Samba has extended ACL support
>      root@filesvr2:/data# smbd -b | grep HAVE_LIBACL
>         HAVE_LIBACL
> 
> 4) Enabled Extended ACL
>      see smb.conf below
> 
> 5) Granting the SeDiskOperatorPrivilege Privilege
>      root@filesvr2:/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "SDCP\administrator"
>      Password for [SDCP\administrator]:
>      SeDiskOperatorPrivilege:
>        SDCP\Linux Admins
>        BUILTIN\Administrators
> 
> 6) Added the share and set ownership as shown
>      root@filesvr2:/data# mkdir test
>      root@filesvr2:/data# chown root:"SDCP\Linux Admins" test
>      root@filesvr2:/data# chmod 0770 test
>      root@filesvr2:/data# ls -l
>      total 4
>      drwxrwx--- 2 root SDCP\linux admins 4096 Oct  3 17:04 test
> 
> 7) Switch to Windows and connect via Computer Management
>      shares/Test has Share Permissions of Everyone = Full Control, Change, Read
>      Security Tab: Linux Admins has no permissions set at all. I try to select them and get Access Denied.
>      getfacl shows rwx for user and group:
>      root@filesvr2:/data# getfacl test
>          # file: test
>          # owner: root
>          # group: SDCP\\linux\040admins
>          user::rwx
>          group::rwx
>          other::---
> 
>      root@filesvr2:/data# xattr -p security.NTACL test
>      No such xattr: security.NTACL
>      root@filesvr2:/data# xattr test
> 
> smb.conf:
> root@filesvr2:/data# cat /etc/samba/smb.conf
> [global]
> workgroup = SDCP
> kerberos method = secrets and keytab
> realm = SA*****NT.LOCAL
> template shell = /bin/bash
> 
> security = ads
> idmap config SDCP : range = 2000000-2999999
> idmap config SDCP : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
> winbind refresh tickets = yes
> winbind offline logon = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> 
> [Test]
>      path = /data/test
>      comment = test
>      read only = no
>      acl_xattr:ignore system acls = yes
> 

Remember what I said about 'acl_xattr:ignore system acls = yes'? Well, I 
think this could be the problem; it is a bit of a chicken-and-egg problem. 
Until you set the permissions from Windows, it is likely that there are 
no Windows permissions, and because you have set the above line, you 
cannot get permission to set them. So try removing the 'acl_xattr:ignore 
system acls = yes' line and try again.

Rowland
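As an added illustration (not part of this reply, and not Samba's own tooling): a POSIX shell script that lists the shares in an smb.conf which rely only on the Windows ACL stored in the security.NTACL xattr, i.e. shares with vfs_acl_xattr loaded and 'acl_xattr:ignore system acls = yes' in effect, and then checks whether that xattr actually exists on each share root. The smb.conf text is a constructed sample modelled on the one quoted above; the xattr check assumes getfattr from the attr package and a run on the file server itself.

```shell
# Constructed sample smb.conf modelled on the one quoted in the thread.
SAMPLE_SMB_CONF='[global]
vfs objects = acl_xattr

[Test]
     path = /data/test
     read only = no
     acl_xattr:ignore system acls = yes

[Public]
     path = /data/public
'
# Read smb.conf on stdin; print "share<TAB>path" for each share whose effective
# settings (share section, else [global]) load vfs_acl_xattr with "ignore system
# acls = yes": such a share honours only the NT ACL blob held in the
# security.NTACL xattr, never the POSIX ACL that getfacl shows.
shares_ignoring_system_acls() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); sec = tolower($0); name[sec] = $0; next }
        /=/ {
            n = index($0, "="); key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); gsub(/[ \t]+/, " ", key)
            if (key == "acl_xattr:ignore system acls") ign[sec] = tolower(val)
            else if (key == "vfs objects") vfs[sec] = tolower(val)
            else if (key == "path") path[sec] = val
        }
        END {
            for (s in path) {
                i = (s in ign) ? ign[s] : ign["global"]
                v = (s in vfs) ? vfs[s] : vfs["global"]
                if ((i == "yes" || i == "true" || i == "1") && index(v, "acl_xattr"))
                    printf "%s\t%s\n", name[s], path[s]
            }
        }'
}
# True when the Windows ACL blob exists on a path (assumes getfattr from the
# "attr" package, run on the file server itself).
ntacl_present() {
    getfattr --absolute-names --only-values -n security.NTACL "$1" >/dev/null 2>&1
}
# Report each such share; no blob means no Windows permissions exist yet (the chicken-and-egg state).
check_shares() {
    shares_ignoring_system_acls < "$1" | while IFS="$(printf '\t')" read -r share dir; do
        if ntacl_present "$dir"; then echo "[$share] $dir: security.NTACL present"
        else echo "[$share] $dir: no security.NTACL; set ACLs from Windows first or drop the ignore line"; fi
    done
}
```

On the file server, `check_shares /etc/samba/smb.conf` reports each affected share.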