[Samba] Samba share not quite working on Domain Controller

Mark Foley mfoley at novatec-inc.com
Wed Dec 20 20:48:43 UTC 2023


On Dec 18 03:22:32 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sun, 17 Dec 2023 20:16:23 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > on Sun Dec 17 12:15:28 2023 Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sun, 17 Dec 2023 11:50:18 -0500
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > 
> > > > [deleted]
> > > > 
> > > > One thing I'm wondering about, that wiki has instructions to
> > > > "Enable Extended ACL Support on a Unix domain member" as follows:
> > > > 
> > > >   "Ideally you have a system that supports NFS4 ACLs. The
> > > > following example is for systems like Linux, where you don't have
> > > > those kind of ACLs. To configure shares using extended access
> > > > control lists (ACL) on a Unix domain member, you must enable the
> > > > support in the smb.conf file. To enable extended ACL support
> > > > globally, add the following settings to the [global] section of
> > > > your smb.conf file:"
> > > > 
> > > > I do have a "system that supports NFS4 ACLs" 
> > >
> > > What filesystem is that ?
> > 
> > ext4: 
> > 
> > # tune2fs -l /dev/sda3 | grep attr
> > Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum
> > Default mount options:    user_xattr acl
> > 
> > I believe this means I'm good with NFS4 ACLs. If not, please advise.
> > Doing 'getfacl /redirectedFolders/Users/' does seem to give me the
> > "User > Properties > Security" settings I've set up.
> > 
> > > As far as I am aware, it is only freebsd and freebsd based distros
> > > that have NFS4 acls as standard.
> > >
> > > > so I suppose that means
> > > > I don't have to add the listed settings to smb.conf? The
> > > > instruction say, "To configure shares using ... (ACL) on a Unix
> > > > domain member, you must enable the support in the smb.conf file."
> > > > I'm assuming that "MUST" admonition applies only if you don't
> > > > have a system that supports NFS4 ACLs (but could the Linux system
> > > > even work at all without this support?).
> > >
> > > If you run Samba as a Unix domain member on Linux, then, unless
> > > someone can point out the filesystem with NFS4 ACLS, you need
> > > vfs_acl_xattr
> > >
> > > > 
> > > > Also, if one were to add these lines to smb.conf, would that be to
> > > > the domain member, domain controller, both? My guess would be to
> > > > the domain member only.
> > >
> > > It is built into a DC, so only a Unix domain member.
> > >
> > > Rowland
> > 
> > Cool, so if my Linux/Slackware file system has xattr, I'm good,
> > right?
> > 
> > 
>
> If, on an ext4 filesystem, you add 'vfs objects = acl_xattr' to your
> smb.conf, then Samba will use EA's to store the extended attributes.
> These extended attributes are not NFS4 ACLS and they are used by
> default on Samba AD DCs, so please do not add the 'vfs objects' line to
> a DC without ensuring it lists both of the default options.
>
> Rowland

I'm following up on this because I'm not sure I understand. tune2fs on the DC
shows, ext_attr; Default mount options: user_xattr, acl, although fstab does not
have 'acl' as an option.

So should I add to my DC smb.conf (per
wiki https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)?

vfs objects = acl_xattr
map acl inherit = yes
# the next line is only required on Samba versions less than 4.9.0
store dos attributes = yes

From the preceding comments, I think this is NOT for the DC.

When I add a Linux domain member, I do/do-not need to add these to the domain
member's smb.conf? What goes wrong if I don't? If I do add these lines, do I also
have to add 'acl' as a fstab mount option?

Thanks --Mark
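
An added example, not part of the thread and not Samba's own code: a small smb.conf check for the point Rowland makes above, that a 'vfs objects' line on a DC replaces the built-in defaults, while a Unix domain member needs acl_xattr set explicitly. The module names dfs_samba4 and acl_xattr as the DC defaults, the role spellings, and all function and sample names are assumptions taken from Samba's documentation or made up for illustration.

```python
import configparser

# Assumption (Samba documentation, not this thread): the two modules an AD DC
# loads by default, and the accepted spellings of the DC server role.
DC_DEFAULT_VFS = {"dfs_samba4", "acl_xattr"}
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def parse_smb_conf(text):
    """Parse smb.conf text; parameter names ignore case and spaces, as in Samba."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True,
                                   comment_prefixes=("#", ";"))
    cp.optionxform = lambda key: "".join(key.lower().split())
    # Strip indentation so configparser does not read it as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def audit_vfs_objects(text):
    """Return (is_dc, {section: [modules missing from 'vfs objects']})."""
    cp = parse_smb_conf(text)
    glob = next((s for s in cp.sections() if s.lower() == "global"), None)
    role = (cp[glob].get("serverrole") or "") if glob else ""
    is_dc = role.strip().lower() in DC_ROLES
    required = DC_DEFAULT_VFS if is_dc else {"acl_xattr"}
    problems = {}
    for name in cp.sections():
        raw = cp[name].get("vfsobjects")
        if raw is None:
            # Unset is fine on a DC (built-in defaults apply) and in a share
            # (it inherits [global]); on a member, unset in [global] is a gap.
            if is_dc or name != glob:
                continue
            raw = ""
        missing = sorted(required - set(raw.split()))
        if missing:
            problems[name] = missing
    return is_dc, problems

# Constructed sample: a DC where the wiki's member-server line was pasted in.
DC_WITH_MEMBER_LINE = """
[global]
    server role = active directory domain controller
    vfs objects = acl_xattr
    map acl inherit = yes
"""

if __name__ == "__main__":
    print(audit_vfs_objects(DC_WITH_MEMBER_LINE))
```

The check reads only the file text; `testparm` on the host remains the authority for what Samba actually loads.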
