[Samba] Samba share not quite working on Domain Controller

Mark Foley mfoley at novatec-inc.com
Thu Dec 21 06:29:18 UTC 2023


On Wed Dec 20 18:04:53 2023 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> on Wed Dec 20 16:32:40 2023 Rowland Penny via samba <samba at lists.samba.org>
> >
> > On Wed, 20 Dec 2023 15:48:43 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > I'm following up on this because I'm not sure I understand. tune2fs
> > > on the DC shows, ext_attr; Default mount options: user_xattr, acl,
> > > although fstab does not have 'acl' as an option.
> > > 
> > > So should I add to my DC smb.conf (per
> > > wiki
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)?
> > > 
> > > vfs objects = acl_xattr
> > > map acl inherit = yes
> > > # the next line is only required on Samba versions less than 4.9.0
> > > store dos attributes = yes
> > > 
> > > From the preceding comments, I think this is NOT for the DC.
> >
> > Well, if you read the big orange box under your wiki page extract, you
> > will find this:
> >
> > On a Samba Active Directory (AD) domain controller (DC), extended ACL
> > support is automatically enabled globally. You must not enable the
> > support manually.
>
> As I suspected, but I wanted to be sure. One can't be too careful setting up
> these DCs! As I said in another post, "sorry to be an idiot".
>
> > Also, your extract is under the heading:
> >
> > Enable Extended ACL Support on a Unix domain member
> >
> > So what do you think ???
> >
> > > 
> > > When I add a Linux domain member, I do/do-not need to add these to
> > > the domain member's smb.conf?
> >
> > If you want to use extended ACLs, then you need to add them.
>
> At the risk of continuing to beat this long-dead horse. Why would I want to use
> "extended ACL"? What do they buy me over "Unix Standard acls"? Your comment
> below parenthesises "(ugo)" which I take to mean the user-group-other rwx
> settings on plain vanilla Unix. The "extended ACLs", I presume, are designated
> by the '+', viewable with getfacl, as in:
>
> drwxrwx---+  6 BUILTIN\administrators users 4096 2019-11-12 18:11 Administrator
>           ^
>
> So, in your opinion, is there any reason I would need these on a Linux domain
> member? If not, I'd rather not mess with something unnecessary/extra. If my
> linux member hosts a Samba share for Windows users to map, would that
> necessitate using the extended ACLs?
>
> I know I can set extended ACLs for my own unix purposes to give special
> permissions to certain users. I'm asking here if there is a need/benefit with
> respect to a Domain Member, or samba share specifically. If not, I'll forget
> about it.
>
> Thanks --Mark
>
> > > What goes wrong if I don't?
> >
> > You can only use the Unix standard acls (ugo).
> >
> > > If I do add
> > > these lines, do I also have to add 'acl' as a fstab mount option?
> >
> > No, 'acl' is one of the ext4 default options.
> >
> > Rowland

No need to respond to this message. After giving it some thought I think I will
want to have extended attributes on the Linux domain members, so I'll go ahead
and configure the 'vfs objects = acl_xattr' lines in the members' smb.conf.

Thanks --Mark
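
The rule this thread settles (the three wiki lines belong in a domain member's smb.conf, never in a DC's) can be checked mechanically. The following is an added example, not part of the original message or of Samba itself; the function names and sample configs are constructed, and it assumes the settings live in [global] and that a DC is identified by the exact `server role` value shown.

```python
import re

# Constructed sample configs for the demo (not taken from the thread).
DC_CONF = """[global]
    server role = active directory domain controller
    VFS Objects = acl_xattr
    map acl inherit = yes
"""
MEMBER_CONF = """[global]
    server role = member server
    ; vfs objects = acl_xattr
[data]
    path = /srv/samba/data
"""
ACL_PARAMS = ("vfs objects", "map acl inherit", "store dos attributes")

def norm(name):
    # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm(name)] = value.strip()
    return params

def check_acl_settings(text):
    """Return findings for the DC/member rule discussed in the thread."""
    g = parse_global(text)
    # Assumption: a DC is recognised by this exact 'server role' value.
    is_dc = g.get("serverrole", "").lower() == "active directory domain controller"
    if is_dc:
        return [f"DC: remove manual '{p}' (extended ACL support is automatic)"
                for p in ACL_PARAMS if norm(p) in g]
    modules = re.split(r"[\s,]+", g.get("vfsobjects", ""))
    if "acl_xattr" not in modules:
        return ["member: no acl_xattr in 'vfs objects'; only Unix ugo permissions apply"]
    if g.get("mapaclinherit", "").lower() not in ("yes", "true", "on", "1"):
        return ["member: acl_xattr set but 'map acl inherit = yes' is missing"]
    return []

if __name__ == "__main__":
    for label, conf in (("DC", DC_CONF), ("member", MEMBER_CONF)):
        print(label, check_acl_settings(conf))
```
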