[Samba] Fwd: Can Samba just store ACL information (without interpreting it) without AD?
steffen.dettmer+samba at gmail.com
Thu Jan 12 13:54:40 UTC 2023
I read several articles on the internet, but I fail to understand how
ACL storage technically works. Of course in almost any case, ACL
should not only be stored but also evaluated, and for this the Samba
server needs to be a member of the AD domain. I think I understand
this, but I have a different use case. I hope someone can help and
possibly has a link or such.
I have a samba instance solely for backups, and there is no need to
interpret any ACL. Of course, for security reasons, I do not want a
backup server in AD. There is no access from the file system either.
No ordinary account shall work, only host-specific access accounts
shall be allowed to connect (I created them with smbpasswd). Samba
should just keep the ACL information, but in no way interpret it. A
possible restore would be done through the network, so Samba should
"return" the previously stored ACL/security information. To allow
simple file-based incremental backups, no archive format is used (but
Is this possible? Is it possible to configure a Samba server capable
of storing ACLs lossless without being a domain member?
So I would like to robocopy files with complex ACLs to this instance
and from there back to a domain member and see the same complex ACLs.
I spent some hours reading and trying, but I did not get it working
and any hint is appreciated!
I have another backup target, some QNAP NAS system (I assume it is
using Samba as well). This also does not support storing ACL security
information, but it behaves differently. A script copies data with
robocopy and the following options:
/E /COPY:DAT /PURGE /IA:RASHNTCEO /X /R:0 /W:0 /NP /TEE /FFT %ZPAR%
When I do the same to my Samba, I get a lot of "ERROR 5 (0x00000005)
Changing File Attributes" errors.
I run Samba on ZFS on Linux in a container, Proxmox based. xattrs seem to work:
root at nas2:/mp0/storage/backup# touch userattr
root at nas2:/mp0/storage/backup# setfattr -n user.steffen -v washere userattr
# file: userattr
but not for security:
root at nas2:/mp0/storage/backup# touch secattr
root at nas2:/mp0/storage/backup# setfattr -n security.NTACL -v 1 secattr
setfattr: secattr: Operation not permitted
(the same works on the Proxmox host; the container is not privileged).
Because of "acl_xattr:ignore system acls", I think "security.*" xattrs
won't be used but something like "user.samba...." or so.
NB: On file systems, permissions and ACLs do not need to work, there
is no access to the filesystem, neither host nor guest, only via Samba.
Only the remote client (robocopy.exe) should be able to correctly copy
the values back.
Any hints appreciated!
Thanks and best regards,
workgroup = bakwg3
; interfaces = 10.221.12.0/24 eth0
; bind interfaces only = yes
log file = /var/log/samba/log.%m
log level = 1 auth_audit:3
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
map to guest = bad user
usershare allow guests = no
vfs objects = acl_xattr
map acl inherit = yes
server signing = auto
client signing = auto
acl_xattr:ignore system acls = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map acl inherit = yes
nt acl support = yes
# desperate attempt without effect:
ntlm auth = yes
comment = Storage Space (simulating NAS)
path = /mp0/storage/backup
browseable = no
guest ok = no
read only = no
create mask = 0600
directory mask = 0600
valid users = [dedicated local backup accounts]