[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
Peter Milesson
miles at atmos.eu
Sat Jan 14 17:22:26 UTC 2023
On 14.01.2023 16:39, Rowland Penny via samba wrote:
>
>
> On 14/01/2023 14:45, Peter Milesson via samba wrote:
>> Hi folks,
>>
>> Presently I have got an ageing Samba member server (4.10.16) under
>> CentOS 7.9, so, I'm setting up a new Samba member server to replace
>> the old server. I have made an initial installation with Debian
>> Bookworm, as I want to keep at least Samba fairly up to date.
>
> You are now ahead on the OS (bookworm hasn't been released yet).
>>
>> It's a small Samba based domain (Louis' packages 4.15.7)
>
> And behind with Samba, the latest is 4.17.4
> I also cannot recommend using Louis's repo, it hasn't been updated for
> quite sometime and it might never be updated again.
> I suggest that you use Debian Bullseye and Samba from backports, this
> will get you Samba 4.17.4
>
> with about 15
>> users and a few Windows based production machine controllers. There
>> are several groups, where almost everybody has got a specific mix of
>> access permissions to different shares. Mostly, a specific group has
>> got full permissions on a share, and I want to keep inheritance
>> through Windows ACLs, unless otherwise set up for specific folders
>> inside that share. Except for data shares, there are user profiles
>> (using folder redirection) stored on the old server and they are also
>> going to be migrated to the new box. The domain is mostly managed
>> with Microsoft's RSAT tools (users/machines/shares/GPOs). There are
>> no Linux users and will never be, except administrative user accounts
>> for common Linux administration tasks.
>
> You are a bit wrong there, because you are using the 'rid' idmap
> backend, all your AD users will be Linux users.
>
>>
>> I want the shares in the new server to have maximum possible Windows
>> server compatibility to minimize quirks and non standard behavior. So
>> I kindly ask the list for comments on my configuration.
>
> As you have only Windows clients, I suggest you set the permissions
> from Windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> and here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Because of the above, I would remove a few lines from your smb.conf:
>
> acl group control = yes
> inherit owner = windows and linux
> inherit acls = yes
>
> When creating your shares, only add the lines shown in the links above.
>
>
Hi Rowland,
Thanks for the input.
The DC with Louis' packages will be next in line for replacement. I have
noticed there have not been any updates for quite a while.
I wasn't aware that the rid backend makes all AD users Linux users. It
is definitely not clear from the Wiki. Will it pose a problem with
compatibility on Windows workstations when accessing the shares? Will
there be any limitations, or otherwise crippled behavior? Anyway, there
will be no access allowed to the server outside Samba, except for Linux
administration tasks. Is there a simple way to migrate to ad backend
from rid? Otherwise I see a daunting task before me setting new
permissions on everything according to each user's permission mix.
So the two lines
vfs objects = acl_xattr
map acl inherit = yes
are actually sufficient for getting the best Windows server
compatibility, without the other options?
I have never used anything else than the RSAT tools (AD, DNS, GPO) to
manage the share permissions on the existing server. I have no intention
to use anything else on the new server, unless absolutely required.
About setting up the profile share, I would very much try to avoid using
roaming user profiles. I have been using folder redirection for quite
some years, and it is definitely much more efficient than roaming
profiles. There are quite a few users that insist in cluttering their
desktops with 10's of GB of files, even if I tell them 500 times, that
they shouldn't be surprised that it takes several minutes before they
are logged in. With folder redirection that problem is gone.
Best regards,
Peter
More information about the samba
mailing list