[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility

Peter Milesson miles at atmos.eu
Sat Jan 14 17:22:26 UTC 2023



On 14.01.2023 16:39, Rowland Penny via samba wrote:
>
>
> On 14/01/2023 14:45, Peter Milesson via samba wrote:
>> Hi folks,
>>
>> Presently I have got an ageing Samba member server (4.10.16) under 
>> CentOS 7.9, so, I'm setting up a new Samba member server to replace 
>> the old server. I have made an initial installation with Debian 
>> Bookworm, as I want to keep at least Samba fairly up to date.
>
> You are now ahead on the OS (bookworm hasn't been released yet).
>>
>> It's a small Samba based domain (Louis' packages 4.15.7)
>
> And behind with Samba, the latest is 4.17.4
> I also cannot recommend using Louis's repo, it hasn't been updated for 
> quite some time and it might never be updated again.
> I suggest that you use Debian Bullseye and Samba from backports, this 
> will get you Samba 4.17.4
>
>> with about 15
>> users and a few Windows based production machine controllers. There 
>> are several groups, where almost everybody has got a specific mix of 
>> access permissions to different shares. Mostly, a specific group has 
>> got full permissions on a share, and I want to keep inheritance 
>> through Windows ACLs, unless otherwise set up for specific folders 
>> inside that share. Except for data shares, there are user profiles 
>> (using folder redirection) stored on the old server and they are also 
>> going to be migrated to the new box. The domain is mostly managed 
>> with Microsoft's RSAT tools (users/machines/shares/GPOs). There are 
>> no Linux users and will never be, except administrative user accounts 
>> for common Linux administration tasks.
>
> You are a bit wrong there, because you are using the 'rid' idmap 
> backend, all your AD users will be Linux users.
>
>>
>> I want the shares in the new server to have maximum possible Windows 
>> server compatibility to minimize quirks and non standard behavior. So 
>> I kindly ask the list for comments on my configuration.
>
> As you have only Windows clients, I suggest you set the permissions 
> from Windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> and here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Because of the above, I would remove a few lines from your smb.conf:
>
>    acl group control = yes
>    inherit owner = windows and linux
>    inherit acls = yes
>
> When creating your shares, only add the lines shown in the links above.
>
>
Hi Rowland,

Thanks for the input.

The DC with Louis' packages will be next in line for replacement. I have 
noticed there have not been any updates for quite a while.

I wasn't aware that the rid backend makes all AD users Linux users. It 
is definitely not clear from the Wiki. Will it pose a problem with 
compatibility on Windows workstations when accessing the shares? Will 
there be any limitations, or otherwise crippled behavior? Anyway, there 
will be no access allowed to the server outside Samba, except for Linux 
administration tasks. Is there a simple way to migrate to ad backend 
from rid? Otherwise I see a daunting task before me setting new 
permissions on everything according to each user's permission mix.

So the two lines

    vfs objects = acl_xattr
    map acl inherit = yes

are actually sufficient for getting the best Windows server 
compatibility, without the other options?

I have never used anything else than the RSAT tools (AD, DNS, GPO) to 
manage the share permissions on the existing server. I have no intention 
to use anything else on the new server, unless absolutely required.

About setting up the profile share, I would very much try to avoid using 
roaming user profiles. I have been using folder redirection for quite 
some years, and it is definitely much more efficient than roaming 
profiles. There are quite a few users that insist on cluttering their 
desktops with tens of GB of files, even if I tell them 500 times that 
they shouldn't be surprised that it takes several minutes before they 
are logged in. With folder redirection that problem is gone.

Best regards,

Peter
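The thread boils down to a small configuration check: each share that is to be managed from Windows should end up with `vfs objects = acl_xattr` and `map acl inherit = yes` in effect (set in [global] or per share), and the three options Rowland suggested dropping (`acl group control`, `inherit owner`, `inherit acls`) should not appear on the shares. The script below is an added example, not code from the poster, Rowland or the Samba project. It hand-parses an smb.conf (the sample configuration embedded in it is constructed for this example; the share names, paths and idmap ranges are invented) and reports, per share, which of those settings are missing, wrong or should be removed. It also shows a pitfall of the per-share form: a share-level `vfs objects` line replaces the global list rather than appending to it, so a share that adds another VFS module silently loses `acl_xattr` unless the module is listed again.

```python
import re

# Settings the thread names as sufficient for Windows-managed ACLs, with a
# predicate that says whether a given value satisfies them.
REQUIRED = {
    "vfs objects": lambda v: "acl_xattr" in v.split(),
    "map acl inherit": lambda v: v.lower() in ("yes", "true", "1"),
}
# Options Rowland recommended removing when permissions are set from Windows.
DISCOURAGED = ("acl group control", "inherit owner", "inherit acls")

# Constructed sample configuration for this example; not the poster's real smb.conf.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ADS
   realm = EXAMPLE.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
   vfs objects = acl_xattr
   map acl inherit = yes

[data]
   path = /srv/samba/data
   read only = no
   acl group control = yes
   inherit acls = yes

[profiles]
   path = /srv/samba/profiles
   read only = no
   vfs objects = acl_xattr
   map acl inherit = yes
   inherit owner = windows and linux

[scratch]
   path = /srv/samba/scratch
   read only = no
   vfs objects = recycle
   map acl inherit = no
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased and whitespace-normalised so 'Map ACL Inherit' and
    'map acl inherit' compare equal; a later duplicate key overrides an
    earlier one, as smbd itself behaves. Comment lines start with '#' or ';'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # tolerate stray text outside a section rather than abort
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower()
        sections[current][key] = value.strip()
    return sections


def effective(sections, share, key):
    """Value in effect for a share: its own setting, else the [global] one."""
    return sections.get(share, {}).get(key, sections.get("global", {}).get(key))


def audit(text):
    """Return {share: [problem, ...]} for every non-global section."""
    sections = parse_smb_conf(text)
    report = {}
    for share in sections:
        if share == "global":
            continue
        problems = []
        for key, ok in REQUIRED.items():
            val = effective(sections, share, key)
            if val is None or not ok(val):
                problems.append(f"missing or wrong: {key} = {val}")
        for key in DISCOURAGED:
            if key in sections[share]:
                problems.append(f"remove: {key} = {sections[share][key]}")
        report[share] = problems
    return report


if __name__ == "__main__":
    for share, problems in audit(SAMPLE_SMB_CONF).items():
        print(f"[{share}]", "ok" if not problems else "")
        for p in problems:
            print("   ", p)
```

In the sample, `[data]` inherits both required settings from [global] and only needs its two extra lines removed, `[profiles]` needs `inherit owner` dropped, and `[scratch]` loses `acl_xattr` because its own `vfs objects = recycle` line replaced the global list. Replace `SAMPLE_SMB_CONF` with the contents of a real file to check a server; the script only reads text and changes nothing.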
