[Samba] Fwd: Can Samba just store ACL information (without interpreting it) without AD?

Sat Jan 14 19:58:11 UTC 2023

Hi,

thank you for your reply. A short note for sake of completeness :)

I think I got this working, but the topic is complex and there are
many pitfalls.
I started with "vfs objects = acl_tdb", which simply uses an ordinary
file and thus does not depend on xattrs or anything from file system
(I was not able to get it working with ZFS in a container).
Windows has habits that surprised me (e.g. do not resolve SID in ACE
on remote shares, but the SID are correct; no idea why they are listed
as unknown).

It seems to also helps a lot *for me special case* to make the backup
user an admin user ([share] admin users = [dedicated local backup
accounts]) to avoid tha these accounts cannot read back (or update)
the files they created.

Steffen

On Thu, Jan 12, 2023 at 3:50 PM Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
>
>
> On 12/01/2023 13:54, Steffen Dettmer via samba wrote:
> > Hi,
> >
> > I read several articles on the internet, but I fail to understand how
> > ACL storage technically works. Of course in almost any case, ACL
> > should not only be stored but also evaluated, and for this this Samba
> > server needs to be a member of the AD domain. I think I understand
> > this, but I have a different use case. I hope someone can help and
> > possibly has a link or such.
> >
> > I have a samba instance solely for backups, and there is no need to
> > interpret any ACL. Of course, for security reasons, I do not want a
> > backup server in AD. There is no access from the file system either.
> > No ordinary account shall work, only host-specific access accounts
> > shall be allowed to connect (I created them with smbpasswd). Samba
> > should just keep the ACL information, but in no way interpret it. A
> > possible restore would be done through the network, so Samba should
> > "return" the previously stored ACL/security information. To allow
> > simple file-based incremental backups, no archive format is used (but
> > preferably robocopy.exe).
> >
> > Is this possible? Is it possible to configure a Samba server capable
> > of storing ACLs lossless without being a domain member?
> >
> > So I would like to robocopy files with complex ACLs to this instance
> > and from there back to a domain member and see the same complex ACLs.
> >
> > I spent some hours reading and trying, but I did not get it working
> > and any hint is appreciated!
> >
> > I have another backup target, some QNAP NAS system (I assume it is
> > using Samba as well). This also does not support storing ACL security
> > information, but it behaves differently. A script copies data with
> > robocopy and the following options:
> >
> > /E /COPY:DAT /PURGE /IA:RASHNTCEO /X /R:0 /W:0 /NP /TEE /FFT %ZPAR%
> > /LOG+:%log%
> >
> > When I do the same to my Samba, I get a lot of "ERROR 5 (0x00000005)
> > Changing File Attributes" errors.
> >
> > I run Samba on ZFS on Linux in a container, Proxmox based. xattrs seem to work:
> >
> > root at nas2:/mp0/storage/backup# touch userattr
> > root at nas2:/mp0/storage/backup# setfattr -n user.steffen -v washere userattr
> > # file: userattr
> > user.steffen="washere"
> >
> > but not for security:
> >
> > root at nas2:/mp0/storage/backup# touch secattr
> > root at nas2:/mp0/storage/backup# setfattr -n security.NTACL -v 1 secattr
> > setfattr: secattr: Operation not permitted
> >
> > (the same works on the proxmox host; the container is not privileged).
> > Because of "acl_xattr:ignore system acls", I think "security.*" fattrs
> > won't be used but something like "user.samba...." or so.
> >
> > NB: On file systems, permissions and ACLs do not need to work, there
> > is no access to filesystem, neither host nor guest, only via Samba.
> > Only the remote client (robocopy.exe) should be able to correctly copy
> > the values back.
> >
> >
>
> I do not think you can do this, storing ACL's is to a certain extent
> dependant on being able to 'evaluate' them. I think that if you were to
> copy anything to a standalone server, you would have to do it as a user
> known to the standalone server and the files would then belong to that
> user i.e. you would lose the ACL's.
>
> The only way around this, that I can think off, would be to compress the
> backup into a tarball and copy this across, whilst the tarball would end
> up belonging to your backup user, the files inside it should still have
> your ACL's.
>
> Of course it is possible that someone will say that they have been doing
> it for years and this is how you do it ;-)
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba