[Samba] How to set up a simple file server with full ACL support?

Andrew Bartlett abartlet at samba.org
Fri May 24 08:58:02 UTC 2024


On Wed, 2024-05-22 at 21:05 -0700, Jeremy Allison wrote:
> On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba wrote:
> > After 23 years answering questions here, I figure it might be time
> > for me to ask one.
> > 
> > As mentioned here:
> > https://lists.samba.org/archive/samba-technical/2024-May/138969.html
> > I am working with a client to improve a Go SMB client library.
> > 
> > They want to manipulate ACLs on SMB, which is a very reasonable
> > thing to want to do.
> > 
> > What we had a lot of trouble with is simply setting Samba up as a
> > standalone fileserver able to accept arbitrary NT ACL changes.
> > ..
> > However, despite connecting as root (within a docker container), we
> > just get ACL errors that seem to be from Samba checking and failing
> > against some existing (mapped) presumably ACL.
> > 
> > I don't have the exact error strings to hand (was on the client's dev
> > box) but I've been asked to provide a working set of steps to get
> > arbitrary windows ACLs working on modern standalone Samba server.
> 
> My guess would be docker container issues.
> 
> Try setting up a bog-standard stand-alone fileserver (not on docker)
> - no containerization, just using local users and NTLM auth.
> 
> Get ACL then set with smbcacls.

Thanks so much.  It works with a real VM, and fails on the Docker
image.

The difference in the returned ACL, being the default created by a root
user uploaded with smbclient is:

(VM) O:S-1-5-21-453318200-1757343522-2642056891-1000G:S-1-5-21-453318200-1757343522-2642056891-513D:(A;;FA;;;S-1-5-21-453318200-1757343522-2642056891-1000)(A;;0x1200a9;;;S-1-5-21-453318200-1757343522-2642056891-513)(A;;0x1200a9;;;WD)

(Docker) O:S-1-5-21-1647377796-1824335532-2881770359-1000G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;WD)

Both are Samba master built from source on Debian 12.

It is a pity, both because Samba should work better in Docker, and
because for a bit of testing a docker container is so much easier to
manage.  I've become so used to jumping into an ephemeral container that
setting up a real VM was actually quite a pain.

Anyway, between this and my earlier complaint I've decided to put my
hand to the file-server and make up a MR that will give better error
messages and help us all trace errors better by passing better failure
line numbers.  

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
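
The two descriptors quoted in the message can be compared mechanically. The following Go sketch is an added example, not part of the original post or of Samba or the Go SMB library; it parses only the O:/G:/D: form shown above and flags SIDs in Samba's Unix-mapping range (S-1-22-1-<uid> for users, S-1-22-2-<gid> for groups) on the owner or group, plus ACEs that repeat. The function names and the regular expressions are choices made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Descriptors from the message above, with the mail line-wrapping removed.
const vmSDDL = "O:S-1-5-21-453318200-1757343522-2642056891-1000G:S-1-5-21-453318200-1757343522-2642056891-513D:(A;;FA;;;S-1-5-21-453318200-1757343522-2642056891-1000)(A;;0x1200a9;;;S-1-5-21-453318200-1757343522-2642056891-513)(A;;0x1200a9;;;WD)"
const dockerSDDL = "O:S-1-5-21-1647377796-1824335532-2881770359-1000G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;WD)"
var headRe = regexp.MustCompile(`^O:(.+?)G:(.+?)D:[A-Z]*(\(.*\))$`)
var aceRe = regexp.MustCompile(`\(([^)]*)\)`)

// ParseSDDL splits an O:/G:/D: descriptor into owner, group and DACL ACEs (no SACL support).
func ParseSDDL(s string) (owner, group string, aces []string, err error) {
	m := headRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return "", "", nil, fmt.Errorf("unsupported SDDL: %q", s)
	}
	for _, a := range aceRe.FindAllStringSubmatch(m[3], -1) {
		aces = append(aces, a[1])
	}
	return m[1], m[2], aces, nil
}

// Findings flags a Unix-mapped owner or group SID and ACEs that exactly repeat an earlier ACE.
func Findings(owner, group string, aces []string) []string {
	var out []string
	for i, sid := range []string{owner, group} {
		if strings.HasPrefix(sid, "S-1-22-") {
			out = append(out, []string{"owner", "group"}[i]+" is Unix-mapped: "+sid)
		}
	}
	seen := map[string]int{}
	for i, ace := range aces {
		if first, dup := seen[ace]; dup {
			out = append(out, fmt.Sprintf("ACE %d repeats ACE %d: (%s)", i, first, ace))
		} else {
			seen[ace] = i
		}
	}
	return out
}

func main() {
	o, g, aces, err := ParseSDDL(dockerSDDL)
	fmt.Println(o, g, err, Findings(o, g, aces))
}
```

On the VM descriptor it reports nothing; on the Docker descriptor it reports the S-1-22-2-0 group and the two repeated ACEs.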



