[Samba] How to set up a simple file server with full ACL support?

Rowland Penny rpenny at samba.org
Fri May 24 10:26:41 UTC 2024


On Fri, 24 May 2024 20:58:02 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Wed, 2024-05-22 at 21:05 -0700, Jeremy Allison wrote:
> > On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba wrote:
> > > After 23 years answering questions here, I figure it might be time
> > > for me to ask one.
> > > 
> > > As mentioned here:
> > > https://lists.samba.org/archive/samba-technical/2024-May/138969.html
> > > I am working with a client to improve a Go SMB client library.
> > > 
> > > They want to manipulate ACLs on SMB, which is a very reasonable
> > > thing to want to do.
> > > 
> > > What we had a lot of trouble with is simply setting Samba up as a
> > > standalone fileserver able to accept arbitrary NT ACL changes.
> > > ..
> > > However, despite connecting as root (within a docker container),
> > > we just get ACL errors that seem to be from Samba checking and
> > > failing against some existing (mapped) presumably ACL.
> > > 
> > > I don't have the exact error strings to hand (was on the client's
> > > dev box) but I've been asked to provide a working set of steps to
> > > get arbitrary Windows ACLs working on modern standalone Samba server.
> > 
> > My guess would be docker container issues.
> > 
> > Try setting up a bog-standard stand-alone fileserver (not on docker)
> > - no containerization, just using local users and NTLM auth.
> > 
> > Get ACL then set with smbcacls.
> 
> Thanks so much.  It works with a real VM, and fails on the Docker
> image.
> 
> The difference in the returned ACL, being the default created by a
> root user uploaded with smbclient is:
> 
> (VM) O:S-1-5-21-453318200-1757343522-2642056891-1000G:S-1-5-21-
> 453318200-1757343522-2642056891-513D:(A;;FA;;;S-1-5-21-453318200-
> 1757343522-2642056891-1000)(A;;0x1200a9;;;S-1-5-21-453318200-
> 1757343522-2642056891-513)(A;;0x1200a9;;;WD)

Hi Andrew, just a question, you said that you were setting up a
standalone server, so how have you got the RID for Domain Users?

Rowland

> 
> (Docker) O:S-1-5-21-1647377796-1824335532-2881770359-1000G:S-1-22-2-
> 0D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-
> 1000)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)(A;;FA;;;S-1-
> 5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;WD)
> 
> Both are Samba master built from source on Debian 12.
> 
> It is a pity, both because Samba should work better in Docker, and
> because for a bit of testing a docker container is so much easier to
> manage.  I've become so used to jumping into an ephemeral container
> that setting up a real VM was actually quite a pain.
> 
> Anyway, between this and my earlier complaint I've decided to put my
> hand to the file-server and make up a MR that will give better error
> messages and help us all trace errors better by passing better failure
> line numbers.  
> 
> Andrew Bartlett
> 
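
Added example, not part of the original message and not Samba code: a small Python parser that takes the two SDDL strings quoted above (e-mail line wraps joined) and compares them, flagging SIDs from Samba's Unix-mapping ranges (S-1-22-1-* for uids, S-1-22-2-* for gids) and repeated ACEs. The function names and the LOCAL- shorthand for the per-host S-1-5-21 prefix are assumptions of this example.

```python
import re
from collections import Counter

# SDDL strings as quoted in the message above, e-mail line wraps joined.
VM = ("O:S-1-5-21-453318200-1757343522-2642056891-1000"
      "G:S-1-5-21-453318200-1757343522-2642056891-513"
      "D:(A;;FA;;;S-1-5-21-453318200-1757343522-2642056891-1000)"
      "(A;;0x1200a9;;;S-1-5-21-453318200-1757343522-2642056891-513)"
      "(A;;0x1200a9;;;WD)")
DOCKER = ("O:S-1-5-21-1647377796-1824335532-2881770359-1000"
          "G:S-1-22-2-0"
          "D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)"
          "(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)"
          "(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)"
          "(A;;0x1200a9;;;WD)")

UNIX_MAPPED = {"S-1-22-1-": "Unix user (uid)", "S-1-22-2-": "Unix group (gid)"}

def short(sid):
    """Replace the per-host S-1-5-21-x-y-z prefix so two servers compare."""
    return re.sub(r"^S-1-5-21-\d+-\d+-\d+-", "LOCAL-", sid)

def parse_sddl(sddl):
    """Split an O:/G:/D: descriptor into owner, group and a list of ACEs."""
    m = re.fullmatch(r"O:(.*?)G:(.*?)D:([^(]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL (expected O:, G:, D: in that order)")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(4)):
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        aces.append((ace_type, flags, rights, short(trustee)))
    return {"owner": short(m.group(1)), "group": short(m.group(2)), "aces": aces}

def findings(sddl):
    """Flag Unix-mapped SIDs and repeated ACEs in one descriptor."""
    sd, out = parse_sddl(sddl), []
    for sid in sorted({sd["owner"], sd["group"]} | {a[3] for a in sd["aces"]}):
        for prefix, kind in UNIX_MAPPED.items():
            if sid.startswith(prefix):
                out.append(f"{sid}: {kind} mapping, not a local account SID")
    for ace, n in sorted(Counter(sd["aces"]).items()):
        if n > 1:
            out.append(f"ACE {ace} appears {n} times")
    return out

if __name__ == "__main__":
    for name, sddl in (("VM", VM), ("Docker", DOCKER)):
        print(name, parse_sddl(sddl)["group"], findings(sddl) or "no findings")
```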



