samba - Sep 2013 - Samba4: where are ACLs stored?

Hi,

most file access rights sync between ACLs of linux and the security tab 
of windows file properties, but not all. Where are the other infos stored?

I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but
neither
output changed when using windows to add individual right for a user 
that already has rights inherited from the parent directory. Windows 
remembers every detail of these changes, even after a reboot, so it must 
be stored somewhere.

I'm concerned that backups might be incomplete when part of the access 
rights are hidden somewhere else. Will 'cp -a' really copy everything?

Thanks,
Klaus

On 9/26/2013 10:12 AM, Klaus Hartnegg wrote:
> Hi,
>
> most file access rights sync between ACLs of linux and the security tab
> of windows file properties, but not all. Where are the other infos stored?
>
> I tried in linux 'getfattr -d' and 'samba-tool ntacl get',
but neither
> output changed when using windows to add individual right for a user
> that already has rights inherited from the parent directory. Windows
> remembers every detail of these changes, even after a reboot, so it must
> be stored somewhere.
>
> I'm concerned that backups might be incomplete when part of the access
> rights are hidden somewhere else. Will 'cp -a' really copy
everything?
>
Under ext4, we mount with "rw,noatime,user_xattr,acl".

http://docs.fedoraproject.org/en-US/Fedora/14/html/Storage_Administration_Guide/ext4mount.html

https://wiki.samba.org/index.php/Samba_4/OS_Requirements#ext3.2Fext4_File_System

https://wiki.samba.org/index.php/Samba_4/OS_Requirements#ext3.2Fext4_File_System

According to the ext4 documentation page, barrier=barrier (a.k.a. 
barrier=1) is the default, but it doesn't hurt to specify it in your 
/etc/fstab file for the file system where your TDB files are stored. 
Use "cat /proc/mounts" to see current file system mount options.

You can check kernel defaults for xattr and ACL support by finding your 
config.gz or config file.  Under CentOS, this is stored in /boot

# grep CONFIG_EXT4_FS /boot/config-2.6.32-358.18.1.el6.x86_64
or
# zgrep CONFIG_EXT4_FS /proc/config.gz

Command to check ACLs:

# getfacl

Command to check xattrs:

# getfattr

...

All that to say my guess is that the ACLs get stored in "acl" ext4
mount
option.

I know that rdiff-backup stores: "preserves subdirectories, hard links, 
dev files, permissions, uid/gid ownership, modification times, extended 
attributes, acls, and resource forks".  So you would need to check that 
your backup software supports both "extended attributes" and
"ACLs".

Hi List, I'm new in the list and with Samba4
I was installed, samba4 ver. 4.0.9 in a server with openSUSE 12.3, 32 bits.
Previously I had samba3.6.x installed in my server, the users could
access to /home/(users) as like as users drive (U:) and modify every
thing in theirs drive.

But with Samba4:
- How my users can modify theirs home(eg.User:erick, with home
directory: /home/erick ) in the server, because in this, they can't
modify(Delete, Create, Rename and so so) any thing.
- When the user login in their session how can appear automatically the
drive U: for example with their home files.

My client PC are windows XP sp2 installed with theirs profiles "only
local".

Thanks

	T.I.A.


I provide my "smb.conf" configuration if you could help me.


[global]
	server string = Samba4 Server en NEURODESARROLLO
	workgroup = NEURODCAR
	realm = NEURODCAR.MTZ.SLD.CU
	netbios name = ALFA
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc
	dns forwarder = 10.44.0.10
	logon path = \\%L\profiles\%U
	logon home = \\%N\%U
	logon drive = U:
	domain logons = Yes
	domain master = Yes
	local master = Yes
	preferred master = Yes
	os level = 65
	log level = 3

[homes]
    comment = Home Directories
    valid users = %ACCOUNTNAME%, %S, %D%w%S
    browseable = No
    read only = No

[profiles]
    path = /usr/local/samba/Profiles/
    read only = No

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/neurodcar.mtz.sld.cu/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
	
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775

#######################################

-- 
Jes?s Reyes Piedra
Admin Red Neurodearrollo,C?rdenas

La caja dec?a:"Requiere windows 95 o superior"...
Entonces instal? LINUX.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20130926/679e4b0c/attachment.pgp>

On Thu, 2013-09-26 at 16:12 +0200, Klaus Hartnegg wrote:
> Hi,
> 
> most file access rights sync between ACLs of linux and the security tab 
> of windows file properties, but not all. Where are the other infos stored?
> 
> I tried in linux 'getfattr -d' and 'samba-tool ntacl get',
but neither
> output changed when using windows to add individual right for a user 
> that already has rights inherited from the parent directory. Windows 
> remembers every detail of these changes, even after a reboot, so it must 
> be stored somewhere.
> 
> I'm concerned that backups might be incomplete when part of the access 
> rights are hidden somewhere else. Will 'cp -a' really copy
everything?
Can you show me your smb.conf?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org