Nicola Mingotti
2021-Jan-24 16:30 UTC
[Samba] Is it possible to 'getfacl' on a mounted samba share ?
Hi,

I have installed a Samba DC and a Samba based NAS to feed a mainly Windows computer network. It is all working very well.

I am implementing the backup system right now and I found a problem with permissions when working from Linux on the Samba shared directories.

If I run "getfacl" and "setfacl" from the machine exporting the Samba disk it all works as expected. ok.

I can see all file permissions from Windows computers mounting the Samba share. ok.

But, if I try to run "getfacl" from a Linux machine mounting the Samba share I can't see anything. Is it normal?

I mount the Samba share in Linux like this

---- /etc/fstab -----------------------------------
//nas.borghi.lan/sambaDisk/DiscoS/  /mnt/discoR  cifs  cifsacl,credentials=/usr/local/etc/discoR.credentials  0  0
---------------------------------------------------
#> sudo mount /mnt/discoR

My /etc/samba/smb.conf is at the end of message.

I thought maybe it was because my Linux box doesn't know about AD users. So I made a test also from a Linux machine that joined the Windows domain. No differences. I can't 'getfacl' at all.

Am I missing something fundamental? It may be so, it is the first time I am working seriously with Samba.

bye
Nicola

----- /etc/samba/smb.conf -----------------
# please ignore my comments, especially if in Italian.
[global]
   workgroup = WINDOM
   security = ADS
   realm = WINDOM.BORGHI.LAN

   # for Windows ACLs
   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   # remove after testing
   winbind enum users = yes
   winbind enum groups = yes

   # disable printing
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   # logs
   # log file = /var/log/samba/%m.log
   # log level = 1
   log file = /var/log/samba/samba.log
   # log file = /var/log/samba/perPersonOrMachine/%U.log
   # log level = 1 smb:2 smb2:3
   # log level = 2 smb:2 smb2:2 vfs:9
   log level = 2 smb:2 smb2:2
   # . be sure to handle it with logrotate
   # max file size 100 MB, hopefully logrotate cuts it before that
   max log size = 100000

   # ---- ID mapping backend rid -------
   # Default ID mapping configuration for local BUILTIN accounts
   # and groups on a domain member. The default (*) domain:
   # - must not overlap with any domain ID mapping configuration!
   # - must use a read-write-enabled back end, such as tdb.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # - You must set a DOMAIN backend configuration
   # idmap config for the SAMDOM domain
   idmap config WINDOM : backend = rid
   idmap config WINDOM : range = 10000-999999

   # Template settings for login shell and home directory
   template shell = /bin/bash
   template homedir = /home/WINDOM-%U

   # map "Administrator" to "root"
   username map = /usr/local/samba/etc/user.map

# directory that acts as the shared disk
[sambaDisk]
       path = /mnt/sambaShared/sambaDisk
       read only = no

       # --- default mask for users
       create mask = 777
       directory mask = 777

       # -- what happens if a user leaves?
       #    better to make sure there are no problems by setting
       #    a default user and group for all files.
       #    (*) applies to Windows clients. Does not apply to Linux. For Mac?
       # => DISABLED, because in the logs I no longer see who opens the files, only "root", everywhere
       # force user = root
       # force group = adm
       # inherit permissions = true

       # ---- load the required modules
       # vfs objects = full_audit shadow_copy2
       vfs objects = shadow_copy2
       # -------------------------------

       # --- for auditing --------------
       # . disabled, due to issues with logs that do not restart
       #   I can read the read/write accesses to files in the default logs.
       # opendir: too much output, it is read automatically
       # I don't understand what these do: read write pread pwrite
       # full_audit:prefix = %u|%I
       # full_audit:success = open
       # full_audit:failure = all
       # full_audit:facility = LOCAL5
       # --------------------------------

       # ---- for shadow copies ------
       shadow:snapdir = /mnt/sambaShared/snapshots
       shadow:basedir = /mnt/sambaShared/sambaDisk
       shadow:sort = desc
----------------------------------------------------------------
Rowland Penny
2021-Jan-24 17:02 UTC
On 24/01/2021 16:30, Nicola Mingotti via samba wrote:
> Hi,
>
> I have installed a Samba DC and a Samba based NAS to feed
> a mainly Windows computer network. It is all working very well.
>
> I am implementing the backup system right now and I found a problem
> with permissions
> when working from Linux on the Samba shared directories.
>
> If I run "getfacl" and "setfacl"
> from the machine exporting the Samba disk it all works as expected. ok.
>
> I can see all file permissions from Windows computers mounting the
> Samba share. ok.
>
> But, if I try to run "getfacl" from a Linux machine mounting the
> Samba share I can't see anything. Is it normal?

You have turned ACLs off on the 'sambaDisk' share by setting 'vfs objects = acl_xattr' in global and then 'vfs objects = shadow_copy2' in the share. Try setting 'vfs objects = shadow_copy2 acl_xattr' in global (where it will affect all shares) or in the share (where it will just affect the share).

Rowland
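The share-level override Rowland describes above, as an added example that is not part of the original thread or of Samba's own tooling: a small Python check that parses an smb.conf and reports shares whose own 'vfs objects' line drops modules listed in [global]. The sample configuration is constructed from the smb.conf posted earlier, and the function names are illustrative.

```python
import re

# Constructed sample, reduced from the smb.conf posted in this thread.
SAMPLE_SMB_CONF = """\
[global]
   vfs objects = acl_xattr

[sambaDisk]
   path = /mnt/sambaShared/sambaDisk
   # vfs objects = full_audit shadow_copy2
   vfs objects = shadow_copy2

[scratch]
   path = /mnt/scratch
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with case and spacing of names normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def dropped_vfs_modules(text):
    """Map each share to the [global] VFS modules its own 'vfs objects' drops."""
    # A share-level 'vfs objects' replaces the [global] list instead of adding
    # to it, so any global module not repeated in the share is lost there.
    conf = parse_smb_conf(text)
    global_mods = conf.get("global", {}).get("vfs objects", "").split()
    report = {}
    for share, params in conf.items():
        if share == "global" or "vfs objects" not in params:
            continue  # a share without its own line inherits the global list
        share_mods = params["vfs objects"].split()
        missing = [m for m in global_mods if m not in share_mods]
        if missing:
            report[share] = missing
    return report

if __name__ == "__main__":
    for share, missing in dropped_vfs_modules(SAMPLE_SMB_CONF).items():
        print(f"[{share}] drops global VFS modules: {' '.join(missing)}")
```

On a real server, `testparm -s` prints the configuration as Samba parses it and can be used to confirm what a share ends up with.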
Ralph Boehme
2021-Jan-25 10:11 UTC
Ho!

On 1/24/21 at 5:30 PM, Nicola Mingotti via samba wrote:
> But, if I try to run "getfacl" from a Linux machine mounting the
> Samba share I can't see anything. Is it normal?

I guess that only works with SMB1 and UNIX extensions as it is built on being able to query native POSIX ACL over the wire. It probably doesn't support querying native NT ACL and showing it as POSIX ACL (for good reasons as the mapping is lossy).

Aurelien, am I right?

Cheers!
-slow

--
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46