samba - Apr 2022 - samba share not allowing owner of folder

On Mon, 2022-04-11 at 12:30 +0200, maillists_samba--- via samba
wrote:
> How to allow the owner of a folder that is shared access to that
> share?
> 
> I have;
> 
> Samba version 4.13.13-Debian
> 
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_STANDALONE
> 
> ----------
> # Global parameters
> [global]
>          log file = /var/log/samba/log.%m
>          logging = file
>          map to guest = Bad User
>          max log size = 1000
>          obey pam restrictions = Yes
>          pam password change = Yes
>          panic action = /usr/share/samba/panic-action %d
>          passwd chat = *Enter\snew\s*\spassword:* %n\n 
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          passwd program = /usr/bin/passwd %u
>          server role = standalone server
>          unix password sync = Yes
>          usershare allow guests = Yes
>          idmap config * : backend = tdb
> 
> [proxmox-trx40]
>          comment = Aiii
>          inherit permissions = Yes
>          path = /{redacted}/hypervisors/proxmox/trx40_1
>          read only = No
>          valid users = proxmox
> 
> ----------
> 
> ls -l /{redacted}/
> 
> drwxrwx---+  3 proxmox proxmox    3 Mar 24 18:04  hypervisors
On the face of it, only 'proxmox' and members of the 'proxmox'
group
can enter the hypervisors directory, but notice the '+' on the end of
the permissions, this means that you have extended ACLs set. However
you are missing a parameter in the smb.conf global section.

Add 'vfs objects = acl_xattr' to smb.conf, restart Samba and then read
up on 'setfacl' and 'getfacl'.

Rowland

In the meantime I have added the
vfs objects = acl_xattr
  to the global section

I changed the chmod to 770 recursivly
I changed the owner (chown) to root:root recursivly
I added the proxmox user to the acl using setfacl

I am still failing ;( What am I missing?

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_STANDALONE

# Global parameters
[global]
	log file = /var/log/samba/log.%m
	logging = file
	map to guest = Bad User
	max log size = 1000
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	server role = standalone server
	unix password sync = Yes
	idmap config * : backend = tdb
	vfs objects = acl_xattr

[proxmox-trx40]
	comment = Aiii
	inherit permissions = Yes
	path = /{redacted}/hypervisors/proxmox/trx40_1
	read only = No
	valid users = master proxmox

ls -l /{redacted}/
drwxrwx---+  3 root   root      3 Mar 24 18:04  hypervisors

getfacl hypervisors
# file: hypervisors
# owner: root
# group: root
user::rwx
user:master:rwx
user:proxmox:rwx
group::rwx
mask::rwx
other::---

smbclient "\\\\{redacted}\\proxmox-trx40" -U proxmox
Enter WORKGROUP\proxmox's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>


On 11-04-2022 13:02, Rowland Penny via samba wrote:
> On Mon, 2022-04-11 at 12:30 +0200, maillists_samba--- via samba wrote:
>> How to allow the owner of a folder that is shared access to that
>> share?
>> 
>> I have;
>> 
>> Samba version 4.13.13-Debian
>> 
>> # testparm -s
>> Load smb config files from /etc/samba/smb.conf
>> Loaded services file OK.
>> Weak crypto is allowed
>> Server role: ROLE_STANDALONE
>> 
>> ----------
>> # Global parameters
>> [global]
>>          log file = /var/log/samba/log.%m
>>          logging = file
>>          map to guest = Bad User
>>          max log size = 1000
>>          obey pam restrictions = Yes
>>          pam password change = Yes
>>          panic action = /usr/share/samba/panic-action %d
>>          passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>          passwd program = /usr/bin/passwd %u
>>          server role = standalone server
>>          unix password sync = Yes
>>          usershare allow guests = Yes
>>          idmap config * : backend = tdb
>> 
>> [proxmox-trx40]
>>          comment = Aiii
>>          inherit permissions = Yes
>>          path = /{redacted}/hypervisors/proxmox/trx40_1
>>          read only = No
>>          valid users = proxmox
>> 
>> ----------
>> 
>> ls -l /{redacted}/
>> 
>> drwxrwx---+  3 proxmox proxmox    3 Mar 24 18:04  hypervisors
> 
> On the face of it, only 'proxmox' and members of the
'proxmox' group
> can enter the hypervisors directory, but notice the '+' on the end
of
> the permissions, this means that you have extended ACLs set. However
> you are missing a parameter in the smb.conf global section.
> 
> Add 'vfs objects = acl_xattr' to smb.conf, restart Samba and then
read
> up on 'setfacl' and 'getfacl'.
> 
> Rowland