Another question referring to a Samba domain member file server.

The file system is ext4 on an Ubuntu 20.04.

I would like to use Windows ACLs so my windows users can change permissions on directories/files, but we also use linux data processing systems, so the permissions (beyond POSIX basic) need to work there, too.

I think this means I'm stuck using POSIX extended ACLs, with Windows users not being able to change permissions. Just want to make sure I understand all the possibilities:

Currently the linux systems access files through NFS mounts, so no hope of Windows ACLs working there, but if I were to bind the linux machines to the domain and do the mounts through SMB, would the linux systems respect the Windows ACL authorizations because permission is determined by the Samba file server? Understood that I would lose the ability to edit ACLs from linux, but the linux users are really Windows users working on a linux system because that's where the software is and they have no idea how to edit permissions there anyway.

Beyond this, if I'm working directly on the Samba file server, are there command line tools available for editing Windows ACLs, or is this sufficiently complicated that only a GUI will do?

The conjunction of linux and windows access control is a terrible mess, as already discussed, but the world doesn't stop moving as a result, so we will continue to cobble together bastardized arrangements that mostly work. I'm at the Build a Frankenstein shop now...

On Tue, Nov 02, 2021 at 04:49:01AM -0500, Patrick Goetz via samba wrote:
> Another question referring to a Samba domain member file server.
>
> The file system is ext4 on an Ubuntu 20.04.
>
> I would like to use Windows ACLs so my windows users can change
> permissions on directories/files, but we also use linux data
> processing systems, so the permissions (beyond POSIX basic) need to
> work there, too.
>
> I think this means I'm stuck using POSIX extended ACLs, with Windows
> users not being able to change permissions. Just want to make sure I
> understand all the possibilities:

No, Samba will map Windows permission in a best-effort case to POSIX ACLs. It can also keep a copy of the pristine Windows ACL in an EA associated with the file so access via Windows clients is mediated by the same Windows ACL algorithm used on a Windows server.

> Currently the linux systems access files through NFS mounts, so no
> hope of Windows ACLs working there, but if I were to bind the linux
> machines to the domain and do the mounts through SMB, would the linux
> systems respect the Windows ACL authorizations because permission is
> determined by the Samba file server?

Yes. Samba obeys the pristine Windows ACLs before delegating to the underlying filesystem - i.e. if a Windows ACL says deny, we deny. If a Windows ACL says "allow", we are still bound by the underlying POSIX ACL mapping on ext4 so it's possible you may get a mismatch and a "deny" when the Windows ACL would expect "allow".

But this is failing safe, not failing open, which is what you want.

> Understood that I would lose the
> ability to edit ACLs from linux, but the linux users are really
> Windows users working on a linux system because that's where the
> software is and they have no idea how to edit permissions there
> anyway.

Linux users can use the smbcacls binary to edit Windows ACLs on a remote server.

> Beyond this, if I'm working directly on the Samba file server, are
> there command line tools available for editing Windows ACLs, or is
> this sufficiently complicated that only a GUI will do?

smbcacls.

> The conjunction of linux and windows access control is a terrible
> mess, as already discussed, but the world doesn't stop moving as a
> result, so we will continue to cobble together bastardized
> arrangements that mostly work. I'm at the Build a Frankenstein shop
> now...

"Puttin' on the Ritz!": https://www.youtube.com/watch?v=ab7NyKw0VYQ

Hello! Patrick Goetz via samba
  On that day it was said...

I'm using POSIX ACLs and, as Jeremy says, permissions work; I've only coded some scripts to 'sanitize' permissions to prevent bad behaviour (e.g., in 'ugo' permissions 'g' is also the default mask for applying ACLs, so you have to set the mask explicitly or set 'g' to '7').

Only a note:

> Currently the linux systems access files through NFS mounts, so no hope

But consider also that NFSv3 can manage only a limited amount of POSIX ACLs (the protocol has limited 'room' for ACLs, so if you set a very complex ACL on some object, you could have a 'truncated' ACL on an NFS-mounted share). You can switch to NFSv4, but its ACLs are a different thing (though still supported by Samba). Currently I'm using CIFS also on UNIX...

--
  The number of UNIX installations has grown to 10, with more expected.
	(_The UNIX Programmer's Manual_, Second Edition, June 1972)
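
Added example, not part of the thread: a small audit for the mask behaviour noted in the message above, where the group bits double as the ACL mask. It parses `getfacl` text output and reports entries whose rights the mask removes; the sample output, path and names are constructed.

```python
import re

# Constructed sample: `getfacl` output for a directory after `chmod 750`,
# which rewrote the mask (the "group" bits shown by `ls -l`) to r-x.
SAMPLE = """\
# file: projects/data
# owner: root
# group: staff
user::rwx
user:alice:rwx          #effective:r-x
group::r-x
group:analysts:rwx      #effective:r-x
mask::r-x
other::---
"""

ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])")

def parse_getfacl(text):
    """Return (entries, mask); entries is a list of (tag, qualifier, perms)."""
    entries, mask = [], None
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # "# file:" style comment lines and blanks
        tag, qual, perms = m.group(1), m.group(2), set(m.group(3)) - {"-"}
        if tag == "mask":
            mask = perms
        else:
            entries.append((tag, qual, perms))
    return entries, mask

def masked_entries(text):
    """List (entry, lost_rights) for entries cut down by the mask.

    In POSIX ACLs the mask limits named users, the owning group and
    named groups; the owning user (user::) and other:: are never masked.
    """
    entries, mask = parse_getfacl(text)
    if mask is None:
        return []  # no extended ACL present, nothing is masked
    found = []
    for tag, qual, perms in entries:
        if tag == "other" or (tag == "user" and qual == ""):
            continue
        lost = perms - mask
        if lost:
            found.append((f"{tag}:{qual}", "".join(sorted(lost))))
    return found
```

Feeding it the output of `getfacl -R` on a share shows which named users or groups lost rights after a plain `chmod`.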

Why don't you use pam-mount for the Linux clients? If they are in the domain it works fine, and you won't have problems with the permissions.

On 02.11.21 at 10:49, Patrick Goetz via samba wrote:
>
> Another question referring to a Samba domain member file server.
>
> The file system is ext4 on an Ubuntu 20.04.
>
> I would like to use Windows ACLs so my windows users can change
> permissions on directories/files, but we also use linux data processing
> systems, so the permissions (beyond POSIX basic) need to work there, too.
>
> I think this means I'm stuck using POSIX extended ACLs, with Windows
> users not being able to change permissions. Just want to make sure I
> understand all the possibilities:
>
> Currently the linux systems access files through NFS mounts, so no hope
> of Windows ACLs working there, but if I were to bind the linux machines
> to the domain and do the mounts through SMB, would the linux systems
> respect the Windows ACL authorizations because permission is determined
> by the Samba file server? Understood that I would lose the ability to
> edit ACLs from linux, but the linux users are really Windows users
> working on a linux system because that's where the software is and they
> have no idea how to edit permissions there anyway.
>
> Beyond this, if I'm working directly on the Samba file server, are there
> command line tools available for editing Windows ACLs, or is this
> sufficiently complicated that only a GUI will do?
>
> The conjunction of linux and windows access control is a terrible mess,
> as already discussed, but the world doesn't stop moving as a result, so
> we will continue to cobble together bastardized arrangements that mostly
> work. I'm at the Build a Frankenstein shop now...
>
>

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html