Mark Foley
2023-Dec-18 01:16 UTC
[Samba] Samba share not quite working on Domain Controller
on Sun Dec 17 12:15:28 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:> > On Sun, 17 Dec 2023 11:50:18 -0500 > Mark Foley via samba <samba at lists.samba.org> wrote: > > > > Spindles7, Thanks. my cloning the permissions from sysvol was > > temporary ... just in case, and to verify I could open Users > > > Properties > Security. I did set the actual Security to what you > > have listed using notes from my previous DC setup. I didn't put > > those step into my post; as I mentioned, the story wasn't finished > > with that message. > > > > The wiki > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > talks about Shares generally, but doesn't specifically mention > > 'Redirected Folders'. Maybe that wiki is sufficient; I didn't examine > > in detail. > > Possibly because there is a separate page for Redirected Folders: > > https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_RedirectionsGreat! Thanks. I've made a note of this and will review.> > > > One thing I'm wondering about, that wiki has instructions to "Enable > > Extended ACL Support on a Unix domain member" as follows: > > > > "Ideally you have a system that supports NFS4 ACLs. The following > > example is for systems like Linux, where you don't have those kind of > > ACLs. To configure shares using extended access control lists (ACL) > > on a Unix domain member, you must enable the support in the smb.conf > > file. To enable extended ACL support globally, add the following > > settings to the [global] section of your smb.conf file:" > > > > I do have a "system that supports NFS4 ACLs" > > What filesystem is that ?ext4: # tune2fs -l /dev/sda3 | grep attr Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum Default mount options: user_xattr acl I believe this means I'm good with NFS4 ACLs. If not, please advise. Doing 'getfacl /redirectedFolders/Users/' does seem to give me the "User > Properties > Security" settings I've set up.> As far as I am aware, it is only freebsd and freebsd based distros that > have NFS4 acls as standard. > > >so I suppose that means > > I don't have to add the listed settings to smb.conf? The instruction > > say, "To configure shares using ... (ACL) on a Unix domain member, > > you must enable the support in the smb.conf file." I'm assuming that > > "MUST" admonition applies only if you don't have a system that > > supports NFS4 ACLs (but could the Linux system even work at all > > without this support?). > > If you run Samba as a Unix domain member on Linux, then, unless someone > can point out the filesystem with NFS4 ACLS, you need vfs_acl_xattr > > > > > Also, if one were to add these lines to smb.conf, would that be to > > the domain member, domain controller, both? My guess would be to the > > domain member only. > > It is built into a DC, so only a Unix domain member. > > RowlandCool, so if my Linux/Slackware file system have xattr, I'm good, right?
Rowland Penny
2023-Dec-18 08:22 UTC
[Samba] Samba share not quite working on Domain Controller
On Sun, 17 Dec 2023 20:16:23 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:> on Sun Dec 17 12:15:28 2023 Rowland Penny via samba > <samba at lists.samba.org> wrote: > > > > On Sun, 17 Dec 2023 11:50:18 -0500 > > Mark Foley via samba <samba at lists.samba.org> wrote: > > > > > > Spindles7, Thanks. my cloning the permissions from sysvol was > > > temporary ... just in case, and to verify I could open Users > > > > Properties > Security. I did set the actual Security to what you > > > have listed using notes from my previous DC setup. I didn't put > > > those step into my post; as I mentioned, the story wasn't finished > > > with that message. > > > > > > The wiki > > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > > talks about Shares generally, but doesn't specifically mention > > > 'Redirected Folders'. Maybe that wiki is sufficient; I didn't > > > examine in detail. > > > > Possibly because there is a separate page for Redirected Folders: > > > > https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections > > Great! Thanks. I've made a note of this and will review. > > > > > > > One thing I'm wondering about, that wiki has instructions to > > > "Enable Extended ACL Support on a Unix domain member" as follows: > > > > > > "Ideally you have a system that supports NFS4 ACLs. The > > > following example is for systems like Linux, where you don't have > > > those kind of ACLs. To configure shares using extended access > > > control lists (ACL) on a Unix domain member, you must enable the > > > support in the smb.conf file. To enable extended ACL support > > > globally, add the following settings to the [global] section of > > > your smb.conf file:" > > > > > > I do have a "system that supports NFS4 ACLs" > > > > What filesystem is that ? > > ext4: > > # tune2fs -l /dev/sda3 | grep attr > Filesystem features: has_journal ext_attr resize_inode dir_index > filetype needs_recovery extent 64bit flex_bg sparse_super large_file > huge_file dir_nlink extra_isize metadata_csum Default mount options: > user_xattr acl > > I believe this means I'm good with NFS4 ACLs. If not, please advise. > Doing 'getfacl /redirectedFolders/Users/' does seem to give me the > "User > Properties > Security" settings I've set up. > > > As far as I am aware, it is only freebsd and freebsd based distros > > that have NFS4 acls as standard. > > > > >so I suppose that means > > > I don't have to add the listed settings to smb.conf? The > > > instruction say, "To configure shares using ... (ACL) on a Unix > > > domain member, you must enable the support in the smb.conf file." > > > I'm assuming that "MUST" admonition applies only if you don't > > > have a system that supports NFS4 ACLs (but could the Linux system > > > even work at all without this support?). > > > > If you run Samba as a Unix domain member on Linux, then, unless > > someone can point out the filesystem with NFS4 ACLS, you need > > vfs_acl_xattr > > > > > > > > Also, if one were to add these lines to smb.conf, would that be to > > > the domain member, domain controller, both? My guess would be to > > > the domain member only. > > > > It is built into a DC, so only a Unix domain member. > > > > Rowland > > Cool, so if my Linux/Slackware file system have xattr, I'm good, > right? > >If, on an ext4 filesystem, you add 'vfs objects = acl_xattr' to your smb.conf, then Samba will use EA's to store the extended attributes. These extended attributes are not NFS4 ACLS and they are used by default on Samba AD DCs, so please do not add the 'vfs objects' line to a DC without ensuring it lists both of the default options. Rowland