Mark Foley
2023-Dec-20 20:48 UTC
[Samba] Samba share not quite working on Domain Controller
On Dec 18 03:22:32 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sun, 17 Dec 2023 20:16:23 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > on Sun Dec 17 12:15:28 2023 Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sun, 17 Dec 2023 11:50:18 -0500
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > >
> > > > [deleted]
> > > >
> > > > One thing I'm wondering about, that wiki has instructions to
> > > > "Enable Extended ACL Support on a Unix domain member" as follows:
> > > >
> > > > "Ideally you have a system that supports NFS4 ACLs. The
> > > > following example is for systems like Linux, where you don't have
> > > > those kind of ACLs. To configure shares using extended access
> > > > control lists (ACL) on a Unix domain member, you must enable the
> > > > support in the smb.conf file. To enable extended ACL support
> > > > globally, add the following settings to the [global] section of
> > > > your smb.conf file:"
> > > >
> > > > I do have a "system that supports NFS4 ACLs"
> > >
> > > What filesystem is that ?
> >
> > ext4:
> >
> > # tune2fs -l /dev/sda3 | grep attr
> > Filesystem features: has_journal ext_attr resize_inode dir_index
> > filetype needs_recovery extent 64bit flex_bg sparse_super large_file
> > huge_file dir_nlink extra_isize metadata_csum
> > Default mount options: user_xattr acl
> >
> > I believe this means I'm good with NFS4 ACLs. If not, please advise.
> > Doing 'getfacl /redirectedFolders/Users/' does seem to give me the
> > "User > Properties > Security" settings I've set up.
> >
> > > As far as I am aware, it is only freebsd and freebsd based distros
> > > that have NFS4 acls as standard.
> > >
> > > >so I suppose that means
> > > > I don't have to add the listed settings to smb.conf? The
> > > > instruction say, "To configure shares using ... (ACL) on a Unix
> > > > domain member, you must enable the support in the smb.conf file."
> > > > I'm assuming that "MUST" admonition applies only if you don't
> > > > have a system that supports NFS4 ACLs (but could the Linux system
> > > > even work at all without this support?).
> > >
> > > If you run Samba as a Unix domain member on Linux, then, unless
> > > someone can point out the filesystem with NFS4 ACLS, you need
> > > vfs_acl_xattr
> > >
> > > >
> > > > Also, if one were to add these lines to smb.conf, would that be to
> > > > the domain member, domain controller, both? My guess would be to
> > > > the domain member only.
> > >
> > > It is built into a DC, so only a Unix domain member.
> > >
> > > Rowland
> >
> > Cool, so if my Linux/Slackware file system have xattr, I'm good,
> > right?
> >
>
> If, on an ext4 filesystem, you add 'vfs objects = acl_xattr' to your
> smb.conf, then Samba will use EA's to store the extended attributes.
> These extended attributes are not NFS4 ACLS and they are used by
> default on Samba AD DCs, so please do not add the 'vfs objects' line to
> a DC without ensuring it lists both of the default options.
>
> Rowland

I'm following up on this because I'm not sure I understand. tune2fs on the DC shows, ext_attr; Default mount options: user_xattr, acl, although fstab does not have 'acl' as an option.

So should I add to my DC smb.conf (per wiki https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)?

vfs objects = acl_xattr
map acl inherit = yes
# the next line is only required on Samba versions less than 4.9.0
store dos attributes = yes

From the preceding comments, I think this is NOT for the DC.

When I add a Linux domain member, I do/do-not need to add these to the domain member's smb.conf? What goes wrong if I don't? If I do add these lines, do I also have to add 'acl' as a fstab mount option?

Thanks --Mark
Rowland Penny
2023-Dec-20 21:32 UTC
[Samba] Samba share not quite working on Domain Controller
On Wed, 20 Dec 2023 15:48:43 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> I'm following up on this because I'm not sure I understand. tune2fs
> on the DC shows, ext_attr; Default mount options: user_xattr, acl,
> although fstab does not have 'acl' as an option.
>
> So should I add to my DC smb.conf (per
> wiki
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)?
>
> vfs objects = acl_xattr
> map acl inherit = yes
> # the next line is only required on Samba versions less than 4.9.0
> store dos attributes = yes
>
> From the preceding comments, I think this is NOT for the DC.

Well, if you read the big orange box under your wiki page extract, you will find this:

On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically enabled globally. You must not enable the support manually.

Also, your extract is under the heading:

Enable Extended ACL Support on a Unix domain member

So what do you think ???

>
> When I add a Linux domain member, I do/do-not need to add these to
> the domain member's smb.conf?

If you want to use extended ACLs, then you need to add them.

> What goes wrong if I don't?

You can only use the Unix standard acls (ugo).

> If I do add
> these lines, do I also have to add 'acl' as a fstab mount option?

No, 'acl' is one of the ext4 default options.

Rowland
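
The rules stated in this thread, as an added example that is not part of either message and is not Samba project code: a small smb.conf check that flags a DC whose manual 'vfs objects' line drops a default module, and a domain member that lacks the extended-ACL settings. It assumes the two DC defaults are dfs_samba4 and acl_xattr and that the DC declares itself with 'server role = active directory domain controller'; the function names and sample configurations are constructed for illustration.

```python
import re

# Assumption: the two VFS modules a Samba AD DC loads by default.
DC_DEFAULT_VFS = {"dfs_samba4", "acl_xattr"}
DC_ROLE = "active directory domain controller"

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lower-cased and spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def check_acl_settings(text):
    """List findings for the extended-ACL settings discussed in the thread."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    is_dc = glob.get("server role", "").lower() == DC_ROLE
    findings = []
    for name, params in conf.items():
        vfs = params.get("vfs objects")
        if is_dc and vfs is not None:
            # A manual 'vfs objects' replaces the DC defaults, so it must list both.
            missing = sorted(DC_DEFAULT_VFS - set(vfs.split()))
            if missing:
                findings.append(f"[{name}] DC: vfs objects omits {missing}")
        elif not is_dc and name != "global":
            # A share-level value replaces the [global] one.
            effective = vfs if vfs is not None else glob.get("vfs objects", "")
            if "acl_xattr" not in effective.split():
                findings.append(f"[{name}] member: no acl_xattr, Unix ugo only")
    if not is_dc and glob.get("map acl inherit", "no").lower() not in ("yes", "true", "1"):
        findings.append("[global] member: map acl inherit is not enabled")
    return findings

# Constructed sample configurations (not taken from the thread).
DC_CONF = "[global]\nserver role = active directory domain controller\nvfs objects = acl_xattr\n"
MEMBER_BARE = "[global]\nserver role = member server\n[users]\npath = /redirectedFolders/Users\n"
MEMBER_OK = ("[global]\nserver role = member server\nvfs objects = acl_xattr\n"
             "map acl inherit = yes\n[users]\npath = /redirectedFolders/Users\n")
```

Calling check_acl_settings(DC_CONF) reports the dropped dfs_samba4 module, and check_acl_settings(MEMBER_BARE) reports the share that falls back to Unix ugo permissions.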