I'm having trouble with ACL's and wonder how many others are too. I see conflicting answers and comments about different aspects of ACL's from many people on the list. I was wondering if ANYONE is successfully using ACL's with Samba 3.0 or above.

Questions I have that I'm sure many are asking are:

Was your Samba server configured as the DC?

What client OS were you setting ACL's on the Samba Share with? (Win2000, XP) What service pack (SP4 on Win2000???)

Did you have to have the ACL kernel patch?

Did you need "nt acl support = yes" in each share definition?

How did you set up your shares? (Working share Examples are good)

Did you have to use the "server Tools" downloaded from Microsoft or could you simply right click on a file/folder and change the security ACL's?

How are you verifying the ACL's actually work? Did you fully test any ACL you set through Windows by actually trying to make a user access a file to see that his access matched the ACL you set?

What was the scope of what you could really do with ACL's?

What didn't work with ACL's that you thought should?

Are you comparing the windows ACL's to the output of getfacl?

Could you use ACL's to add users to Samba printers?

How did you add Samba printers as Domain resources so you could add ACL's to them? Or did you need to do this?

Did you have to do any setfacl commands in Linux?

Did you have to run winbind?

Did you have to do any "net groupmap" commands to make ACL's work?

I.E. net groupmap modify ntgroup="Domain Admins" unixgroup=root

Were there any commands/configurations you had to use to make ACL's work that were not covered in the 3.0 HowTo?

I think we could use some real world working examples here. Please be VERY explicit and complete with concrete examples. Assume those reading your answers are NOT experts! If you see any missing questions that you think might be useful to using ACL's, please add them!

regards
Doug P

Douglas Phillipson wrote on Thursday, 30 October 2003 9:14 a.m.:

> I'm having trouble with ACL's and wonder how many others are too. I
> see conflicting answers and comments about different aspects of ACL's
> from many people on the list. I was wondering if ANYONE is
> successfully using ACL's with Samba 3.0 or above.

Yes, we are. Our Red Hat 9 based Samba server is acting as a general purpose file server for a Windows 2000 Active Directory domain.

> Was your Samba server configured as the DC?

No, our DC is running Windows 2000 Server SP3.

> What client OS were you setting ACL's on the Samba Share with?
> (Win2000, XP) What service pack (SP4 on Win2000???)

Windows 2000 Server SP3.

> Did you have to have the ACL kernel patch?

Yes, if you wish to use ACLs on ext2/ext3. XFS is supposed to have support already, though I have not tried it so I really don't know for sure.

> Did you need "nt acl support = yes" in each share definition?

No. This option defaults to yes anyway, so you should not need to specify it at all.

> How did you setup your shares? (Working share Examples are good)

Here's an example:

    [media]
        comment = Media files
        path = /mnt/media
        public = yes
        writable = yes
        create mask = 0774
        directory mask = 0774
        inherit acls = yes
        admin users = Administrator

You need "winbind use default domain = yes" set in your smb.conf for the "admin users" option to work as specified above. Note that the exact options you use are highly dependent on what you want to use the share for. I would strongly recommend you read the relevant parts of the Samba 3 Howto collection, as well as the share options documentation in the smb.conf manpage.

> Did you have to use the "server Tools" downloaded from microsoft or
> could you simply right click on a file/folder and change the security
> ACL's?

You can just use the normal permission editing (right click...Properties).

> How are you verifying the ACL's actually work? Did you fully test any
> ACL you set through Windows by actually trying to make a user access a
> file to see that his access matched the ACL you set.

Yes, they do work.

> What didn't work with ACL's that you thought should?

Well, Samba can only provide to Windows what is available through POSIX standard ACLs, which means read, write, execute access bits for the owner, the group, and all others (the latter represented by "Everyone" in Windows), plus the same for each ACE. The extended permission types provided by Windows are not fully supported and this can't really be fixed at this time, because there is no equivalent functionality in Unix. In addition, Samba has to fit the normal DOS attributes into the Unix permissions as well, so you may see odd things happening at the Windows end. It does work, but the sooner you understand these two limitations, the better you will understand what is going on when you try to set permissions from Windows.

Nested groups do not work. If domain user X is a member of domain group A, and A is a member of domain group B, X will not be seen as a member of B by Samba even though they will be by Windows.

> Are you comparing the windows ACL's to the output of getfacl?

Yes, they are the same, once you understand how the mapping works.

> Could you use ACL's to add users to Samba printers?
>
> How did you add Samba printers as Domain resources so you could add
> ACL's to them? Or did you need to do this?

No idea, I have not tried either.

> Did you have to do any setfacl commands in Linux?

No.

> Did you have to run winbind?

Yes.

> Did you have to do any "net groupmap" commands to make ACL's work?

No.

> Were there any commands/configurations you had to use to make ACL's
> work that were not covered in the 3.0 HowTo?

Not that I'm aware of, although it does not discuss enabling ACLs in the file system last time I checked (I suspect because this is Linux specific).

BTW I have written an unofficial Samba+ACL Howto of sorts which may make things a little clearer. If you have any suggestions for that Howto (which is a little out of date, I admit) please let me know.

http://www.bluelightning.org/linux/samba_acl_howto

Cheers,
Paul

On Wed, 29 Oct 2003, Douglas Phillipson wrote:

> I'm having trouble with ACL's and wonder how many others are too. I see
> conflicting answers and comments about different aspects of ACL's from
> many people on the list. I was wondering if ANYONE is successfully
> using ACL's with Samba 3.0 or above.

Yes. I am successfully setting ACLs with Samba-3.0.0. I have the ACLs patch in my kernel so that I can set ACLs on Linux files. Setting ACLs on Shares does NOT AT ALL use kernel ACLs.

> Were there any commands/configurations you had to use to make ACL's work
> that were not covered in the 3.0 HowTo?
>
> I think we could use some real world working examples here. Please be
> VERY explicit and complete with concrete examples. Assume those reading
> your answers are NOT experts! If you see any missing questions that you
> think might be useful to using ACL's, please add them!

Please explain to me what part of the Samba-HOWTO-Collection.pdf, chapter 12 you cannot understand. Precisely what is the problem - I want to fix it. I totally believe you that this chapter is not clear enough.

What is not working for you? I do not understand what we are missing. I want to help you. Please give us detailed, step-by-step instructions for how to reproduce your problem.

- John T.
-- 
John H Terpstra
Email: jht@samba.org

Hello all

I have had some dubious experiences using the ACL features of Samba 3.0.0. At present I have rolled-back our production servers to 2.2.8a (--with-acl ) but I hope that they will be ironed-out by 3.0.1 and I can upgrade again.

The problems manifested themselves in two client applications, CVS and Quickbooks, although there was only 24'ish hours of live use before the decision was made to roll-back.

The CVS problem went thus.

CVS repositories held on an ext3+acl partition, access by samba with "force-user=someuser" and "valid users=@somegroup"
CVS working directories held on [homes] share

When performing a "cvs edit" or "cvs unedit" the permissions of the files were not being set to read-only correctly. It was possible to set these permissions using the standard Windows file property dialogs. Since much of our work uses CVS intensively, this would not do. This behaviour occurred whether or not oplocks were employed.

The Quickbooks problem was nasty but I think I could have got around it with options.

The kernel is 2.4.21 +ea+acl
The shares are exported via patched NFS for version 3 NFS clients only.

2.2.8a has plenty of quirks with ACL's enabled but I won't go into those now.

-- 
Ben Tullis
IT Manager

Hidiho!

A little bit late...

> I'm having trouble with ACL's and wonder how many others are too. I see
> conflicting answers and comments about different aspects of ACL's from
> many people on the list. I was wondering if ANYONE is successfully using
> ACL's with Samba 3.0 or above.

Yes, we use ACLs on our Debian based file server in our Win2k Active Directory Domain.

> Was your Samba server configured as the DC?

No, it's only a file server. The DC is running a Win2k Advanced Server with SP4.

> What client OS were you setting ACL's on the Samba Share with? (Win2000,
> XP)

Win2k, Linux

> What service pack (SP4 on Win2000???)

SP2, SP3 and SP4 on Win2k

> Did you have to have the ACL kernel patch?

We used the XFS kernel patch.

> Did you need "nt acl support = yes" in each share definition?

No

> How did you setup your shares? (Working share Examples are good)

    [software]
        comment = Software
        path = /mnt/software
        writable = yes
        guest = no

> Did you have to use the "server Tools" downloaded from microsoft or could
> you simply right click on a file/folder and change the security ACL's?

We tested the "server Tools" but they didn't work the way we expected. Explorer was also tested but meanwhile we don't use it anymore because it takes too much time. Now we prefer setfacl because we can write scripts and it's really fast.

> How are you verifying the ACL's actually work? Did you fully test any ACL
> you set through Windows by actually trying to make a user access a file to
> see that his access matched the ACL you set.

Yes, I have to test every ACL. First I verify by getfacl then users should test the ACLs.

> What didn't work with ACL's that you thought should?

The "Trace folder/execute files" didn't work the way I expected. It takes two steps to make them work (a click on the "List folder"-permission also activates the read-permission. You have to change this by hand in the advanced-section).

Nested groups still don't work.

We have a lot of troubles with the group mapping. Sometimes users aren't mapped in groups - it makes no difference if the group is a newly created or existing one (we already filed a bug report).

> Are you comparing the windows ACL's to the output of getfacl?

Yes

> Could you use ACL's to add users to Samba printers?

I don't know - we never tried.

> Did you have to do any setfacl commands in Linux?

Yes, because we had some "others"-permissions which shouldn't be there.

> Did you have to run winbind?

Yes

> Did you have to do any "net groupmap" commands to make ACL's work?
>
> I.E. net groupmap modify ntgroup="Domain Admins" unixgroup=root

No

> Were there any commands/configurations you had to use to make ACL's work
> that were not covered in the 3.0 HowTo?

No.

> If you see any missing questions that you think
> might be useful to using ACL's, please add them!

How about some examples in the HowTos? You have to go to acl.bestbits.at to get some real examples.

It would be nice to have an overview of which win2k-permissions work and which do not (in a spreadsheet). Maybe with two columns: the first shows the (advanced) windows permission and in the second column there just stands a "w" (yeah, it "works"), a "dw" (sorry, but it "doesn't work") or an "a" (yes it works, but maybe not the way you'll expect and you'll need a "workAround")

hth
Phil
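
Added example, not part of the original thread and not code from any poster or from Samba: two replies above verify ACLs set from Windows by reading getfacl output, and one had to remove "others" permissions that should not have been there. The script below parses getfacl output, applies the POSIX mask to get the rights each entry really grants, and lists files where "other" has any access. The function names and the sample data are assumptions made up for this example.

```sh
# Reads getfacl output on stdin; prints "file<TAB>entry<TAB>effective rights".
acl_effective() {
    awk '
    function flush(   i, k, p) {
        for (i = 1; i <= cnt; i++) {
            split(ent[i], f, ":")          # f[1]=tag, f[2]=name, f[3]=perms
            p = f[3]
            # The mask caps named users, owning group and named groups only.
            if (mask != "" && (f[1] == "group" || (f[1] == "user" && f[2] != "")))
                for (k = 1; k <= 3; k++)
                    if (substr(mask, k, 1) == "-")
                        p = substr(p, 1, k - 1) "-" substr(p, k + 1)
            print file "\t" f[1] ":" f[2] "\t" p
        }
        cnt = 0; mask = ""
    }
    /^# file: /  { flush(); file = substr($0, 9); next }
    /^#/ || /^$/ { next }
    /^default:/  { next }                  # directory defaults grant nothing
    /^mask::/    { mask = substr($0, 7, 3); next }
    { sub(/[ \t]*#.*/, ""); ent[++cnt] = $0 }
    END { flush() }
    '
}

# Files where "other" (anyone not matched by another entry) has any right.
acl_other_access() {
    acl_effective | awk -F '\t' '$2 == "other:" && $3 != "---" { print $1 }'
}

# Constructed sample in getfacl output format (names and files are made up).
sample_getfacl() {
    cat <<'EOF'
# file: mnt/media/clip.avi
user::rwx
user:anna:rwx
group::rwx
group:editors:rw-
mask::r-x
other::r--

# file: mnt/media/private.doc
user::rw-
group::r--
other::---
EOF
}

sample_getfacl | acl_effective
```

On a real server the same functions can be fed from `getfacl -R /mnt/media`; an "other" entry with rights means every account the server accepts can use the file regardless of the named entries.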