Hello,

We are in the middle of testing debian squeeze 64 bits with samba 3.5.5 and are running into some questions:

1) Is this solution OK with windows 7 "out of the box" (ie no hacking/modifications to do on the pc) ? I have tested it seems so but I would like a confirmation.

2) Despite massive googling, I have not found a correct smb.conf configuration to change ACL statuses on shares (or even subfolders/files) via a windows based mmc (xp or vista). Yes, the IT people are not into SWAT or Webmin. It is stated possible. Are there any pointers or special issues I have missed with this version?

Thanks in advance,

Best Regards,
Sebastian Perkins
Systems Developer Engineer

On Tue, Sep 28, 2010 at 12:14 PM, <Sebastian.Perkins at swisscom.com> wrote:
> Hello,
>
> We are in the middle of testing debian squeeze 64 bits with samba 3.5.5 and are running into some questions:
>
> 1) Is this solution OK with windows 7 "out of the box" (ie no hacking/modifications to do on the pc) ? I have tested it seems so but I would like a confirmation.

You still need the registry change from here:
http://wiki.samba.org/index.php/Windows7

> 2) Despite massive googling, I have not found a correct smb.conf configuration to change ACL statuses on shares (or even subfolders/files) via a windows based mmc (xp or vista). Yes, the IT people are not into SWAT or Webmin. It is stated possible. Are there any pointers or special issues I have missed with this version?

You need idmap to work for acls to even begin to work as you expect. You also need either acls enabled in the host filesystem and / or use the acl_xattr module.

John

>> On Tue, Sep 28, 2010 at 12:14 PM, <Sebastian.Perkins at swisscom.com> wrote:
>>> Hello,
>>>
>>> We are in the middle of testing debian squeeze 64 bits with samba 3.5.5 and are running into some questions:
>>>
>>> 1) Is this solution OK with windows 7 "out of the box" (ie no hacking/modifications to do on the pc) ? I have tested it seems so but I would like a confirmation.
>>
>> You still need the registry change from here:
>> http://wiki.samba.org/index.php/Windows7

We are using security=user to challenge local passwords and not a domain (maybe later...).

>>> 2) Despite massive googling, I have not found a correct smb.conf configuration to change ACL statuses on shares (or even subfolders/files) via a windows based mmc (xp or vista). Yes, the IT people are not into SWAT or Webmin. It is stated possible. Are there any pointers or special issues I have missed with this version?
>>
>> You need idmap to work for acls to even begin to work as you expect.
>> You also need either acls enabled in the host filesystem and / or use the acl_xattr module.

Testbed is using xfs so what I understand is that acls are already embedded. Later we will use nfs shares, at this time in v3 which must be updated to v4 for acls.

Do I still need idmap in this situation ? The doc seems quite domain oriented with this sort of config.

My goal is to permit acl based on the local unix users (just created by useradd and smbpasswd -a).

Sebastian

>> John

ensure that

    nt acl support = yes
    dos filemode = yes

for a given share in smb.conf

and for mmc access assign SeDiskOperatorPrivilege to the samba users

    /usr/local/samba/bin/net sam rights grant "samba username" SeDiskOperatorPrivilege

if it is in domain

    /usr/local/samba/bin/net sam rights grant domain\\username SeDiskOperatorPrivilege

Hope this helps
-Suresh

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Sebastian.Perkins at swisscom.com
Sent: Wednesday, September 29, 2010 2:01 PM
To: drescherjm at gmail.com
Cc: samba at lists.samba.org
Subject: Re: [Samba] samba 3.5.5 and ACL mod

Thank you all for your feedback.

This is what I have done

Installed acl
Mounted xfs partition with acl option on /home

For the share I have:

    [testshare]
    path = /home/testshare
    nt acl support = yes
    dos filemode= yes
    writeable = yes
    valid users = boss,x,y,z
    admin users = boss
    inherit permissions = yes
    store dos attributes = yes
    map acl inherit = yes
    inherit permissions = yes
    store dos attributes = yes
    inherit acls = Yes
    ea support = yes

for each "useradd" there is a smbpasswd -a applied

    net sam rights grant "boss" SeDiskOperatorPrivilege

mmc... works !

Only one question remains, if I add a user to unix/samba it does not appear in the share acl even if I add it to "valid users".

I have to add the user to the share with

    setfacl -m u:newuser:r /home/testshare

And then change anything I need with mmc.

Is there a way around this ?

Best Regards,
Sebastian Perkins
Systems Developer Engineer

-----Original Message-----
From: suresh.kandukuru at emc.com [mailto:suresh.kandukuru at emc.com]
Sent: Wednesday, 29 September 2010 11:23
To: Perkins Sebastian, SH-SYS-GRP (EXT); drescherjm at gmail.com
Cc: samba at lists.samba.org
Subject: RE: [Samba] samba 3.5.5 and ACL mod

> Only one question remains, if I add a user to unix/samba it does not appear in the share acl even if I add it to "valid users".

I do not think that adding users to valid users will do that but if you set the acl in the posix filesystem it will show up. Well it shows up on my domain after I got idmap working.

> I have to add the user to the share with
>
> setfacl -m u:newuser:r /home/testshare
>
> And then change anything I need with mmc.
>
> Is there a way around this ?

I believe that is the correct way. And the valid users is more of a hack.

John

>> > Only one question remains, if I add a user to unix/samba it does not appear in the share acl even if I add it to "valid users".
>>
>> I do not think that adding users to valid users will do that but if you set the acl in the posix filesystem it will show up. Well it shows up on my domain after I got idmap working.

Actually they do not appear even in "valid users". I am using security=user based on unix accounts (no domain). Can I set the acl in the posix filesystem ?

>> > I have to add the user to the share with
>> >
>> > setfacl -m u:newuser:r /home/testshare
>> >
>> > And then change anything I need with mmc.
>> >
>> > Is there a way around this ?
>>
>> I believe that is the correct way. And the valid users is more of a hack.

That means a command line for each new user in the system, hmm.

>> John

Sebastian

On Wed, Sep 29, 2010 at 11:20 AM, <Sebastian.Perkins at swisscom.com> wrote:
>>> Only one question remains, if I add a user to unix/samba it does not appear in the share acl even if I add it to "valid users".
>>
>> I do not think that adding users to valid users will do that but if you set the acl in the posix filesystem it will show up. Well it shows up on my domain after I got idmap working.
>
> Actually they do not appear even in "valid users". I am using security=user based on unix accounts (no domain). Can I set the acl in the posix filesystem ?
>
>>> I have to add the user to the share with
>>>
>>> setfacl -m u:newuser:r /home/testshare
>>>
>>> And then change anything I need with mmc.
>>>
>>> Is there a way around this ?
>>
>> I believe that is the correct way. And the valid users is more of a hack.
>
> That means a command line for each new user in the system, hmm.

Why not put the users in some group?

--
John M. Drescher
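
The group approach suggested in the last reply, sketched as an added example that is not part of the thread: one group entry in the access ACL and one in the default ACL of the share directory, so a new user only needs a group membership. The group name smbshare and the rwx permission are assumptions; /home/testshare and the users x, y, z come from the share definition posted earlier.

```shell
#!/bin/sh
# Added example: print (for review) the commands that move a share from
# per-user ACL entries to a single Unix group. Nothing is executed here.

# valid_name NAME: accept only conservative account/group names so nothing
# unexpected ends up inside a command line that will later run as root.
valid_name() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# plan_group_acl GROUP DIR USER...: emit one command per line.
plan_group_acl() {
    group=$1 dir=$2
    shift 2
    valid_name "$group" || { echo "bad group name: $group" >&2; return 1; }
    case "$dir" in
        ''|[!/]*|*[!A-Za-z0-9/._-]*)
            echo "need a plain absolute path: $dir" >&2; return 1 ;;
    esac
    # Validate every user before printing anything, so a bad name
    # never leaves a half-complete plan on stdout.
    for u in "$@"; do
        valid_name "$u" || { echo "bad user name: $u" >&2; return 1; }
    done
    echo "groupadd -f $group"
    # Access ACL: what group members may do in the directory itself.
    # rwx is an assumption; the thread granted r to a single user.
    echo "setfacl -m g:$group:rwx $dir"
    # Default ACL: inherited by files and directories created later.
    echo "setfacl -d -m g:$group:rwx $dir"
    for u in "$@"; do
        # -a appends; without it, usermod -G replaces the user's other groups.
        echo "usermod -a -G $group $u"
    done
}

# Constructed invocation using the share path and users from the thread.
plan_group_acl smbshare /home/testshare x y z
```

Review the printed commands, then run them as root. A user's new group membership applies to SMB sessions opened after the change.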