Mgr. Peter Tuharsky
2015-Mar-10 07:16 UTC
[Samba] Linux fs ACL ignored for Samba4 share in Windows?
Hm, it is quite large. I will snip all comments out and all shares that are not interesting

smb.conf:

[global]
workgroup = ldap1.sk
server string = server %L
wins support = no
dns proxy = no
netbios aliases = datastore dokumenty iss pravo prenos matriky
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
log level = 2
security = domain
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
map to guest = bad user
domain logons = no
domain master = auto
local master = no
usershare allow guests = no

include = /etc/samba/smb-global.conf
include = /etc/samba/smb-datastore.conf

smb-global.conf:

[global]
dos charset = 852
unix charset = UTF8
dos filetimes = yes
browseable = no
guest ok = no
public = no
writable = yes
unix extensions = no
follow symlinks = yes

smb-datastore.conf:

[iss_num]
path = /mnt/data_raid/iss_num
comment = Projekt ISS_NUM
locking = yes
default case = lower
preserve case = no

On 09.03.2015 at 10:49, Rowland Penny wrote:
> On 09/03/15 09:21, Mgr. Peter Tuharsky wrote:
>> Hallo,
>>
>> we have Samba 3 domain w/LDAP backend. Recently we have set up Samba
>> 4.1.7 fileserver, a member of the domain, as a first step of full
>> migration to Samba 4.
>>
>> Now, we have problem with file ACL on the Samba4 fileserver. Linux ext4
>> fs has 777 ACLs for the file. Why does it look like in Windows (both XP
>> and 2k8r2) that "Everyone" has not write permission?
>>
>> Sincerely
>> Peter
>>
>
> Hi, any chance you can post the smb.conf from the samba 4.1.7
> fileserver ?
>
> Rowland
>
Rowland Penny
2015-Mar-10 09:37 UTC
[Samba] Linux fs ACL ignored for Samba4 share in Windows?
On 10/03/15 07:16, Mgr. Peter Tuharsky wrote:
> Hm, it is quite large. I will snip all comments out and all shares that
> are not interesting
>
> smb.conf:
>
> [global]
>
> workgroup = ldap1.sk
> server string = server %L
> wins support = no
> dns proxy = no
> netbios aliases = datastore dokumenty iss pravo prenos matriky
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> log level = 2
> security = domain
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = no
> unix password sync = no
> map to guest = bad user
> domain logons = no
> domain master = auto
> local master = no
> usershare allow guests = no
>
>
> include = /etc/samba/smb-global.conf
> include = /etc/samba/smb-datastore.conf
>
>
> smb-global.conf:
> [global]
>
> dos charset = 852
> unix charset = UTF8
> dos filetimes = yes
> browseable = no
> guest ok = no
> public = no
> writable = yes
> unix extensions = no
> follow symlinks = yes
>
> smb-datastore.conf:
>
> [iss_num]
> path = /mnt/data_raid/iss_num
> comment = Projekt ISS_NUM
> locking = yes
> default case = lower
> preserve case = no
>
> On 09.03.2015 at 10:49, Rowland Penny wrote:
>> On 09/03/15 09:21, Mgr. Peter Tuharsky wrote:
>>> Hallo,
>>>
>>> we have Samba 3 domain w/LDAP backend. Recently we have set up Samba
>>> 4.1.7 fileserver, a member of the domain, as a first step of full
>>> migration to Samba 4.
>>>
>>> Now, we have problem with file ACL on the Samba4 fileserver. Linux ext4
>>> fs has 777 ACLs for the file. Why does it look like in Windows (both XP
>>> and 2k8r2) that "Everyone" has not write permission?
>>>
>>> Sincerely
>>> Peter
>>>
>> Hi, any chance you can post the smb.conf from the samba 4.1.7
>> fileserver ?
>>
>> Rowland
>>

OK, after I removed the default settings, I ended up with this:

[global]
workgroup = ldap1.sk
server string = server %L
dns proxy = no
netbios aliases = datastore dokumenty iss pravo prenos matriky
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
log level = 2
security = domain
map to guest = bad user
local master = no
dos charset = 852
browseable = no
writable = yes
unix extensions = no

[iss_num]
path = /mnt/data_raid/iss_num
comment = Projekt ISS_NUM
locking = yes
preserve case = no

Everything looks ok, provided the machine has been joined to the domain. I personally wouldn't use a dot in the workgroup name, but I don't think this is your problem. What I think is happening, is that you are mixing up Unix and Windows ACLs, what does 'ls -la /mnt/data_raid/iss_num' show, is there a '+' sign at the end of the ACL? i.e. is it 'rwxrwxrwx' or 'rwxrwxrwx+'

Rowland
Mgr. Peter Tuharsky
2015-Mar-10 09:51 UTC
[Samba] Linux fs ACL ignored for Samba4 share in Windows?
This command lists all directories in iss_num. However the . (iss_num itself) has
drwxrwxr-x

Now for the incriminating file example that shows abnormal ACL in Windows: the file resides in iss_num/am/uz and has
-rwxrwxrwx

So there is no + in listing for share directory nor for files in the directory structure.

Peter

On 10.03.2015 at 10:37, Rowland Penny wrote:
> On 10/03/15 07:16, Mgr. Peter Tuharsky wrote:
>> Hm, it is quite large. I will snip all comments out and all shares that
>> are not interesting
>>
>> smb.conf:
>>
>> [global]
>>
>> workgroup = ldap1.sk
>> server string = server %L
>> wins support = no
>> dns proxy = no
>> netbios aliases = datastore dokumenty iss pravo prenos matriky
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>> log level = 2
>> security = domain
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = no
>> unix password sync = no
>> map to guest = bad user
>> domain logons = no
>> domain master = auto
>> local master = no
>> usershare allow guests = no
>>
>>
>> include = /etc/samba/smb-global.conf
>> include = /etc/samba/smb-datastore.conf
>>
>>
>> smb-global.conf:
>> [global]
>>
>> dos charset = 852
>> unix charset = UTF8
>> dos filetimes = yes
>> browseable = no
>> guest ok = no
>> public = no
>> writable = yes
>> unix extensions = no
>> follow symlinks = yes
>>
>> smb-datastore.conf:
>>
>> [iss_num]
>> path = /mnt/data_raid/iss_num
>> comment = Projekt ISS_NUM
>> locking = yes
>> default case = lower
>> preserve case = no
>>
>> On 09.03.2015 at 10:49, Rowland Penny wrote:
>>> On 09/03/15 09:21, Mgr. Peter Tuharsky wrote:
>>>> Hallo,
>>>>
>>>> we have Samba 3 domain w/LDAP backend. Recently we have set up Samba
>>>> 4.1.7 fileserver, a member of the domain, as a first step of full
>>>> migration to Samba 4.
>>>>
>>>> Now, we have problem with file ACL on the Samba4 fileserver. Linux ext4
>>>> fs has 777 ACLs for the file. Why does it look like in Windows (both XP
>>>> and 2k8r2) that "Everyone" has not write permission?
>>>>
>>>> Sincerely
>>>> Peter
>>>>
>>> Hi, any chance you can post the smb.conf from the samba 4.1.7
>>> fileserver ?
>>>
>>> Rowland
>>>
>
> OK, after I removed the default settings, I ended up with this:
>
> [global]
> workgroup = ldap1.sk
> server string = server %L
> dns proxy = no
> netbios aliases = datastore dokumenty iss pravo prenos matriky
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> log level = 2
> security = domain
> map to guest = bad user
> local master = no
> dos charset = 852
> browseable = no
> writable = yes
> unix extensions = no
>
> [iss_num]
> path = /mnt/data_raid/iss_num
> comment = Projekt ISS_NUM
> locking = yes
> preserve case = no
>
> Everything looks ok, provided the machine has been joined to the
> domain. I personally wouldn't use a dot in the workgroup name, but I
> don't think this is your problem. What I think is happening, is that
> you are mixing up Unix and windows acls, what does 'ls -la
> /mnt/data_raid/iss_num' show, is there a '+' sign at the end of the
> acl ? i.e. is it 'rwxrwxrwx' or 'rwxrwxrwx+'
>
> Rowland
>
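
Added example, not part of the original thread: the '+' check Rowland asks for, applied to every directory on the way from the share root down to the file, so that a listing like the one Peter reports (drwxrwxr-x on the share, -rwxrwxrwx on the file) can be read per path component. The helper names classify_mode and walk_modes are hypothetical, and the script assumes GNU ls, which appends '+' to the mode string when an extended ACL is present.

```shell
#!/bin/sh
# Added example. classify_mode and walk_modes are hypothetical helper names.

# classify_mode MODE: MODE is the first column of `ls -l` output.
# Reports the "other" permission triplet, whether it includes write, and
# whether ls appended '+' (GNU ls does this when an extended ACL is set).
classify_mode() {
    mode=$1
    case $mode in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]*) ;;
        *) echo "invalid"; return 1 ;;
    esac
    flag=${mode#??????????}      # whatever follows the 10 mode characters
    perms=${mode%"$flag"}        # the 10 mode characters themselves
    other=${perms#???????}       # last triplet: permissions for "other"
    case $flag in +) acl=yes ;; *) acl=no ;; esac
    case $other in ?w?) ow=yes ;; *) ow=no ;; esac
    echo "other=$other other_write=$ow acl=$acl"
}

# walk_modes ROOT REL: classify ROOT and every path component of REL below it.
walk_modes() {
    cur=$1
    rest=$2
    while :; do
        line=$(ls -ld -- "$cur") || return 1
        printf '%s  %s\n' "$(classify_mode "${line%% *}")" "$cur"
        [ -n "$rest" ] || break
        cur=$cur/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
}

# Mode strings quoted in the thread, plus the '+' form Rowland asks about.
for m in drwxrwxr-x -rwxrwxrwx -rwxrwxrwx+; do
    printf '%-12s %s\n' "$m" "$(classify_mode "$m")"
done
```

On the file server this would be run as walk_modes /mnt/data_raid/iss_num am/uz/FILE, with FILE standing in for the file name, which the thread does not give.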