Mgr. Peter Tuharsky
2015-Mar-10 09:51 UTC
[Samba] Linux fs ACL ignored for Samba4 share in Windows?
This command lists all directories in iss_num. However the . (iss_num itself) has drwxrwxr-x

Now for the incriminating file example that shows abnormal ACL in Windows: the file resides in iss_num/am/uz and has -rwxrwxrwx

So there is no + in listing for share directory nor for files in the directory structure.

Peter

On 10.03.2015 at 10:37, Rowland Penny wrote:
> On 10/03/15 07:16, Mgr. Peter Tuharsky wrote:
>> Hm, it is quite large. I will snip all comments out and all shares that
>> are not interesting
>>
>> smb.conf:
>>
>> [global]
>>
>> workgroup = ldap1.sk
>> server string = server %L
>> wins support = no
>> dns proxy = no
>> netbios aliases = datastore dokumenty iss pravo prenos matriky
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>> log level = 2
>> security = domain
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = no
>> unix password sync = no
>> map to guest = bad user
>> domain logons = no
>> domain master = auto
>> local master = no
>> usershare allow guests = no
>>
>> include = /etc/samba/smb-global.conf
>> include = /etc/samba/smb-datastore.conf
>>
>> smb-global.conf:
>> [global]
>>
>> dos charset = 852
>> unix charset = UTF8
>> dos filetimes = yes
>> browseable = no
>> guest ok = no
>> public = no
>> writable = yes
>> unix extensions = no
>> follow symlinks = yes
>>
>> smb-datastore.conf:
>>
>> [iss_num]
>> path = /mnt/data_raid/iss_num
>> comment = Projekt ISS_NUM
>> locking = yes
>> default case = lower
>> preserve case = no
>>
>> On 09.03.2015 at 10:49, Rowland Penny wrote:
>>> On 09/03/15 09:21, Mgr. Peter Tuharsky wrote:
>>>> Hallo,
>>>>
>>>> we have Samba 3 domain w/LDAP backend. Recently we have set up Samba
>>>> 4.1.7 fileserver, a member of the domain, as a first step of full
>>>> migration to Samba 4.
>>>>
>>>> Now, we have problem with file ACL on the Samba4 fileserver. Linux
>>>> ext4 fs has 777 ACLs for the file. Why does it look like in Windows
>>>> (both XP and 2k8r2) that "Everyone" has not write permission?
>>>>
>>>> Sincerely
>>>> Peter
>>>>
>>> Hi, any chance you can post the smb.conf from the samba 4.1.7
>>> fileserver ?
>>>
>>> Rowland
>>>
>
> OK, after I removed the default settings, I ended up with this:
>
> [global]
> workgroup = ldap1.sk
> server string = server %L
> dns proxy = no
> netbios aliases = datastore dokumenty iss pravo prenos matriky
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> log level = 2
> security = domain
> map to guest = bad user
> local master = no
> dos charset = 852
> browseable = no
> writable = yes
> unix extensions = no
>
> [iss_num]
> path = /mnt/data_raid/iss_num
> comment = Projekt ISS_NUM
> locking = yes
> preserve case = no
>
> Everything looks ok, provided the machine has been joined to the
> domain. I personally wouldn't use a dot in the workgroup name, but I
> don't think this is your problem. What I think is happening, is that
> you are mixing up Unix and windows acls, what does 'ls -la
> /mnt/data_raid/iss_num' show, is there a '+' sign at the end of the
> acl ? i.e. is it 'rwxrwxrwx' or 'rwxrwxrwx+'
>
> Rowland
Rowland Penny
2015-Mar-10 10:01 UTC
[Samba] Linux fs ACL ignored for Samba4 share in Windows?
On 10/03/15 09:51, Mgr. Peter Tuharsky wrote:
> This command lists all directories in iss_num. However the . (iss_num
> itself) has drwxrwxr-x
>
> Now for the incriminating file example that shows abnormal ACL in
> Windows: the file resides in iss_num/am/uz and has -rwxrwxrwx
>
> So there is no + in listing for share directory nor for files in the
> directory structure.
>
> Peter

OK, this means that you are mixing up Unix & windows acls, if there was a '+' sign, this would mean that Unix (and samba) was using windows ACLs. You could try and give 'Everyone' read access from windows and then look again from unix with 'ls -la', if you now have the '+' then good. If not, install the 'acl' & 'attr' packages and try again, once you get the '+' sign, you can then look at the ACLs with 'getfacl /mnt/data_raid/iss_num'

Rowland
Rowland Penny
2015-Mar-10 10:23 UTC
[Samba] Linux fs ACL ignored for Samba4 share in Windows?
On 10/03/15 10:01, Rowland Penny wrote:
> On 10/03/15 09:51, Mgr. Peter Tuharsky wrote:
>> This command lists all directories in iss_num. However the . (iss_num
>> itself) has drwxrwxr-x
>>
>> Now for the incriminating file example that shows abnormal ACL in
>> Windows: the file resides in iss_num/am/uz and has -rwxrwxrwx
>>
>> So there is no + in listing for share directory nor for files in the
>> directory structure.
>>
>> Peter
>
> OK, this means that you are mixing up Unix & windows acls, if there
> was a '+' sign, this would mean that Unix (and samba) was using
> windows ACLs. You could try and give 'Everyone' read access from
> windows and then look again from unix with 'ls -la', if you now have
> the '+' then good. If not, install the 'acl' & 'attr' packages and try
> again, once you get the '+' sign, you can then look at the ACLs with
> 'getfacl /mnt/data_raid/iss_num'
>
> Rowland

Hi again, forgot to say that you will probably need to add this to the global part of your smb.conf:

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

Rowland
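
Added example, not part of any message in the thread: a shell check for the two things the replies ask about, the '+' marker in the 'ls -la' mode field and the three [global] settings from the last message. The function names and the sample file are made up for illustration, and files pulled in with 'include =' are not read.

```shell
# Added example. Function names and the sample file are constructed.
# Print each thread-suggested [global] setting that FILE does not set.
# Samba ignores case and whitespace in section and parameter names, so
# both are normalised before comparing. "include =" files are not followed.
missing_acl_settings() {
    awk '
    function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments, blank lines
    /^[ \t]*\[/ {                                 # section header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = norm(sec); next
    }
    sec == "global" {
        eq = index($0, "="); if (eq == 0) next
        key = norm(substr($0, 1, eq - 1))
        val = tolower(substr($0, eq + 1))
        sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        seen[key] = val                           # last assignment wins
    }
    END {
        if ((" " seen["vfsobjects"] " ") !~ /[ ,\t]acl_xattr[ ,\t]/) print "vfs objects = acl_xattr"
        if (seen["mapaclinherit"] !~ /^(yes|true|1)$/) print "map acl inherit = Yes"
        if (seen["storedosattributes"] !~ /^(yes|true|1)$/) print "store dos attributes = Yes"
    }' "$1"
}

# Succeed if an ls mode field (first column of "ls -la") ends in "+".
has_acl_marker() {
    case "$1" in *+) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: part of the trimmed config quoted in the thread.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[global]
    workgroup = ldap1.sk
    security = domain
    unix extensions = no
[iss_num]
    path = /mnt/data_raid/iss_num
EOF
echo "Not set in [global]:"; missing_acl_settings "$conf"
for mode in drwxrwxr-x -rwxrwxrwx -rwxrwxrwx+; do
    if has_acl_marker "$mode"; then printf '%s has the + marker\n' "$mode"
    else printf '%s has no + marker\n' "$mode"; fi
done
rm -f "$conf"
```

Run against the real file, 'missing_acl_settings /etc/samba/smb.conf' prints nothing once all three lines are present in [global].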