Arnaud FLORENT
2017-May-04 08:22 UTC
[Samba] Problems with samba and profile syncing from various windows versions
On 04/05/2017 at 10:01, Rowland Penny wrote:
> On Thu, 4 May 2017 09:39:17 +0200
> Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
>
>>
>> On 04/05/2017 at 09:36, Rowland Penny wrote:
>>> On Thu, 4 May 2017 09:07:11 +0200
>>> Arnaud FLORENT <aflorent at iris-tech.fr> wrote:
>>>
>>>> On 04/05/2017 at 08:45, Rowland Penny via samba wrote:
>>>>> On Wed, 3 May 2017 22:48:06 +0200
>>>>> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Thanks for pointing this out.
>>>>>>
>>>>>> I have read that again, now my profiles do not have "vfs objects
>>>>>> = full_audit" and disabled the csc policy. I have verified that I
>>>>>> have set up my profiles share properly and that it has all the
>>>>>> right entitlements. I have reset the entitlements for the users
>>>>>> that have issues (as Administrator right click on the folder and
>>>>>> do the dance there with Windows). We'll see tomorrow.
>>>>>>
>>>>>> Is "profile acls" required anymore on Samba 4.3? What effect will
>>>>>> it have on Windows 10?
>>>>>>
>>>>> On a Samba AD DC, no, you must use windows ACLs, but, on a Unix
>>>>> domain member, you can use the old way i.e. 'create mask' etc
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Could you explain why the old way can not be used please?
>>>>
>>>> why only shares using extended ACLs are supported on a Samba AD DC?
>>>>
>>>> extended ACL support is automatically enabled globally
>>>> but there may be a way to disable it for a specific share?
>>> You answered your question yourself ;-)
>>>
>>> Extended ACL support is automatically enabled globally and you
>>> cannot turn it off.
>>>
>>> Rowland
>>>
>>>
>> nt acl =no
>> seems to work
>>
>> am i wrong to use this?
> YES!
>
>> what kind of errors may occur?
> The AD DC relies on NT ACLs, you need to accept that you must use
> Windows ACLs on a Samba AD DC if you use it as a fileserver. If you
> must use the old way of doing things, set up a Unix domain member and
> use this as a fileserver instead.
>
> If you go here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Under the heading 'Using POSIX ACLs', you will find an info box
> containing this:
>
> When setting up the share on a Samba Active Directory (AD) domain
> controller (DC), you cannot use POSIX ACLs. On a Samba DC, only
> shares using extended ACLs are supported. For further details, see
> Enable Extended ACL Support in the smb.conf File. To set up the share
> on a Samba AD DC, see Setting up the Profiles Share on the Samba File
> Server - Using Windows ACLs.
>
> This wasn't written for no reason.
>
> Rowland

Thank you Rowland

so my next question is

is there a way to setup the share and windows acl only from server command line?
Rowland Penny
2017-May-04 08:37 UTC
[Samba] Problems with samba and profile syncing from various windows versions
On Thu, 4 May 2017 10:22:30 +0200
Arnaud FLORENT <aflorent at iris-tech.fr> wrote:

>
> so my next question is
>
> is there a way to setup the share and windows acl only from server
> command line?
>

I personally do not know of a way that will work exactly as setting the ACLs from Windows. You could try using setfacl and setattr, but, as I have never tried it, I do not know exactly how to do this, perhaps someone else does ;-)

Rowland
Marc Muehlfeld
2017-May-04 09:24 UTC
[Samba] Problems with samba and profile syncing from various windows versions
On 04.05.2017 at 10:22, Arnaud FLORENT via samba wrote:
> is there a way to setup the share and windows acl only from server
> command line?

Yes: smbcacls. It's really cool, but nobody seems to know it. :-)

The problem is that we have (almost) no documentation about it. The only doc we have (man page) is really incomplete. I recently started writing documentation about it. However, smbcacls is currently not very user-friendly if you want to set fine-granular Windows ACLs. For this reason I decided to temporarily stop writing the documentation. Users won't use the tool if they have to add up multiple hex values to set fine-granular ACLs.

That's why I recommend you to set the ACLs on a Windows machine at the moment. It's nothing you often change after you set it up.

Regards,
Marc
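
Added example, not part of the original thread or of Samba's own documentation: a shell helper that does the "adding up hex values" step mentioned above, composing the flags and mask of an `ACL:<name>:<type>/<flags>/<mask>` entry in the format smbcacls(1) documents. The right names are the standard Windows access-right constants; the function names, the `SAMDOM` domain and the choice of rights are assumptions made for illustration.

```shell
# Added example: compose smbcacls ACE strings from named rights.
# Windows file/directory access-right bits (winnt.h values).
right_bit() {
    case "$1" in
        FILE_READ_DATA|FILE_LIST_DIRECTORY)      echo $((0x000001)) ;;
        FILE_WRITE_DATA|FILE_ADD_FILE)           echo $((0x000002)) ;;
        FILE_APPEND_DATA|FILE_ADD_SUBDIRECTORY)  echo $((0x000004)) ;;
        FILE_READ_EA)                            echo $((0x000008)) ;;
        FILE_WRITE_EA)                           echo $((0x000010)) ;;
        FILE_EXECUTE|FILE_TRAVERSE)              echo $((0x000020)) ;;
        FILE_DELETE_CHILD)                       echo $((0x000040)) ;;
        FILE_READ_ATTRIBUTES)                    echo $((0x000080)) ;;
        FILE_WRITE_ATTRIBUTES)                   echo $((0x000100)) ;;
        DELETE)                                  echo $((0x010000)) ;;
        READ_CONTROL)                            echo $((0x020000)) ;;
        WRITE_DAC)                               echo $((0x040000)) ;;
        WRITE_OWNER)                             echo $((0x080000)) ;;
        SYNCHRONIZE)                             echo $((0x100000)) ;;
        FULL_CONTROL)                            echo $((0x1f01ff)) ;;  # all of the above
        *) return 1 ;;
    esac
}
# ACE inheritance flag bits as listed in smbcacls(1).
flag_bit() {
    case "$1" in
        OBJECT_INHERIT)       echo 1 ;;
        CONTAINER_INHERIT)    echo 2 ;;
        NO_PROPAGATE_INHERIT) echo 4 ;;
        INHERIT_ONLY)         echo 8 ;;
        *) return 1 ;;
    esac
}
# or_bits LOOKUP NAME...: OR together the bit values of the given names.
or_bits() {
    lookup=$1; shift; total=0
    for name in "$@"; do
        bit=$("$lookup" "$name") || { echo "unknown name: $name" >&2; return 1; }
        total=$((total | bit))
    done
    echo "$total"
}
access_mask() { v=$(or_bits right_bit "$@") || return 1; printf '0x%08x\n' "$v"; }
ace_flags()   { v=$(or_bits flag_bit "$@") || return 1; printf '0x%x\n' "$v"; }
# build_ace TRUSTEE TYPE FLAGS MASK -> "ACL:<name>:<type>/<flags>/<mask>"
build_ace()   { printf 'ACL:%s:%s/%s/%s\n' "$1" "$2" "$3" "$4"; }
# Constructed demo: trustees and rights are illustrative, not from the thread.
build_ace 'CREATOR OWNER' ALLOWED "$(ace_flags OBJECT_INHERIT CONTAINER_INHERIT INHERIT_ONLY)" "$(access_mask FULL_CONTROL)"
build_ace 'SAMDOM\Domain Users' ALLOWED "$(ace_flags)" "$(access_mask FILE_TRAVERSE FILE_LIST_DIRECTORY FILE_ADD_SUBDIRECTORY)"
```

A string built this way is what `smbcacls //SERVER/SHARE PATH --add '<ace>'` takes as its ACL argument; `SERVER`, `SHARE` and `PATH` are placeholders.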