samba - Jan 2018 - How to migrating data from one samba server with "old" access config to new server with windows ACL?

Hi,

I try to find a solution for migrating files from a samba server with share
access configure at share level in the smb.conf to a new fileserver with Windows
ACL configured shares.

I did a rsync from the old share to the new server and tried to set the ACL on
windows with the "Computer Manager“. But I get an error when applying the
rights that the enumerating of objects in the container fails.

The new server is a samba 4.7.x 

On other shares which are filled from scratch (no data migration from an old
server) are working fine and use the ACL I add.

Any suggestion hints and tricks are welcome.

	Regards . Götz

Hi Götz,
> I try to find a solution for migrating files from a samba server with share
access configure at share level in the smb.conf to a new fileserver with Windows
ACL configured shares.
>
> I did a rsync from the old share to the new server and tried to set the ACL
on windows with the "Computer Manager“. But I get an error when applying
the rights that the enumerating of objects in the container fails.
Perhaps you should try to remove all old ACL first on linux side, and 
then reset them from Windows side.
  setfacl -R -b /home/myshare
  chown -R administrator:"domain users" /home/myshare
  find /home/myshare -type d -exec chmod 700 {} \;
  find /home/myshare -type f -exec chmod 600 {} \;

It's probably overkill, but it should make it work for you.

samba-tool ntacl get/set --as-sddl is currently buggy on member servers 
(it works properly on domain controller though). It would allow to 
script real Windows ACL the windows way directly on your fileserver! I 
now SDDL is ugly, but it is the only way to do it right :-)

Cheers,

Denis
> The new server is a samba 4.7.x
>
> On other shares which are filled from scratch (no data migration from an
old server) are working fine and use the ACL I add.
>
> Any suggestion hints and tricks are welcome.
>
> 	Regards . Götz
>
>
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

Hi Denis,

I solved the problem for me with your suggestion regarding file permissions. It
looked like the simple case, that I denied the access to a parent folder which
contained the share folder I tried to configure, so the Windows user I used to
configure the share was not able to access it correctly.

Allowing access (mode 755) to the parent folder solved the problem for me.

	Thanks for your suggestion and help . Regards . Götz


> Am 12.01.2018 um 13:11 schrieb Denis Cardon <dcardon at tranquil.it>:
> 
> Hi Götz,
> 
>> I try to find a solution for migrating files from a samba server with
share access configure at share level in the smb.conf to a new fileserver with
Windows ACL configured shares.
>> 
>> I did a rsync from the old share to the new server and tried to set the
ACL on windows with the "Computer Manager“. But I get an error when
applying the rights that the enumerating of objects in the container fails.
> 
> Perhaps you should try to remove all old ACL first on linux side, and then
reset them from Windows side.
> setfacl -R -b /home/myshare
> chown -R administrator:"domain users" /home/myshare
> find /home/myshare -type d -exec chmod 700 {} \;
> find /home/myshare -type f -exec chmod 600 {} \;
> 
> It's probably overkill, but it should make it work for you.
> 
> samba-tool ntacl get/set --as-sddl is currently buggy on member servers (it
works properly on domain controller though). It would allow to script real
Windows ACL the windows way directly on your fileserver! I now SDDL is ugly, but
it is the only way to do it right :-)
> 
> Cheers,
> 
> Denis
> 
>> The new server is a samba 4.7.x
>> 
>> On other shares which are filled from scratch (no data migration from
an old server) are working fine and use the ACL I add.
>> 
>> Any suggestion hints and tricks are welcome.
>> 
>> 	Regards . Götz
>>