Hi.

We set up a samba domain with two DC ver. 4.7.3 and a file server ver. 4.7.1.
Currently we have a problem setting ACLs from a Microsoft client.
When we set an ACL the client shows the new ACL correctly, but on the fileserver the getfacl command shows no changes.

The filesystem is an ext4 with the options rw,acl,user_xattr,usrquota,grpquota.

This is the share configuration:

    [user1]
    path = /opt/samba/fileserver/user1
    admin users = @"domain admins"
    valid users = @"domain users"
    hide unreadable = yes
    hide unwriteable files = no
    hide special files = yes
    directory mask = 2775
    read only = No
    guest ok = Yes
    browseable = Yes
    hide dot files = yes
    use sendfile = yes
    acl group control = yes
    inherit permissions = yes
    inherit acls = yes
    map acl inherit = yes
    store dos attributes = yes
    dos filemode = yes
    vfs objects = readahead acl_xattr full_audit recycle default_quota:quotasettings
    quotasettings: uid nolimit = no
    quotasettings: gid = 65534
    quotasettings: gid nolimit = no
    acl_xattr:ignore system acls = yes
    recycle:repository = /opt/samba/fileserver/.recycle/user1
    recycle:directory_mode = 2770
    recycle:versions = True
    recycle:keeptree = True
    recycle:touch = True
    recycle:touch_mtime = False
    #recycle:minsize = 1
    recycle:exclude = *.tmp *.temp ~$* *.~?? *.o *.obj *.swp *~ .~lock.*
    recycle:exclude_dir = .recycle ?SharedObjects
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = mkdir rmdir rename read write unlink chown readlink link mknod fset_nt_acl sys_acl_set_file sys_acl_set_fd sys_acl_delete_def_file pwrite open
    full_audit:failure = connect
    full_audit:facility = LOCAL4
    full_audit:priority = NOTICE

Can anyone explain this behaviour?

Thanks in advance.

Matteo

On Thu, 15 Feb 2018 08:36:10 +0100 Matteo Maretto via samba <samba at lists.samba.org> wrote:

> Hi.
> We set up a samba domain with two DC ver. 4.7.3 and a file server
> ver. 4.7.1.
> Currently we have a problem setting ACLs from a Microsoft client.
> When we set an ACL the client shows the new ACL correctly, but on the
> fileserver the getfacl command shows no changes.
>
> The filesystem is an ext4 with the options
> rw,acl,user_xattr,usrquota,grpquota.

You might as well remove 'acl,user_xattr', they are the defaults with ext4

> This is the share configuration:
>
> [user1]
> path = /opt/samba/fileserver/user1

As you want to use windows ACLs, try resetting it to this:

    [user1]
    path = /opt/samba/fileserver/user1
    read only = no

Then read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Though, as it seems to be a users homedir, you might need to read this as well:

https://wiki.samba.org/index.php/User_Home_Folders

Rowland

You solicited that behavior by putting this on your smb.conf:

> acl_xattr:ignore system acls = yes

The current Samba behavior when this parameter is included is to neither read nor set extended Linux acls. Only Windows ACLs are set, through acl_xattr.

There was a period when the above parameter caused the system acls to be written but not read. This was rightfully considered inconsistent, unnecessary and performance impairing. The behavior was changed in a Samba version I am trying to locate... I will be back when I find it.

Here's what I was looking for.

On Tue Mar 22 08:19:42 UTC 2016 Uri Simchoni posted the following to the samba-technical mailing list:

"Attached patch avoids setting the POSIX ACLs to match the NT ACLs, if "ignore system acls" is set. I believe this new behavior is more consistent with the vfs_acl_xattr man page. It also has the following benefits:
- Avoid unnecessary sid->xid translations
- Better compatibility with Windows, since by default Windows does not enforce existence of "traverse folder" right on parent folders, and modifying POSIX ACLs on parent folders could cause the kernel to deny access (dunno how RichACLs would handle this one :( )."

A discussion about the subject can be found on the archives after this post.

Version 4.4.3 of Samba was the first one to receive this change of behavior, as can be seen by its Release Notes:

o Uri Simchoni <uri at samba.org>
  * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set.

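An added example, not part of the thread or of Samba itself: a small check that reads smb.conf text and lists the shares where acl_xattr is loaded with "ignore system acls" enabled, together with the behaviour the thread describes for the given Samba version. The function names, the simplified parser (no includes, no line continuations) and the [public] and [Scans] shares are assumptions made for this illustration.

```python
import re
TRUE = {"yes", "true", "on", "1"}
NEITHER = "POSIX ACLs neither read nor set"      # 4.4.3 and later, per the thread
WRITE_ONLY = "POSIX ACLs written but not read"   # before 4.4.3, per the thread

def norm(name):
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}}; names compared without case/whitespace."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def posix_acl_findings(text, version):
    """Shares where ACLs set from Windows will not show up in getfacl output."""
    sections = parse_smb_conf(text)
    defaults = sections.pop("global", {})
    findings = []
    for share, params in sections.items():
        eff = {**defaults, **params}          # share settings override [global]
        objs = re.split(r"[,\s]+", eff.get("vfsobjects", ""))
        modules = {o.split(":")[0].lower() for o in objs if o}
        ignore = eff.get("acl_xattr:ignoresystemacls", "no").lower() in TRUE
        if "acl_xattr" in modules and ignore:
            findings.append((share, NEITHER if version >= (4, 4, 3) else WRITE_ONLY))
    return findings

# Constructed sample: [user1] is cut down from the thread, the rest is made up.
SAMPLE = """
[global]
    vfs objects = acl_xattr
[user1]
    vfs objects = readahead acl_xattr full_audit recycle default_quota:quotasettings
    acl_xattr:ignore system acls = yes
[public]
    ; acl_xattr:ignore system acls = yes
[Scans]
    ACL_XATTR:Ignore System ACLs = True
"""
```

Pass the text of smb.conf and the file server's version as a tuple, for example posix_acl_findings(text, (4, 7, 1)). For a share it reports on 4.4.3 or later, the ACL set from Windows is stored only as the NT ACL, which samba-tool ntacl get shows and getfacl does not.
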
I missed that one. Very useful hint.
Now I can set ACLs again.

Thank you.

On 15/02/2018 13:23, Miguel Medalha wrote:

> Here's what I was looking for.
>
> On Tue Mar 22 08:19:42 UTC 2016 Uri Simchoni posted the following to
> the samba-technical mailing list:
>
> "Attached patch avoids setting the POSIX ACLs to match the NT ACLs, if
> "ignore system acls" is set. I believe this new behavior is more
> consistent with the vfs_acl_xattr man page. It also has the following
> benefits:
> - Avoid unnecessary sid->xid translations
> - Better compatibility with Windows, since by default Windows does not
> enforce existence of "traverse folder" right on parent folders, and
> modifying POSIX ACLs on parent folders could cause the kernel to deny
> access (dunno how RichACLs would handle this one :( )."
>
> A discussion about the subject can be found on the archives after this
> post.
>
> Version 4.4.3 of Samba was the first one to receive this change of
> behavior, as can be seen by its Release Notes:
>
> o Uri Simchoni <uri at samba.org>
>   * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore
>     system acls" is set.