On 19/07/18 10:58, Rowland Penny via samba wrote:
> On Thu, 19 Jul 2018 10:32:04 +0100
> lejeczek via samba <samba at lists.samba.org> wrote:
>
>> hi guys
>>
>> my samba share has
>>
>> inherit acls = Yes
>>
>> and inherits(I guess) from global:
>>
>> create mask = 0744
>> directory mask = 0755
>>
>> Now, share's underlying filesystem has acls set on a folder:
>>
>> user::rwx
>> user:me:rwx
>> user:appmgr:r-x
>> group::---
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:me:rwx
>> default:user:appmgr:r-x
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
>> In shell when I create a file in that folder I see:
>>
>> user::rw-
>> user:me:rwx #effective:rw-
>> user:appmgr:r-x #effective:r--
>> group::---
>> mask::rw-
>> other::---
>>
>> but when make new file in Windows client then shell shows:
>>
>> user::rwx
>> user:me:rwx #effective:---
>> user:appmgr:r-x #effective:---
>> group::---
>> mask::---
>> other::---
>>
>> Why is that? Am I missing something in samba's configuration?
>>
>> I'm thinking - ideally might be if I got rid of mask but I'm not sure
>> how.
>>
>> many thanks, L.
>>
> You don't give us much to go on,

what is it that I did not give out?
Samba is 4.7.1 on Centos 7.5
Except for:
inherit acls = Yes
everything is samba vanilla default.
One thing though is the shares are off glusterfs directly, so:

fs objects = glusterfs
glusterfs:volume = GROUP-WORK
path = /

and local filesystem is a mount via autofs with acl option.

> but I think you are mixing up using

I fail to see where I'm mixing those up.
I do not get how creating files, but also folders, gets me different
mask/effective between shell and windows clients, eg of a new folder:

shell's mkdir:

user::rwx
user:me:rwx
user:appmgr:r-x
group::---
mask::rwx
other::---
default:user::rwx
default:user:me:rwx
default:user:appmgr:r-x
default:group::---
default:mask::rwx
default:other::---

windows via samba:

user::rwx
user:me:rwx #effective:r-x
user:appmgr:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:me:rwx
default:user:appmgr:r-x
default:group::---
default:mask::rwx
default:other::---

and parent folder has:

user::rwx
user:me:rwx
user:appmgr:r-x
group::---
mask::rwx
other::---
default:user::rwx
default:user:me:rwx
default:user:appmgr:r-x
default:group::---
default:mask::rwx
default:other::---

Why samba calculate it differently, I fail to get that.

> POSIX and Windows ACL's
> You should use one or the other, not both, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
>
> and here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland
>

On Thu, 19 Jul 2018 11:46:43 +0100
lejeczek via samba <samba at lists.samba.org> wrote:

> On 19/07/18 10:58, Rowland Penny via samba wrote:
> > On Thu, 19 Jul 2018 10:32:04 +0100
> > lejeczek via samba <samba at lists.samba.org> wrote:
> >
> >> hi guys
> >>
> >> my samba share has
> >>
> >> inherit acls = Yes
> >>
> >> and inherits(I guess) from global:
> >>
> >> create mask = 0744
> >> directory mask = 0755
> >>
> >> Now, share's underlying filesystem has acls set on a folder:
> >>
> >> user::rwx
> >> user:me:rwx
> >> user:appmgr:r-x
> >> group::---
> >> mask::rwx
> >> other::---
> >> default:user::rwx
> >> default:user:me:rwx
> >> default:user:appmgr:r-x
> >> default:group::---
> >> default:mask::rwx
> >> default:other::---
> >>
> >> In shell when I create a file in that folder I see:
> >>
> >> user::rw-
> >> user:me:rwx #effective:rw-
> >> user:appmgr:r-x #effective:r--
> >> group::---
> >> mask::rw-
> >> other::---
> >>
> >> but when make new file in Windows client then shell shows:
> >>
> >> user::rwx
> >> user:me:rwx #effective:---
> >> user:appmgr:r-x #effective:---
> >> group::---
> >> mask::---
> >> other::---
> >>
> >> Why is that? Am I missing something in samba's configuration?
> >>
> >> I'm thinking - ideally might be if I got rid of mask but I'm not
> >> sure how.
> >>
> >> many thanks, L.
> >>
> > You don't give us much to go on,
> what is it that I did not give out?
> Samba is 4.7.1 on Centos 7.5

You didn't tell us that before ;-)

> Except for:
> inherit acls = Yes
> everything is samba vanilla default.

Yes, but what 'vanilla default' ?

I have absolutely no idea just how you are running Samba, is it a Unix
domain member, standalone server or what ?

> One thing though is the shares are off glusterfs directly, so:
>
> fs objects = glusterfs
> glusterfs:volume = GROUP-WORK
> path = /

Well, that is definitely not a 'vanilla' Samba option.

>
> and local filesystem is a mount via autofs with acl option.

again, not a Samba 'vanilla' option and what 'acl' option ?

>
> > but I think you are mixing up using
> I fail to see where I'm mixing those up.
> I do not get how creating files, but also folders, gets me different
> mask/effective between shell and windows clients, eg of a new folder:

I guessed that you are running a Unix domain member and you CANNOT use
POSIX acls and Windows ACLs at the same time, they mess with each other.

This will be POSIX

>
> shell's mkdir:
>
> user::rwx
> user:me:rwx
> user:appmgr:r-x
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:user:me:rwx
> default:user:appmgr:r-x
> default:group::---
> default:mask::rwx
> default:other::---
>

and this will be Windows ACLs

> windows via samba:
>
> user::rwx
> user:me:rwx #effective:r-x
> user:appmgr:r-x
> group::---
> mask::r-x
> other::---
> default:user::rwx
> default:user:me:rwx
> default:user:appmgr:r-x
> default:group::---
> default:mask::rwx
> default:other::---
>
> and parent folder has:
>
> user::rwx
> user:me:rwx
> user:appmgr:r-x
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:user:me:rwx
> default:user:appmgr:r-x
> default:group::---
> default:mask::rwx
> default:other::---
>
> Why samba calculate it differently, I fail to get that.

Because you are trying to get Samba (and the OS) to do two things at
once.

Rowland

On 19/07/18 12:17, Rowland Penny via samba wrote:
> On Thu, 19 Jul 2018 11:46:43 +0100
> lejeczek via samba <samba at lists.samba.org> wrote:
>
>> On 19/07/18 10:58, Rowland Penny via samba wrote:
>>> On Thu, 19 Jul 2018 10:32:04 +0100
>>> lejeczek via samba <samba at lists.samba.org> wrote:
>>>
>>>> hi guys
>>>>
>>>> my samba share has
>>>>
>>>> inherit acls = Yes
>>>>
>>>> and inherits(I guess) from global:
>>>>
>>>> create mask = 0744
>>>> directory mask = 0755
>>>>
>>>> Now, share's underlying filesystem has acls set on a folder:
>>>>
>>>> user::rwx
>>>> user:me:rwx
>>>> user:appmgr:r-x
>>>> group::---
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:me:rwx
>>>> default:user:appmgr:r-x
>>>> default:group::---
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> In shell when I create a file in that folder I see:
>>>>
>>>> user::rw-
>>>> user:me:rwx #effective:rw-
>>>> user:appmgr:r-x #effective:r--
>>>> group::---
>>>> mask::rw-
>>>> other::---
>>>>
>>>> but when make new file in Windows client then shell shows:
>>>>
>>>> user::rwx
>>>> user:me:rwx #effective:---
>>>> user:appmgr:r-x #effective:---
>>>> group::---
>>>> mask::---
>>>> other::---
>>>>
>>>> Why is that? Am I missing something in samba's configuration?
>>>>
>>>> I'm thinking - ideally might be if I got rid of mask but I'm not
>>>> sure how.
>>>>
>>>> many thanks, L.
>>>>
>>> You don't give us much to go on,
>> what is it that I did not give out?
>> Samba is 4.7.1 on Centos 7.5
> You didn't tell us that before ;-)
>
>> Except for:
>> inherit acls = Yes
>> everything is samba vanilla default.
> Yes, but what 'vanilla default' ?
>
> I have absolutely no idea just how you are running Samba, is it a Unix
> domain member, standalone server or what ?
>
>> One thing though is the shares are off glusterfs directly, so:
>>
>> fs objects = glusterfs
>> glusterfs:volume = GROUP-WORK
>> path = /
> Well, that is definitely not a 'vanilla' Samba option.
>
>> and local filesystem is a mount via autofs with acl option.
> again, not a Samba 'vanilla' option and what 'acl' option ?
>
>>> but I think you are mixing up using
>> I fail to see where I'm mixing those up.
>> I do not get how creating files, but also folders, gets me different
>> mask/effective between shell and windows clients, eg of a new folder:
> I guessed that you are running a Unix domain member and you CANNOT use
> POSIX acls and Windows ACLs at the same time, they mess with each other.
>
> This will be POSIX
>> shell's mkdir:
>>
>> user::rwx
>> user:me:rwx
>> user:appmgr:r-x
>> group::---
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:me:rwx
>> default:user:appmgr:r-x
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
> and this will be Windows ACLs
>
>> windows via samba:
>>
>> user::rwx
>> user:me:rwx #effective:r-x
>> user:appmgr:r-x
>> group::---
>> mask::r-x
>> other::---
>> default:user::rwx
>> default:user:me:rwx
>> default:user:appmgr:r-x
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
>> and parent folder has:
>>
>> user::rwx
>> user:me:rwx
>> user:appmgr:r-x
>> group::---
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:me:rwx
>> default:user:appmgr:r-x
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
>> Why samba calculate it differently, I fail to get that.
> Because you are trying to get Samba (and the OS) to do two things at
> once.
>
> Rowland
>

yes, shell is posix and samba is win acl, yes.
Samba is a PDC(the only controller) in classic mode, security = user
(no AD), with ldap user backend.
Windows boxes are clients of only that samba domain.
When do shell/posix I do it on Samba server locally.

If I, well.. certainly not purposefully so not I, again: pretty vanilla
samba config, so... if samba ignores posix and calculates mask
independently then where does she do it?

inherit acls = Yes - this seems to work, ACLs are there but that
mask/effective is not what posix gets me, and I'd like samba to do what
setfacl mandates.

Also:
acl map full control = Yes - is set by default.
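
Added example, not part of the original thread or written by either poster: a small Python parser for getfacl-style text that recomputes the "#effective" rights discussed above. In a POSIX ACL the mask entry limits named-user, named-group and owning-group entries, while user:: and other:: are not masked. The three ACL listings are copied from the messages above; the function and variable names are this example's own.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Access ACLs copied from the thread (default: entries omitted).
SHELL_FILE = """user::rw-
user:me:rwx
user:appmgr:r-x
group::---
mask::rw-
other::---"""
WINDOWS_FILE = SHELL_FILE.replace("user::rw-", "user::rwx").replace("mask::rw-", "mask::---")
WINDOWS_DIR = WINDOWS_FILE.replace("mask::---", "mask::r-x")

def to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

def to_text(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def effective_acl(text):
    """Map 'tag:qualifier' -> (granted, effective) for access ACL entries."""
    entries, mask = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '# file:' and '#effective:' comments
        if not line or line.startswith("default:"):
            continue                          # default ACLs only affect new children
        tag, qualifier, perms = line.split(":")
        if tag == "mask":
            mask = to_bits(perms)
        else:
            entries.append((tag, qualifier, to_bits(perms)))
    result = {}
    for tag, qualifier, bits in entries:
        # The mask applies to the group class: named users, owning group, named groups.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        eff = bits & mask if masked and mask is not None else bits
        result[f"{tag}:{qualifier}"] = (to_text(bits), to_text(eff))
    return result

def clamped(text):
    """Entries whose effective rights are narrower than what was granted."""
    return sorted(k for k, (g, e) in effective_acl(text).items() if g != e)

if __name__ == "__main__":
    for name, acl in [("shell file", SHELL_FILE), ("windows file", WINDOWS_FILE),
                      ("windows dir", WINDOWS_DIR)]:
        print(name, clamped(acl), effective_acl(acl))
```

Running it over real `getfacl` output for a tree shows at a glance which objects have a mask that cuts named entries down, which is the difference between the shell-created and Windows-created objects in this thread.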