Stefan G. Weichinger
2018-Sep-07 09:22 UTC
[Samba] "missing security tab" and related ACL issues
At a customer server (gentoo linux, so far only Samba version 4.7.7) we tried to use Windows ACLs and failed:

no security tab in Windows ... for local C: yes, not on samba shares

Yes, I followed

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

and have the vfs module enabled etc

-

Now I consider that the kernel doesn't have the necessary flags set.

I get

# getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
/mnt/MSA2040/smb/IT: security.NTACL: Operation not supported

but

# getfacl /mnt/MSA2040/smb/IT
getfacl: Removing leading '/' from absolute path names
# file: mnt/MSA2040/smb/IT
# owner: ittner
# group: dom�nen-benutzer
user::rwx
group::rwx
other::r-x

-

From the old kernel config I see these flags unset:

# CONFIG_EXT4_FS_POSIX_ACL is not set
# CONFIG_EXT4_FS_SECURITY is not set

So I prepared a new kernel with these 2 flags enabled and will reboot at 2:30pm ... We'll see!

Any other issues I might miss here?
On Fri, 7 Sep 2018 11:22:36 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

>
> At a customer server (gentoo linux, so far only Samba version 4.7.7)
> we tried to use Windows ACLs and failed:
>
> no security tab in Windows ... for local C: yes, not on samba shares
>
> Yes, I followed
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> and have the vfs module enabled etc
>
> -
>
> Now I consider that the kernel doesn't have the necessary flags set.
>
> I get
>
> # getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
>
> but
>
> # getfacl /mnt/MSA2040/smb/IT
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/MSA2040/smb/IT
> # owner: ittner
> # group: dom�nen-benutzer
> user::rwx
> group::rwx
> other::r-x
>
> -
>
> From the old kernel config I see these flags unset:
>
> # CONFIG_EXT4_FS_POSIX_ACL is not set
> # CONFIG_EXT4_FS_SECURITY is not set
>
> So I prepared a new kernel with these 2 flags enabled and will reboot
> at 2:30pm ... We'll see!
>
> Any other issues I might miss here?
>
>

Apart from the fact getattr works on an EA and getfacl works on extended ACL's i.e. different things ? ;-)

Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
What is the German for 'admins' ?

Rowland
Stefan G. Weichinger
2018-Sep-07 12:02 UTC
[Samba] "missing security tab" and related ACL issues
On 07.09.18 at 12:45, Rowland Penny via samba wrote:
> On Fri, 7 Sep 2018 11:22:36 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>>
>> At a customer server (gentoo linux, so far only Samba version 4.7.7)
>> we tried to use Windows ACLs and failed:
>>
>> no security tab in Windows ... for local C: yes, not on samba shares
>>
>> Yes, I followed
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> and have the vfs module enabled etc
>>
>> -
>>
>> Now I consider that the kernel doesn't have the necessary flags set.
>>
>> I get
>>
>> # getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
>> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
>>
>> but
>>
>> # getfacl /mnt/MSA2040/smb/IT
>> getfacl: Removing leading '/' from absolute path names
>> # file: mnt/MSA2040/smb/IT
>> # owner: ittner
>> # group: dom�nen-benutzer
>> user::rwx
>> group::rwx
>> other::r-x
>>
>> -
>>
>> From the old kernel config I see these flags unset:
>>
>> # CONFIG_EXT4_FS_POSIX_ACL is not set
>> # CONFIG_EXT4_FS_SECURITY is not set
>>
>> So I prepared a new kernel with these 2 flags enabled and will reboot
>> at 2:30pm ... We'll see!
>>
>> Any other issues I might miss here?
>>
>>
>
> Apart from the fact getattr works on an EA and getfacl works on
> extended ACL's i.e. different things ? ;-)

what? One works, the other not ... I interpret that the kernel doesn't support the ACL-feature of ext4

> Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
> What is the German for 'admins' ?

wbinfo -g shows "dom�nen-admins"

while

# wbinfo -g | grep -i admin
specops endpoint protection report admins
dnsadmins
schema-admins
organisations-admins
Binary file (standard input) matches

??

no "domänen-admins" in here

and

net rpc rights grant "DOM\domänen-admins" SeDiskOperatorPrivilege -U "DOM\administrator"

fails because the group is not found

I asked that already some time ago and I try to work around that by granting that right to a group called IT and the few admins in there

At 2:30pm we plan to reboot into the other kernel.
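
Added example, not part of the thread: a shell check for the two symptoms discussed above. It reads the two ext4 options from a kernel config file and tells getfattr's "Operation not supported" (the filesystem cannot serve security.* attributes at all) apart from "No such attribute" (it can, but no NTACL is stored on that path). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): prerequisites for security.NTACL on ext4.

# State of one option in a kernel config file: y, unset or absent.
kconfig_flag_state() {
    cfg=$1; flag=$2
    if grep -q "^${flag}=y\$" "$cfg"; then echo y
    elif grep -q "^# ${flag} is not set\$" "$cfg"; then echo unset
    else echo absent
    fi
}

# Return 0 only if both ext4 options named in the thread are enabled;
# otherwise print each option that is not, together with its state.
check_ext4_acl_flags() {
    cfg=$1; rc=0
    for flag in CONFIG_EXT4_FS_POSIX_ACL CONFIG_EXT4_FS_SECURITY; do
        state=$(kconfig_flag_state "$cfg" "$flag")
        [ "$state" = y ] || { echo "$flag: $state"; rc=1; }
    done
    return "$rc"
}

# Classify a getfattr error line:
#   unsupported = the filesystem or kernel does not provide this xattr namespace
#   no-attr     = xattrs work, but this attribute is not set on the path
classify_getfattr_error() {
    case $1 in
        *"Operation not supported"*) echo unsupported ;;
        *"No such attribute"*)       echo no-attr ;;
        *)                           echo other ;;
    esac
}

# Constructed sample input: the two config lines and the error quoted in the thread.
sample=$(mktemp)
printf '%s\n' '# CONFIG_EXT4_FS_POSIX_ACL is not set' \
              '# CONFIG_EXT4_FS_SECURITY is not set' > "$sample"
check_ext4_acl_flags "$sample" || echo "=> enable the options listed above and rebuild"
classify_getfattr_error '/mnt/MSA2040/smb/IT: security.NTACL: Operation not supported'
rm -f "$sample"
```

On a real host, pass the .config the running kernel was built from instead of the sample file.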