Stefan G. Weichinger
2018-Sep-07 12:02 UTC
[Samba] "missing security tab" and related ACL issues
On 07.09.18 at 12:45, Rowland Penny via samba wrote:
> On Fri, 7 Sep 2018 11:22:36 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> At a customer server (gentoo linux, so far only Samba version 4.7.7)
>> we tried to use Windows ACLs and failed:
>>
>> no security tab in Windows ... for local C: yes, not on samba shares
>>
>> Yes, I followed
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> and have the vfs module enabled etc
>>
>> -
>>
>> Now I consider that the kernel doesn't have the necessary flags set.
>>
>> I get
>>
>> # getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
>> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
>>
>> but
>>
>> # getfacl /mnt/MSA2040/smb/IT
>> getfacl: Removing leading '/' from absolute path names
>> # file: mnt/MSA2040/smb/IT
>> # owner: ittner
>> # group: domänen-benutzer
>> user::rwx
>> group::rwx
>> other::r-x
>>
>> -
>>
>> From the old kernel config I see these flags unset:
>>
>> # CONFIG_EXT4_FS_POSIX_ACL is not set
>> # CONFIG_EXT4_FS_SECURITY is not set
>>
>> So I prepared a new kernel with these 2 flags enabled and will reboot
>> at 2:30pm ... We'll see!
>>
>> Any other issues I might miss here?
>
> Apart from the fact getattr works on an EA and getfacl works on
> extended ACL's i.e. different things ? ;-)

what? One works, the other not ... I interpret that the kernel doesn't
support the ACL-feature of ext4

> Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
> What is the German for 'admins' ?

wbinfo -g

shows "domänen-admins"

while

# wbinfo -g | grep -i admin
specops endpoint protection report admins
dnsadmins
schema-admins
organisations-admins
Binary file (standard input) matches

??

no "domänen-admins" in here

and

net rpc rights grant "DOM\domänen-admins" SeDiskOperatorPrivilege -U "DOM\administrator"

fails because the group is not found

I asked that already some time ago

and I try to work around that by granting that right to a group called IT
and the few admins in there

At 2:30pm we plan to reboot into the other kernel.
On Fri, 7 Sep 2018 14:02:01 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 07.09.18 at 12:45, Rowland Penny via samba wrote:
> > On Fri, 7 Sep 2018 11:22:36 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> >> At a customer server (gentoo linux, so far only Samba version
> >> 4.7.7) we tried to use Windows ACLs and failed:
> >>
> >> no security tab in Windows ... for local C: yes, not on samba
> >> shares
> >>
> >> Yes, I followed
> >>
> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >>
> >> and have the vfs module enabled etc
> >>
> >> -
> >>
> >> Now I consider that the kernel doesn't have the necessary flags
> >> set.
> >>
> >> I get
> >>
> >> # getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
> >> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
> >>
> >> but
> >>
> >> # getfacl /mnt/MSA2040/smb/IT
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: mnt/MSA2040/smb/IT
> >> # owner: ittner
> >> # group: domänen-benutzer
> >> user::rwx
> >> group::rwx
> >> other::r-x
> >>
> >> -
> >>
> >> From the old kernel config I see these flags unset:
> >>
> >> # CONFIG_EXT4_FS_POSIX_ACL is not set
> >> # CONFIG_EXT4_FS_SECURITY is not set
> >>
> >> So I prepared a new kernel with these 2 flags enabled and will
> >> reboot at 2:30pm ... We'll see!
> >>
> >> Any other issues I might miss here?
> >
> > Apart from the fact getattr works on an EA and getfacl works on
> > extended ACL's i.e. different things ? ;-)
>
> what? One works, the other not ... I interpret that the kernel
> doesn't support the ACL-feature of ext4

From what you have posted it doesn't, but when you do get them working,
you need to understand that EA's and ACL's can work together or
independently.
If 'acl_xattr:ignore system acls = yes' is set, they work independently,
if it isn't, they work together, see 'man vfs_acl_xattr' for more info.

> > Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
> > What is the German for 'admins' ?
>
> wbinfo -g
>
> shows "domänen-admins"
>
> while
>
> # wbinfo -g | grep -i admin
> specops endpoint protection report admins
> dnsadmins
> schema-admins
> organisations-admins
> Binary file (standard input) matches
>
> ??
>
> no "domänen-admins" in here

Very strange, I get:

enterprise admins
domain admins
schema admins
dnsadmins

Okay, hands up, who kidnapped 'enterprise admins' & 'domain admins' :-)

> and
>
> net rpc rights grant "DOM\domänen-admins" SeDiskOperatorPrivilege -U
> "DOM\administrator"
>
> fails because the group is not found

Well it would fail, wouldn't it, your 'domain admins' group has been
kidnapped.

> I asked that already some time ago
>
> and I try to work around that by granting that right to a group
> called IT and the few admins in there

We need to find if the group has actually disappeared.

Run this on a DC:

ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator

Replace 'dc3' with the DC's name.

It should display the Domain Admins object

> At 2:30pm we plan to reboot into the other kernel.

See here: https://wiki.samba.org/index.php/File_System_Support

If it passes the tests there, you should be good to go.

Rowland
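A pre-flight script along the lines of the File_System_Support checks Rowland points to, added here as an example and not part of the thread: it reads the two ext4 options from a kernel .config and probes a directory for the user/security EAs and extended POSIX ACL that Samba's Windows ACL support needs. The function names (kernel_acl_flags, probe_share_dir) and the sample kernel config are constructed; the probe commands are patterned on the wiki page's tests.

```shell
#!/bin/sh
# Added pre-flight check (not from the thread): covers the two things that
# bit here, a kernel built without ext4 ACL/security-xattr support and a
# share path that rejects the EA Samba stores NT ACLs in (security.NTACL).
# Needs the attr and acl tools (setfattr/getfattr, setfacl/getfacl);
# writing security.* EAs normally requires root.

# Report whether a kernel .config enables both ext4 options the thread
# found unset.  Prints "ok", or "missing:" followed by the absent options.
kernel_acl_flags() {
    cfg="$1"
    missing=""
    for opt in CONFIG_EXT4_FS_POSIX_ACL CONFIG_EXT4_FS_SECURITY; do
        grep -q "^${opt}=y" "$cfg" || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# Probe a directory on the share's filesystem, patterned on the tests on
# https://wiki.samba.org/index.php/File_System_Support: a user.* EA, a
# security.* EA (the namespace Samba's NTACL lives in) and an extended
# POSIX ACL.  Prints "name: ok|FAIL" per probe; returns 1 if any failed.
probe_share_dir() {
    t="$1/.acl-probe.$$"
    rc=0
    mkdir -p "$t" || return 1
    if setfattr -n user.test -v test1 "$t" 2>/dev/null &&
       getfattr -n user.test "$t" 2>/dev/null | grep -q 'test1'; then
        echo "user xattr: ok"
    else echo "user xattr: FAIL (user_xattr mount option / kernel xattr support)"; rc=1; fi
    if setfattr -n security.test -v test2 "$t" 2>/dev/null; then
        echo "security xattr: ok"
    else echo "security xattr: FAIL (CONFIG_EXT4_FS_SECURITY, or not running as root)"; rc=1; fi
    if setfacl -m g:root:rwx "$t" 2>/dev/null &&
       getfacl "$t" 2>/dev/null | grep -q '^group:root:rwx'; then
        echo "posix acl: ok"
    else echo "posix acl: FAIL (CONFIG_EXT4_FS_POSIX_ACL / acl mount option)"; rc=1; fi
    rm -rf "$t"
    return $rc
}

# Constructed sample config mirroring the thread's old kernel: both flags unset.
sample_cfg=$(mktemp)
printf '# CONFIG_EXT4_FS_POSIX_ACL is not set\n# CONFIG_EXT4_FS_SECURITY is not set\nCONFIG_EXT4_FS=y\n' > "$sample_cfg"
echo "kernel flags: $(kernel_acl_flags "$sample_cfg")"  # missing: CONFIG_EXT4_FS_POSIX_ACL CONFIG_EXT4_FS_SECURITY
rm -f "$sample_cfg"
# Real use: kernel_acl_flags /usr/src/linux/.config; probe_share_dir /mnt/MSA2040/smb/IT
```

On a mount that fails the probe, fixing the kernel options alone is not enough if the filesystem is mounted without `user_xattr`/`acl` (or the mount flags are not on by default for that kernel version), so re-run the probe after the reboot.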
Stefan G. Weichinger
2018-Sep-07 13:36 UTC
[Samba] "missing security tab" and related ACL issues
On 07.09.18 at 15:25, Rowland Penny via samba wrote:
> From what you have posted it doesn't, but when you do get them working,
> you need to understand that EA's and ACL's can work together or
> independently.
> If 'acl_xattr:ignore system acls = yes' is set, they work
> independently, if it isn't, they work together, see 'man
> vfs_acl_xattr' for more info.

Ok, I will try to remember, so far I have other non-samba issues, see below.

>> ?? no "domänen-admins" in here

> We need to find if the group has actually disappeared.
>
> Run this on a DC:
>
> ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator
>
> Replace 'dc3' with the DC's name.
>
> It should display the Domain Admins object

The DC there is a windows server ... I think: no ->

# ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)' -UAdministrator
[..]
# returned 3 records
# 0 entries
# 3 referrals

> See here: https://wiki.samba.org/index.php/File_System_Support
>
> If it passes the tests there, you should be good to go.

yes, I know, ext4 -> ok

I had to return to the former kernel because my newer kernel with its lpfc
module could not talk correctly to the SAN.

Booted older kernel and have to research that first.

Sure I could enable the 2 parameters for the old kernel as well, but I
avoided doing that right now ...

I have to make sure that I always keep a valid kernel etc and want to plan
things without a hurry / the server is a few 100 km away ... so ... next
week ;-)