On 03.01.19 at 15:29, Rowland Penny via samba wrote:
> On Thu, 3 Jan 2019 15:08:46 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> We are in the process of switching over shares from the old way of
>> doing this to Windows ACLs:
>>
>> disable "valid users" "write list" etc
>>
>> and set ACLs via Windows Explorer ...
>>
>> And I struggle.
>
> Are you following this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

yes

>> I am asking for a way to "start ACLs from scratch".
>>
>> I ran "setfacl -b -R" on the dir on the samba server and did a "chown
>> -R root:10513" to hand it to "domain users"
>
> That isn't using Windows ACLs

Sure. I just wanted to get things going by adjusting ... ok ok

>> in Windows Explorer we try to edit the Permissions in "Computer
>> Management" and get errors around writing to some "container" (I get
>> the msg in German, would have to google for the English error msg)
>
> Please either post the message as is, or the google translation.

it is "Failed to enumerate objects in the container: Access is denied"

>> Could someone please advise?
>>
>> Add-on: a second share works fine with ACLs already, so samba itself
>> should be OK.
>
> If it works on one share, it should work on all, perhaps posting
> smb.conf may help.

sure, sorry.

This is samba-4.8.6, DM server, Gentoo. If important, I don't have the
"samba-tool" binary, due to some Gentoo-specific issue ...

-

smb.conf, shortened and anonymized.
Please note the heading:

# cat /etc/samba/smb.conf
# Samba config file
# from sgw 2018/jun/15
# with help from Rowland

[global]
unix charset = iso8859-15

security = ads
realm = somecompany.INTRA
workgroup = somecompany

netbios aliases = u1somecompany
server string = U1somecompany

winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes

template homedir = /mnt/MSA2040/smb/Homes/%D/%U

restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
uucp
obey pam restrictions = yes

interfaces = 192.168.100.4/24 127.0.0.1
bind interfaces only = Yes

idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config somecompany : range = 10000-20000
idmap config somecompany : backend = rid

# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes

unix extensions = no
follow symlinks = yes
wide links = yes

load printers = no
printcap name = /dev/null

acl allow execute always = True

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir write pwrite rename unlink \
chmod fchmod chown fchown ftruncate
full_audit:facility = local5
full_audit:priority = notice

[homes]
comment = Home Directories
#path = /mnt/MSA2040/smb/Homes/somecompany/%U
#path = /mnt/MSA2040/smb/Homes/somecompany/%S
valid users = %S
browseable = yes
read only = no
create mode = 0750
#directory mask = 0700

[projekte]
path = /mnt/MSA2040/smb/Projekte
read only = No

[QM]
path = /mnt/MSA2040/smb/QM
read only = No

--

observation, maybe important:

getfattr -n security.NTACL -d Projekte
# file: Projekte
security.NTACL=[long base64 value, quoted in full in the reply below]

# getfattr -n security.NTACL -d QM/
QM/: security.NTACL: No such attribute

(share "projekte" works fine, share "QM" not)
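The smb.conf above is the part of the setup that has to be right before Windows ACLs can work at all: acl_xattr must be loaded so that the descriptor set from Windows is stored in the security.NTACL xattr, and share-level options such as "valid users" or "write list" keep deciding access on their own no matter what the ACL says. The following checker is an added example, not code from the post or from Samba. It parses smb.conf (comments, backslash continuations, Samba's case- and whitespace-insensitive parameter names) and reports the global prerequisites plus any share-level overriding options. The two required globals and the list of overriding share options are my selection, following the wiki page Rowland linked; the embedded configuration is abridged from the one in the post.

```python
"""Check an smb.conf for the prerequisites of managing share permissions as
Windows ACLs (acl_xattr) and for share-level options that bypass them."""
import re

# Global settings required on a domain member that stores Windows ACLs. Their
# defaults differ between Samba versions, so they must be set explicitly.
REQUIRED_GLOBAL_YES = ("map acl inherit", "store dos attributes")

# Share options that grant or deny access on their own, independently of the
# Windows ACL; the plan in the post is to drop these and use ACLs only.
OVERRIDING_SHARE_OPTIONS = (
    "valid users", "invalid users", "read list", "write list",
    "admin users", "force user", "force group",
)

SECTION_RE = re.compile(r"^\[(.+)\]$")

# Abridged from the smb.conf posted above (not a complete configuration).
SMB_CONF = """\
[global]
   security = ads
   realm = somecompany.INTRA
   workgroup = somecompany
   winbind use default domain = yes
   invalid users = root bin daemon adm sync shutdown halt mail news \\
                   uucp
   idmap config * : range = 3000-7999
   idmap config * : backend = tdb
   idmap config somecompany : range = 10000-20000
   idmap config somecompany : backend = rid
   # For ACL support on domain member
   vfs objects = acl_xattr full_audit
   map acl inherit = Yes
   store dos attributes = Yes
   full_audit:success = mkdir rmdir write pwrite rename unlink \\
                        chmod fchmod chown fchown ftruncate

[homes]
   comment = Home Directories
   valid users = %S
   browseable = yes
   read only = no
   create mode = 0750

[projekte]
   path = /mnt/MSA2040/smb/Projekte
   read only = No

[QM]
   path = /mnt/MSA2040/smb/QM
   read only = No
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for smb.conf text.

    Handles '#' and ';' comments, backslash line continuation, and Samba's
    case-insensitive, whitespace-insensitive parameter names.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continued on the next line
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = " ".join(value.split())
    return sections


def is_yes(value):
    # Samba accepts yes/true/1 (any case) as the boolean true value.
    return value.lower() in ("yes", "true", "1")


def check_windows_acl_readiness(conf):
    """Return [(section, parameter, message)] for everything that blocks
    or bypasses Windows ACL handling."""
    findings = []
    glob = next((v for k, v in conf.items() if k.lower() == "global"), {})
    if "acl_xattr" not in glob.get("vfs objects", "").split():
        findings.append(("global", "vfs objects",
                         "acl_xattr missing: Windows ACLs are not stored in security.NTACL"))
    for param in REQUIRED_GLOBAL_YES:
        if not is_yes(glob.get(param, "")):
            findings.append(("global", param, "must be set to yes for Windows ACLs"))
    for section, params in conf.items():
        if section.lower() == "global":
            continue
        for param in OVERRIDING_SHARE_OPTIONS:
            if param in params:
                findings.append((section, param,
                                 "restricts access independently of the Windows ACL"))
    return findings


if __name__ == "__main__":
    for section, param, message in check_windows_acl_readiness(parse_smb_conf(SMB_CONF)):
        print("[%s] %s: %s" % (section, param, message))
```

Run against the posted configuration, the global prerequisites pass (acl_xattr is loaded, "map acl inherit" and "store dos attributes" are on) and the only finding is "valid users = %S" in [homes]; neither [projekte] nor [QM] carries anything that would stop the Windows ACL from being the sole access decision, which matches the observation that one of them already works.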
On Thu, 3 Jan 2019 15:46:24 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 03.01.19 at 15:29, Rowland Penny via samba wrote:
>> On Thu, 3 Jan 2019 15:08:46 +0100
>> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>>
>>> We are in the process of switching over shares from the old way of
>>> doing this to Windows ACLs:
>>>
>>> disable "valid users" "write list" etc
>>>
>>> and set ACLs via Windows Explorer ...
>>>
>>> And I struggle.
>>
>> Are you following this:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> yes
>
>>> I am asking for a way to "start ACLs from scratch".
>>>
>>> I ran "setfacl -b -R" on the dir on the samba server and did a
>>> "chown -R root:10513" to hand it to "domain users"
>>
>> That isn't using Windows ACLs
>
> Sure. I just wanted to get things going by adjusting ... ok ok
>
>>> in Windows Explorer we try to edit the Permissions in "Computer
>>> Management" and get errors around writing to some "container" (I
>>> get the msg in German, would have to google for the English error msg)
>>
>> Please either post the message as is, or the google translation.
>
> it is "Failed to enumerate objects in the container: Access is denied"
>
>>> Could someone please advise?
>>>
>>> Add-on: a second share works fine with ACLs already, so samba itself
>>> should be OK.
>>
>> If it works on one share, it should work on all, perhaps posting
>> smb.conf may help.
>
> sure, sorry.
>
> This is samba-4.8.6, DM server, Gentoo. If important, I don't have the
> "samba-tool" binary, due to some Gentoo-specific issue ...
>
> -
>
> smb.conf, shortened and anonymized.
> Please note the heading:
>
> # cat /etc/samba/smb.conf
> # Samba config file
> # from sgw 2018/jun/15
> # with help from Rowland
>
> [global]
> unix charset = iso8859-15
>
> security = ads
> realm = somecompany.INTRA
> workgroup = somecompany
>
> netbios aliases = u1somecompany
> server string = U1somecompany
>
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
>
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
>
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> invalid users = root bin daemon adm sync shutdown halt mail news \
> uucp
> obey pam restrictions = yes
>
> interfaces = 192.168.100.4/24 127.0.0.1
> bind interfaces only = Yes
>
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config somecompany : range = 10000-20000
> idmap config somecompany : backend = rid
>
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
>
> unix extensions = no
> follow symlinks = yes
> wide links = yes
>
> load printers = no
> printcap name = /dev/null
>
> acl allow execute always = True
>
> # Audit settings
> full_audit:prefix = %u|%I|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir write pwrite rename unlink \
> chmod fchmod chown fchown ftruncate
> full_audit:facility = local5
> full_audit:priority = notice
>
> [homes]
> comment = Home Directories
> #path = /mnt/MSA2040/smb/Homes/somecompany/%U
> #path = /mnt/MSA2040/smb/Homes/somecompany/%S
> valid users = %S
> browseable = yes
> read only = no
> create mode = 0750
> #directory mask = 0700
>
> [projekte]
> path = /mnt/MSA2040/smb/Projekte
> read only = No
>
> [QM]
> path = /mnt/MSA2040/smb/QM
> read only = No
>
>
> --
>
> observation, maybe important:

Oh, it's more than important, guess where the Windows ACLs are stored ;-)

> getfattr -n security.NTACL -d Projekte
> # file: Projekte
> security.NTACL=0sBAAEAAAAAgAEAAIAAQDPcJWX0PElycPlTWY5GQ2vHNASQZp1ahdwnxK9pPQOkQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsANqqf4Rco9QBQqh68tlziCDIPZBNBW5uQk5ZroNcgwq3+eRnXtIf9n0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJy0AAAAxAAAAAAAAADUAAAAAQIAAAAAABYBAAAAAAAAAAECAAAAAAAWAgAAAOkDAAACANAACAAAAAALFACpABIAAQEAAAAAAAEAAAAAAAAUAP8BHwABAQAAAAAAAQAAAAAAABgA/wEfAAECAAAAAAAWAQAAAAAAAAAAABgA/wEfAAECAAAAAAAWAgAAAOkDAAAACxQA/wEfAAEBAAAAAAADAAAAAAALFACpABIAAQEAAAAAAAMBAAAAAAMkAL8BEwABBQAAAAAABRUAAABsK0B5jZbdG/hJqYF0BQAAAAMkAKkAEgABBQAAAAAABRUAAABsK0B5jZbdG/hJqYF3BQAA
>
> # getfattr -n security.NTACL -d QM/
> QM/: security.NTACL: No such attribute
>
>
> (share "projekte" works fine, share "QM" not)

are they both using the same filesystem, ownership etc ?

Rowland
On 03.01.19 at 16:19, Rowland Penny via samba wrote:
> On Thu, 3 Jan 2019 15:46:24 +0100 "Stefan G. Weichinger via samba"
> <samba at lists.samba.org> wrote:
>> observation, maybe important:
>
> Oh, it's more than important, guess where the Windows ACLs are stored
> ;-)

hmm ... ? ;)

>> (share "projekte" works fine, share "QM" not)
>
> are they both using the same filesystem, ownership etc ?

Yes.

# MSA2040_SAMBA_storage
/dev/sdc1 /mnt/MSA2040 ext4 noatime 0 1

both shares are subdirs of /mnt/MSA2040/smb

drwxrwxrwx+ 32 root qm               4096  3. Jan 11:48 Projekte
drwxr-x---  47 root domänen-benutzer 4096  3. Jan 14:43 QM

That mismatch of owner group comes from my desperate fiddling ...