Matthias Leopold
2019-Jan-23 10:50 UTC
[Samba] Windows ACL behaviour in standalone fileservers (LDAP vs TDB)
Hi,

I'm building and managing standalone fileservers (security = user) with various passdb backends. I'm noticing different behaviour of Windows ACLs for servers with LDAP and TDB passdb backends.

In a LDAP backed server (which I started with) I can freely add filesystem permissions (eg for groups) to objects (files/folders) via the Windows (7) permissions editor.

In a TDB backed server I can only add permission to a folder for a group if the containing folder has (any) permissions for that group. Additionally I have to enter my credentials again in the permissions editor, which isn't needed on the LDAP backed server.

Configuration for both servers from a "result view" looks identical to me:
- "net groupmap list" is identical
- both use "security = user" and "acl_xattr"

I'm obviously not an expert for Windows ACLs, a workmate Windows Admin told me that the second behaviour is what he would expect, still I'm confused.

Samba is 4.8.3 on CentOS 7.

thx
Matthias
Matthias Leopold
2019-Jan-28 09:09 UTC
[Samba] Windows ACL behaviour in standalone fileservers (LDAP vs TDB)
I noticed I didn't ask a question ;-)

Has anybody seen this behaviour? Can this be explained?

thank you
matthias

On 23.01.19 at 11:50, Matthias Leopold via samba wrote:
> Hi,
>
> I'm building and managing standalone fileservers (security = user) with
> various passdb backends. I'm noticing different behaviour of Windows
> ACLs for servers with LDAP and TDB passdb backends.
>
> In a LDAP backed server (which I started with) I can freely add
> filesystem permissions (eg for groups) to objects (files/folders) via
> the Windows (7) permissions editor.
>
> In a TDB backed server I can only add permission to a folder for a group
> if the containing folder has (any) permissions for that group.
> Additionally I have to enter my credentials again in the permissions
> editor, which isn't needed on the LDAP backed server.
>
> Configuration for both servers from a "result view" looks identical to me:
> - "net groupmap list" is identical
> - both use "security = user" and "acl_xattr"
>
> I'm obviously not an expert for Windows ACLs, a workmate Windows Admin
> told me that the second behaviour is what he would expect, still I'm
> confused.
>
> Samba is 4.8.3 on CentOS 7.
>
> thx
> Matthias
>
Rowland Penny
2019-Jan-28 10:00 UTC
[Samba] Windows ACL behaviour in standalone fileservers (LDAP vs TDB)
On Mon, 28 Jan 2019 10:09:43 +0100 Matthias Leopold via samba <samba at lists.samba.org> wrote:
> I noticed I didn't ask a question ;-)
>

I noticed that you didn't give us much to work with ;-)

Can you post the smb.conf files from the working ldap machine and the non-working 'tdb' machine?

Rowland