Steve French
2019-Feb-28 19:48 UTC
[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
ACL management can be done for SMB2/SMB3 ACLs with two common tools depending on your preference.

smbcacls (somewhat similar to using cacls.exe or icacls.exe in Windows but specifying the UNC name rather than a local path name). smbcacls sets up and tears down a network connection each time it is run and uses Samba user space code.

or setcifsacl/getcifsacl (which calls cifs.ko to access the ACL from the SMB3 mount)

I have run into a few problems in the past with smbcacls with Kerberos (I need to post more details on that on samba-technical or dive in and fix it), and am fixing a problem currently with running setcifsacl (get works fine) to Azure, but setcifsacl has worked fine in my experience to a variety of servers (Windows, Samba etc.)

If you are getting rc=-95 from getcifsacl or setcifsacl the most likely reason is that the local path you specified is not on a cifs.ko (e.g. SMB3) mount. It is also possible that ACL support was disabled when building cifs.ko (you can do "cat /proc/fs/cifs/DebugData | grep Features" to list the build options that were used to build cifs.ko such as whether ACL support was enabled)

On Tue, Feb 26, 2019 at 03:05:12PM +0000, Kraus, Sebastian via samba wrote:
> Dear all,
> what is about the support for POSIX ACL in Samba protocol implementation of SMB2 and SMB3?
> From what I extracted from SNIA and SambaXP developer conference talks and as well as the official Samba Wiki,
> support for POSIX ACL in SMB2 and SMB3 has been completely abandoned. Am I right?
> If so, is there any other possibility to allow Linux Clients to natively access access control lists
> (via NT Security Descriptor, NFSv4 ACL, CIFS ACL) under SMB2/SMB3 on commandline and/or from GUI applications?

--
Thanks,

Steve
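The two rc=-95 (EOPNOTSUPP) causes named in the message above, turned into a check. This is an added example, not part of the original post and not code from cifs-utils; the function names and the sample inputs are constructed, and it assumes ACL support appears as an `ACL` token on the `Features:` line of `/proc/fs/cifs/DebugData`.

```python
import os
import re
CIFS_FSTYPES = {"cifs", "smb3"}  # filesystem types served by cifs.ko
# Constructed sample inputs, not output from a real machine.
SAMPLE_MOUNTS = ("/dev/sda1 / ext4 rw,relatime 0 0\n"
                 "//fs01.example/share /mnt/share cifs rw,relatime,vers=3.0 0 0\n")
SAMPLE_DEBUGDATA = "CIFS Version 2.17\nFeatures: DFS,FSCACHE,STATS,XATTR,ACL\n"

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as \ooo octal
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def mount_for(path, mounts_text):
    path, best = os.path.normpath(path), None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt, fstype = _unescape(fields[1]), fields[2]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        # >= so that a later mount stacked on the same mountpoint wins
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, fstype)
    return best  # (mountpoint, fstype) of the containing mount, or None

def acl_feature_enabled(debugdata_text):
    """True if the Features line of DebugData lists ACL (assumed token name)."""
    for line in debugdata_text.splitlines():
        if line.startswith("Features:"):
            return "ACL" in re.split(r"[,\s]+", line.split(":", 1)[1].strip())
    return False

def explain_rc95(path, mounts_text, debugdata_text):
    mnt = mount_for(path, mounts_text)
    if mnt is None or mnt[1] not in CIFS_FSTYPES:
        return "not-on-cifs-mount"
    if not acl_feature_enabled(debugdata_text):
        return "acl-support-not-built"
    return "mount-and-build-ok"

def explain_rc95_live(path):
    def read(p):  # a missing file (e.g. cifs.ko not loaded) reads as empty
        try:
            with open(p) as f:
                return f.read()
        except OSError:
            return ""
    return explain_rc95(os.path.realpath(path), read("/proc/mounts"),
                        read("/proc/fs/cifs/DebugData"))
```

`explain_rc95_live(path)` runs the same checks against the real `/proc` files; a result of `mount-and-build-ok` means neither of the two causes above applies.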
ronnie sahlberg
2019-Feb-28 22:05 UTC
[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
In current kernels we have the new IOCTL / QueryInfo passthrough where you can use a simple ioctl() on an object in a SMB2/3 share and pull the full security descriptor.
It would be fairly trivial to expand this to allow setting the security descriptor too using SetInfo. We can add that when there is a need.

Now, since this is available through a simple ioctl() interface, you can access this from almost any language that has support for calling the ioctl() syscall.

What I think would be really awesome is if we had a python tool that mimics the same UI as you have in explorer when you go to properties/security/...
That would be really really nice.
Anyone that wants to take a stab at implementing this, reach out to me and I can assist/advise.

Once we have a tool like this with a nice operational UI. We can start petitioning Nautilus and other FileManager folks to integrate it.
That would be super awesome.

regards
ronnie sahlberg

On Fri, Mar 1, 2019 at 5:49 AM Steve French via samba-technical <samba-technical at lists.samba.org> wrote:
>
> ACL management can be done for SMB2/SMB3 ACLs with two common tools
> depending on your preference.
>
> smbcacls (somewhat similar to using cacls.exe or icacls.exe in
> Windows but specifying the UNC name rather than a local path name).
> smbcacls sets up and tears down a network connection each time it is
> run and uses Samba user space code.
>
> or setcifsacl/getcifsacl (which calls cifs.ko to access the ACL from
> the SMB3 mount)
>
> I have run into a few problems in the past with smbcacls with Kerberos
> (I need to post more details on that on samba-technical or dive in and
> fix it), and am fixing a problem currently with running setcifsacl
> (get works fine) to Azure, but setcifsacl has worked fine in my
> experience to a variety of servers (Windows, Samba etc.)
>
> If you are getting rc=-95 from getcifsacl or setcifsacl the most
> likely reason is that the local path you specified is not on a
> cifs.ko (e.g. SMB3) mount. It is also possible that ACL support was
> disabled when building cifs.ko (you can do "cat
> /proc/fs/cifs/DebugData | grep Features" to list the build options
> that were used to build cifs.ko such as whether ACL support was
> enabled)
>
> On Tue, Feb 26, 2019 at 03:05:12PM +0000, Kraus, Sebastian via samba wrote:
> > Dear all,
> > what is about the support for POSIX ACL in Samba protocol implementation of SMB2 and SMB3?
> > From what I extracted from SNIA and SambaXP developer conference talks and as well as the official Samba Wiki,
> > support for POSIX ACL in SMB2 and SMB3 has been completely abandoned. Am I right?
> > If so, is there any other possibility to allow Linux Clients to natively access access control lists
> > (via NT Security Descriptor, NFSv4 ACL, CIFS ACL) under SMB2/SMB3 on commandline and/or from GUI applications?
>
>
> --
> Thanks,
>
> Steve
>
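What a tool built on that passthrough has to do with the bytes it gets back: decode a self-relative NT security descriptor (MS-DTYP layout) into owner, group and DACL entries. This is an added example, not part of the original post and not code from the kernel or cifs-utils; the ioctl() call itself is not shown, and the sample descriptor, including the owner SID, is constructed.

```python
import struct

ACE_TYPES = {0: "ALLOWED", 1: "DENIED"}  # basic ACE types (MS-DTYP)
# Constructed sample descriptor, not captured from a real server.
_OWNER = "0105000000000005" "15000000" "01000000" "02000000" "03000000" "e9030000"
SAMPLE_SD = bytes.fromhex(
    "01000480" "14000000" "30000000" "00000000" "40000000" + _OWNER  # header, owner
    + "0102000000000005" "20000000" "20020000"               # group S-1-5-32-544
    + "02004000" "02000000"                                  # ACL header: 64 bytes, 2 ACEs
    + "00002400" "ff011f00" + _OWNER                         # allow owner 0x001f01ff
    + "00001400" "a9001200" "0101000000000001" "00000000")   # allow S-1-1-0 0x001200a9

def parse_sid(buf, off):
    if off + 8 > len(buf) or off + 8 + 4 * buf[off + 1] > len(buf):
        raise ValueError("truncated SID")
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # 32-bit, little-endian
    return "-".join(str(x) for x in ("S", rev, authority) + subs)

def parse_acl(buf, off):
    if off + 8 > len(buf):
        raise ValueError("truncated ACL header")
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    end, pos, aces = off + size, off + 8, []
    if end > len(buf):
        raise ValueError("ACL overruns buffer")
    for _ in range(count):
        if pos + 4 > end:
            raise ValueError("truncated ACE header")
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_size < (16 if ace_type in ACE_TYPES else 4) or pos + ace_size > end:
            raise ValueError("bad ACE size")
        if ace_type in ACE_TYPES:  # 4-byte header, 32-bit mask, then trustee SID
            (mask,) = struct.unpack_from("<I", buf, pos + 4)
            aces.append((ACE_TYPES[ace_type], flags, mask, parse_sid(buf, pos + 8)))
        else:  # other ACE layouts differ: record the type only
            aces.append(("TYPE_%d" % ace_type, flags, None, None))
        pos += ace_size
    return aces

def parse_sd(buf):
    if len(buf) < 20:
        raise ValueError("truncated descriptor header")
    _r, _s, control, owner, group, _sacl, dacl = struct.unpack_from("<BBHIIII", buf)
    if not control & 0x8000:  # SE_SELF_RELATIVE: fields are offsets, not pointers
        raise ValueError("not a self-relative descriptor")
    return {"owner": parse_sid(buf, owner) if owner else None,
            "group": parse_sid(buf, group) if group else None,
            "dacl": parse_acl(buf, dacl) if dacl else None}
```

Every offset and size is checked against the buffer before it is used, since the descriptor comes from the server and should be treated as untrusted input.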
Jeremy Allison
2019-Feb-28 23:21 UTC
[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
On Fri, Mar 01, 2019 at 08:05:52AM +1000, ronnie sahlberg wrote:
> In current kernels we have the new IOCTL / QueryInfo passthrough where
> you can use a simple ioctl() on an object in a SMB2/3 share and pull
> the full security descriptor.
> It would be fairly trivial to expand this to allow setting the
> security descriptor too using SetInfo. We can add that when there is a
> need.
>
> Now, since this is available through a simple ioctl() interface, you
> can access this from almost any language that has support for calling
> the ioctl() syscall.
>
> What I think would be really awesome is if we had a python tool that
> mimics the same UI as you have in explorer when you go to
> properties/security/...
> That would be really really nice.
> Anyone that wants to take a stab at implementing this, reach out to me
> and I can assist/advise.
>
> Once we have a tool like this with a nice operational UI. We can start
> petitioning Nautilus and other FileManager folks to integrate it.
> That would be super awesome.

Sounds like a great Summer of Code Samba project (hint hint :-).