Matthias Leopold
2019-Nov-14 20:45 UTC
[Samba] mixing Windows ACL and POSIX ACL shares on one server?
Hi, I posted a similar question in 2018 with no answers, so I'll try again: Is it possible to have shares with Windows ACLs and shares with POSIX ACLs on the same server (security = user)? Since share permissions are handled differently for both types of shares I'm not sure if this will work. I know I could try it out myself, but the question again just came to my mind and I think there will be clear answer by someone who knows. thank you Matthias
Rowland penny
2019-Nov-14 21:12 UTC
[Samba] mixing Windows ACL and POSIX ACL shares on one server?
On 14/11/2019 20:45, Matthias Leopold via samba wrote:> Hi, > > I posted a similar question in 2018 with no answers, so I'll try again: > Is it possible to have shares with Windows ACLs and shares with POSIX > ACLs on the same server (security = user)? Since share permissions are > handled differently for both types of shares I'm not sure if this will > work. I know I could try it out myself, but the question again just > came to my mind and I think there will be clear answer by someone who > knows. > > thank you > Matthias >'security = user' means an NT4-style PDC or a standalone server, so you might be able to make this work, but it would mean using the same usernames etc everywhere. To make the share use Windows ACLs, you would have to add 'vfs objects = acl_xattr' to the share config. Whether this is a good idea, I am not sure, I mean, what is the user case ? Why would you want to do this, you would probably be better off joining the machine to an AD domain and using Windows ACLs. Rowland
Matthias Leopold
2019-Nov-14 21:33 UTC
[Samba] mixing Windows ACL and POSIX ACL shares on one server?
Am 14.11.19 um 22:12 schrieb Rowland penny via samba:> On 14/11/2019 20:45, Matthias Leopold via samba wrote: >> Hi, >> >> I posted a similar question in 2018 with no answers, so I'll try again: >> Is it possible to have shares with Windows ACLs and shares with POSIX >> ACLs on the same server (security = user)? Since share permissions are >> handled differently for both types of shares I'm not sure if this will >> work. I know I could try it out myself, but the question again just >> came to my mind and I think there will be clear answer by someone who >> knows. >> >> thank you >> Matthias >> > 'security = user' means an NT4-style PDC or a standalone server, so you > might be able to make this work, but it would mean using the same > usernames etc everywhere. To make the share use Windows ACLs, you would > have to add 'vfs objects = acl_xattr' to the share config. > > Whether this is a good idea, I am not sure, I mean, what is the user > case ? Why would you want to do this, you would probably be better off > joining the machine to an AD domain and using Windows ACLs. > > Rowland > >Thanks for answer. The use case is an existing server with LDAP backend (I described it already here), that started with POSIX ACL shares. I discovered the possibilities of Windows ACLs on another LDAP backed server and now want to further use Windows ACLs on the first server without touching the old shares. This might not look pretty, but this is the situation when you deal with "historically grown" setups. Similar situation with LDAP vs AD, I'd like to have an AD, management does not. Matthias
Andrew Bartlett
2019-Nov-14 21:51 UTC
[Samba] mixing Windows ACL and POSIX ACL shares on one server?
On Thu, 2019-11-14 at 21:45 +0100, Matthias Leopold via samba wrote:> Hi, > > I posted a similar question in 2018 with no answers, so I'll try > again: > Is it possible to have shares with Windows ACLs and shares with > POSIX > ACLs on the same server (security = user)? Since share permissions > are > handled differently for both types of shares I'm not sure if this > will > work. I know I could try it out myself, but the question again just > came > to my mind and I think there will be clear answer by someone who > knows.Yes, use acl_xattr to store the windows acl if you want that handled faithfully. The last ACL to be set will win. If you set a POSIX ACL then any windows ACL that has been set will be ignored. If you set a windows ACL on the same file then it will be translated into posix and also stored. So, the idea is that it would 'just work'. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Jeremy Allison
2019-Nov-14 22:03 UTC
[Samba] mixing Windows ACL and POSIX ACL shares on one server?
On Fri, Nov 15, 2019 at 10:51:41AM +1300, Andrew Bartlett via samba wrote:> On Thu, 2019-11-14 at 21:45 +0100, Matthias Leopold via samba wrote: > > Hi, > > > > I posted a similar question in 2018 with no answers, so I'll try > > again: > > Is it possible to have shares with Windows ACLs and shares with > > POSIX > > ACLs on the same server (security = user)? Since share permissions > > are > > handled differently for both types of shares I'm not sure if this > > will > > work. I know I could try it out myself, but the question again just > > came > > to my mind and I think there will be clear answer by someone who > > knows. > > Yes, use acl_xattr to store the windows acl if you want that handled > faithfully. The last ACL to be set will win. > > If you set a POSIX ACL then any windows ACL that has been set will be > ignored. If you set a windows ACL on the same file then it will be > translated into posix and also stored. > > So, the idea is that it would 'just work'.Yep, +1 Andrew, that's the way it's meant to work (was designed that way). There might be some tricky corner cases but mostly this is the way most Samba installs use ACLs.