samba - Nov 2019 - mixing Windows ACL and POSIX ACL shares on one server?

On Fri, Nov 15, 2019 at 10:51:41AM +1300, Andrew Bartlett via samba
wrote:
> On Thu, 2019-11-14 at 21:45 +0100, Matthias Leopold via samba wrote:
> > Hi,
> > 
> > I posted a similar question in 2018 with no answers, so I'll try
> > again:
> > Is it possible to have shares with Windows ACLs and shares with
> > POSIX 
> > ACLs on the same server (security = user)? Since share permissions
> > are 
> > handled differently for both types of shares I'm not sure if this
> > will 
> > work. I know I could try it out myself, but the question again just
> > came 
> > to my mind and I think there will be clear answer by someone who
> > knows.
> 
> Yes, use acl_xattr to store the windows acl if you want that handled
> faithfully.  The last ACL to be set will win. 
> 
> If you set a POSIX ACL then any windows ACL that has been set will be
> ignored.  If you set a windows ACL on the same file then it will be
> translated into posix and also stored.
> 
> So, the idea is that it would 'just work'.
Yep, +1 Andrew, that's the way it's meant to work (was
designed that way). There might be some tricky corner
cases but mostly this is the way most Samba installs
use ACLs.

Am 14.11.19 um 23:03 schrieb Jeremy Allison via samba:
> On Fri, Nov 15, 2019 at 10:51:41AM +1300, Andrew Bartlett via samba wrote:
>> On Thu, 2019-11-14 at 21:45 +0100, Matthias Leopold via samba wrote:
>>> Hi,
>>>
>>> I posted a similar question in 2018 with no answers, so I'll
try
>>> again:
>>> Is it possible to have shares with Windows ACLs and shares with
>>> POSIX
>>> ACLs on the same server (security = user)? Since share permissions
>>> are
>>> handled differently for both types of shares I'm not sure if
this
>>> will
>>> work. I know I could try it out myself, but the question again just
>>> came
>>> to my mind and I think there will be clear answer by someone who
>>> knows.
>>
>> Yes, use acl_xattr to store the windows acl if you want that handled
>> faithfully.  The last ACL to be set will win.
>>
>> If you set a POSIX ACL then any windows ACL that has been set will be
>> ignored.  If you set a windows ACL on the same file then it will be
>> translated into posix and also stored.
>>
>> So, the idea is that it would 'just work'.
> 
> Yep, +1 Andrew, that's the way it's meant to work (was
> designed that way). There might be some tricky corner
> cases but mostly this is the way most Samba installs
> use ACLs.
> 
thank you. you are all focusing on ACLs, I'm rather sure they will work, 
my concern is rather management of share permissions. will 
share_info.tdb (Windows ACL share) work alongside with "valid users" 
(POSIX ACL share)?

Matthias

On Thu, 2019-11-14 at 23:29 +0100, Matthias Leopold
wrote:
> 
> 
> thank you. you are all focusing on ACLs, I'm rather sure they will
> work, 
> my concern is rather management of share permissions. will 
> share_info.tdb (Windows ACL share) work alongside with "valid
users"
> (POSIX ACL share)?
> 
> Matthias
Both apply to all clients (one then the other).

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

Matthias,

I used setfacl to set POSIX and Ad ACLS. Windows users who are in the
appropriate group can manage perms for both.

Cheers,
Tim

On Thu, Nov 14, 2019 at 3:43 PM Matthias Leopold via samba <
samba at lists.samba.org> wrote:
>
>
> Am 14.11.19 um 23:03 schrieb Jeremy Allison via samba:
> > On Fri, Nov 15, 2019 at 10:51:41AM +1300, Andrew Bartlett via samba
> wrote:
> >> On Thu, 2019-11-14 at 21:45 +0100, Matthias Leopold via samba
wrote:
> >>> Hi,
> >>>
> >>> I posted a similar question in 2018 with no answers, so
I'll try
> >>> again:
> >>> Is it possible to have shares with Windows ACLs and shares
with
> >>> POSIX
> >>> ACLs on the same server (security = user)? Since share
permissions
> >>> are
> >>> handled differently for both types of shares I'm not sure
if this
> >>> will
> >>> work. I know I could try it out myself, but the question again
just
> >>> came
> >>> to my mind and I think there will be clear answer by someone
who
> >>> knows.
> >>
> >> Yes, use acl_xattr to store the windows acl if you want that
handled
> >> faithfully.  The last ACL to be set will win.
> >>
> >> If you set a POSIX ACL then any windows ACL that has been set will
be
> >> ignored.  If you set a windows ACL on the same file then it will
be
> >> translated into posix and also stored.
> >>
> >> So, the idea is that it would 'just work'.
> >
> > Yep, +1 Andrew, that's the way it's meant to work (was
> > designed that way). There might be some tricky corner
> > cases but mostly this is the way most Samba installs
> > use ACLs.
> >
>
> thank you. you are all focusing on ACLs, I'm rather sure they will
work,
> my concern is rather management of share permissions. will
> share_info.tdb (Windows ACL share) work alongside with "valid
users"
> (POSIX ACL share)?
>
> Matthias
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 
Tim Brewer
Field Services Tech - ETS FS region 2
Wyoming Department of Enterprise Technology Services
2020 Grand Ave.
Laramie, WY 82070
tim.brewer at wyo.gov
website:  ets.wyo.gov
Support:  307-777-5000
Direct Line:  307-343-3183

Ensuring Wyoming has trailblazing technology to meet tomorrows challenges
while delivering the finest in business services today.

-- 

E-Mail to and from me, in connection with the transaction 
of public 
business, is subject to the Wyoming Public Records 
Act and may be 
disclosed to third parties.