Mandi! Rowland penny via samba In chel di` si favelave...> > And my Windows client works happily! > If you only had Unix clients, then you could stick with this way of doing > things, but you have Windows clients, so you need to work the Windows way > and make your Unix clients work the same way.No. In these years i've worked with 'POSIX ACLs', setting up scripts to 'cleanup/sanitize' POSIX ACLs so they behave correctly on windows. I prefere to have (rather) simpler ACLs, but be able to manage it (also) from UNIX, in a UNIX way. Anyway, it is not true that 'Windows ACLs' is the only way to make domain member works in respect to windows client (clearly, domain controller is another story...).> > Also, for the tests i've done, 'windows ACL' works as depicted on the > > wiki page if and only if you set also: > > acl_xattr:ignore system acls = yes > > acl_xattr:default acl style = windows > It works for me without those lines.Boh, I'll do some more test... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
On 05/02/2020 15:35, Marco Gaiarin via samba wrote:> Mandi! Rowland penny via samba > In chel di` si favelave... > >>> And my Windows client works happily! >> If you only had Unix clients, then you could stick with this way of doing >> things, but you have Windows clients, so you need to work the Windows way >> and make your Unix clients work the same way. > No. In these years i've worked with 'POSIX ACLs', setting up scripts to > 'cleanup/sanitize' POSIX ACLs so they behave correctly on windows. > I prefere to have (rather) simpler ACLs, but be able to manage it (also) > from UNIX, in a UNIX way.Exactly, 'these years' refer to running as an nt4-style domain. You are now running in an AD domain.> > Anyway, it is not true that 'Windows ACLs' is the only way to make > domain member works in respect to windows client (clearly, domain > controller is another story...).No, using a DC as a fileserver is just like using a Unix domain member with 'acl_xattr', you MUST use Windows ACLs on a DC and you MUST use acl_xattr on a Unix domain member if you have Windows clients, which means you MUST use Windows ACLs. FYI: there are three ACLs in play here, the standard Unix permissions 'ugo', extended permissions that getfacl displays and and an EA that holds the permissions set from Windows. Rowland
Mandi! Rowland penny via samba In chel di` si favelave...> you MUST use Windows ACLs on a DCSure! Never doubted about that!> and you MUST use acl_xattr on > a Unix domain member if you have Windows clients, which means you MUST use > Windows ACLs.Why you say 'MUST'? You MUST use acl_xattr on a Unix domain member to have ACLs on Windows Clients behave exactly as in Window Server, but POSIX acl works as expected (eg, as POSIX ACLs plus a bit of 'magic') also in windows! Probably is my fault, but if you have your brain that think in UNIX and not in Windows, work with POSIX ACLs is perfectly doable... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)