Hi,

I have issues seeing Windows ACL in Linux with `getfacl`. It is something similar to what I wrote in this mailing list on Feb 24, 2021. But that time I solved it by mounting the Samba shared filesystem with "vers=1.0". Nowadays, in Debian 11, this parameter is not accepted anymore.

Q. The first thing I would like to know from you is this: is it possible at all to make `getfacl` work in a Samba share with Windows ACL? Have any of you succeeded in doing it? (after the mount parameter "vers=1.0" is not available by default)

My setup
--------------------
. all my Linux computers are Debian-11, stable
. all software comes from packages
. the directories that I share via Samba are always from an underlying ext4 filesystem.
. all the Samba versions are

------------------
$> sudo samba --version
Version 4.13.13-Debian
------------------------------

. I have a Windows Domain made from a Samba DC, its hostname is "dc1.windom.borghi.lan"

----- dc1:/etc/samba/smb.conf ------------
# Global parameters
[global]
    dns forwarder = 172.16.3.49
    netbios name = DC1
    realm = WINDOM.BORGHI.LAN
    server role = active directory domain controller
    workgroup = WINDOM
    idmap_ldb:use rfc2307 = yes

    # . for logs
    log level = 1 auth_json_audit:3
    # log level = 1 auth_audit:3 auth_json_audit:3
    # log level = 1 auth_audit:3

    # . for group policy propagation
    apply group policies = yes

    # . to have ssh without typing a password
    kerberos method = secrets and keytab
    winbind refresh tickets = yes

[netlogon]
    path = /var/lib/samba/sysvol/windom.borghi.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
------------------------------------------

. The domain has been working well for about 2 years, we have about 20 Windows clients and about 10 Linux servers.
. The only thing that gives me headaches are these shared disk(s) permissions.

. I have just installed a backup unit in the domain, `backup2.windom.borghi.lan`; it shares a directory

----- backup2:/etc/samba/smb.conf ----------------
[global]
    workgroup = WINDOM
    security = ADS
    realm = WINDOM.BORGHI.LAN

    winbind refresh tickets = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # I have only one domain, so I could assume "WINDOM"
    # but I prefer to see domain users as "WINDOM\userX"
    # for clarity, so I keep this option commented out.
    # winbind use default domain = yes

    # remove after testing
    # -> without these, "getent passwd" and "getent group" return only local users
    winbind enum users = yes
    winbind enum groups = yes

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logs
    log file = /var/log/samba/%m.log
    log level = 1

    # ---- ID mapping backend rid -------
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # - You must set a DOMAIN backend configuration
    # idmap config for the WINDOM domain
    idmap config WINDOM : backend = rid
    idmap config WINDOM : range = 10000-999999

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/WINDOM-%U

    # map "Administrator" to "root"
    username map = /usr/local/samba/etc/user.map

# directory that acts as the shared disk
[sambaDisk]
    path = /mnt/raid1
    read only = no
    #
    # --- default mask for users
    create mask = 777
    directory mask = 777
    #
    # force user = root
    force group = adm
    # load the needed modules
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
-------------------------------------------------

. I can use `setfacl` in `backup2` to set Windows ACL permissions
. I can use `getfacl` to see the permissions in `backup2`
. I can see the permissions mounting \\backup2\sambaDisk in Windows 10, no problem

. Now, I set up a Linux domain member `linte` and I try to mount from there

----- linte:/etc/samba/smb.conf ----------------
[global]
    workgroup = WINDOM
    security = ADS
    realm = WINDOM.BORGHI.LAN

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # I have only one domain, so it is convenient not to have to always type
    # user instead of "WINDOM\user"
    # winbind use default domain = yes

    # remove after testing
    winbind enum users = yes
    winbind enum groups = yes

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logs
    log file = /var/log/samba/%m.log
    log level = 1

    # ---- ID mapping backend rid -------
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config WINDOM : backend = rid
    idmap config WINDOM : range = 10000-999999

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/WINDOM-%U

    # map "Administrator" to "root"
    username map = /usr/local/samba/etc/user.map
------------------------------------------------

. If I try to mount with "vers=1.0" it does not work, I get errors

-----
p@linte $> sudo mount -t cifs -o version=1.0,username=nicola,domain=WINDOM,uid=p //backup2.windom.borghi.lan/sambaDisk /mnt/test/
-----

. If I try to mount with "vers=3.11" it gets mounted, but `getfacl` does not work, instead `getcifsacl` gives reasonable results

-----
p@linte $> sudo mount -t cifs -o vers=3.11,username=nicola,domain=WINDOM,uid=p //backup2.windom.borghi.lan/sambaDisk /mnt/test/
Password for nicola@//backup2.windom.borghi.lan/sambaDisk:

p@linte $> getfacl /mnt/test/
getfacl: Removing leading '/' from absolute path names
# file: mnt/test/
# owner: p
# group: root
user::rwx
group::r-x
other::r-x

p@linte $> getcifsacl /mnt/test/
# filename: /mnt/test/
REVISION:0x1
CONTROL:0x8004
OWNER:UNIX USER\root
GROUP:Unix Group\adm
ACL:WINDOM\g-backup:ALLOWED/OI|CI/FULL
ACL:\Everyone:ALLOWED/OI|CI/READ
ACL:UNIX USER\root:ALLOWED/0x0/FULL
ACL:Unix Group\adm:ALLOWED/0x0/READ
ACL:\Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:\Creator Group:ALLOWED/OI|CI|IO/READ
-----

Do you have any suggestion?

Bye
Nicola
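The post's own output shows the practical difference between the two tools on an SMB3 cifs mount: `getfacl` only reports the three mode-bit entries the client synthesises, while `getcifsacl` returns the NT security descriptor the server actually enforces, including the domain group, the inheritance flags and the `Everyone` entry. When reviewing share permissions from a Linux member, that descriptor is the thing to read. The following script is an added example, not code from the post or from Samba/cifs-utils: it parses `getcifsacl` output into structured entries and answers the two questions a reviewer usually asks, which entries propagate to newly created files and directories, and whether any everyone-style trustee holds write-level rights. The embedded sample is the descriptor quoted in the post; the field layout it assumes (TRUSTEE:KIND/FLAGS/RIGHTS, flags printed as `0x0` when none) is taken from that output, and the list of "broad" trustees and the write-rights policy are this example's own assumptions.

```python
"""Parse getcifsacl(1) output and summarise what the Windows security
descriptor on a CIFS mount actually grants.

Added example; not part of the original mailing-list post. SAMPLE is the
getcifsacl output quoted in the post. The TRUSTEE:KIND/FLAGS/RIGHTS layout
assumed below follows that output; BROAD_TRUSTEES and WRITE_RIGHTS are this
example's own policy choices, not anything Samba or cifs-utils defines.
"""
from dataclasses import dataclass

# getcifsacl output as quoted in the post, embedded so the script runs offline
SAMPLE = """\
# filename: /mnt/test/
REVISION:0x1
CONTROL:0x8004
OWNER:UNIX USER\\root
GROUP:Unix Group\\adm
ACL:WINDOM\\g-backup:ALLOWED/OI|CI/FULL
ACL:\\Everyone:ALLOWED/OI|CI/READ
ACL:UNIX USER\\root:ALLOWED/0x0/FULL
ACL:Unix Group\\adm:ALLOWED/0x0/READ
ACL:\\Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:\\Creator Group:ALLOWED/OI|CI|IO/READ
"""

# Trustees treated as "everyone-style" for the policy check. Assumption: only
# the name seen in the post is listed; extend it for your own environment.
BROAD_TRUSTEES = {"\\Everyone"}
# Rights considered write-level for the policy check (assumption).
WRITE_RIGHTS = {"FULL", "CHANGE"}


@dataclass(frozen=True)
class Ace:
    trustee: str       # e.g. "WINDOM\\g-backup" or "\\Everyone"
    kind: str          # "ALLOWED" or "DENIED"
    flags: frozenset   # inheritance flags such as OI, CI, IO
    rights: str        # "FULL", "CHANGE", "READ" or a raw hex mask


def parse_getcifsacl(text):
    """Return (owner, group, [Ace, ...]) from getcifsacl text output."""
    owner = group = None
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip the "# filename:" header
            continue
        key, _, value = line.partition(":")
        if key == "OWNER":
            owner = value
        elif key == "GROUP":
            group = value
        elif key == "ACL":
            # value is TRUSTEE:KIND/FLAGS/RIGHTS. The trustee may contain
            # backslashes and spaces but never a colon, so split on the last
            # colon to separate it from the access part.
            trustee, _, access = value.rpartition(":")
            kind, flags, rights = access.split("/")
            flagset = frozenset() if flags == "0x0" else frozenset(flags.split("|"))
            aces.append(Ace(trustee, kind, flagset, rights))
    return owner, group, aces


def inheriting_aces(aces):
    """Entries that propagate to new children (object- or container-inherit set)."""
    return [a for a in aces if a.flags & {"OI", "CI"}]


def explicit_aces(aces):
    """Entries that apply to this object itself (IO = inherit-only, skipped)."""
    return [a for a in aces if "IO" not in a.flags]


def broad_write_grants(aces):
    """ALLOWED entries giving write-level rights to an everyone-style trustee."""
    return [a for a in aces
            if a.kind == "ALLOWED"
            and a.trustee in BROAD_TRUSTEES
            and a.rights in WRITE_RIGHTS]


if __name__ == "__main__":
    owner, group, aces = parse_getcifsacl(SAMPLE)
    print(f"owner={owner} group={group} entries={len(aces)}")
    for a in inheriting_aces(aces):
        print(f"inherits to children: {a.trustee} {a.kind} {a.rights} {sorted(a.flags)}")
    for a in broad_write_grants(aces):
        print(f"WARNING broad write grant: {a.trustee} {a.rights}")
```

Run it as-is to see the post's descriptor summarised, or pipe real output in by replacing `SAMPLE` with the text of `getcifsacl <path>`. On the sample, the `\Everyone` entry is READ-only, so no warning is raised; had the share been created with an `Everyone: FULL` entry carrying OI|CI, the script would flag it, and because of the inheritance flags that grant would also land on every new file.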