Rowland Penny
2023-Jan-14 15:39 UTC
[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
On 14/01/2023 14:45, Peter Milesson via samba wrote:> Hi folks, > > Presently I have got an ageing Samba member server (4.10.16) under > CentOS 7.9, so, I'm setting up a new Samba member server to replace the > old server. I have made an initial installation with Debian Bookworm, as > I want to keep at least Samba fairly up to date.You are now ahead on the OS (bookworm hasn't been released yet).> > It's a small Samba based domain (Louis' packages 4.15.7)And behind with Samba, the latest is 4.17.4 I also cannot recommend using Louis's repo, it hasn't been updated for quite sometime and it might never be updated again. I suggest that you use Debian Bullseye and Samba from backports, this will get you Samba 4.17.4 with about 15> users and a few Windows based production machine controllers. There are > several groups, where almost everybody has got a specific mix of access > permissions to different shares. Mostly, a specific group has got full > permissions on a share, and I want to keep inheritance through Windows > ACLs, unless otherwise set up for specific folders inside that share. > Except for data shares, there are user profiles (using folder > redirection) stored on the old server and they are also going to be > migrated to the new box. The domain is mostly managed with Microsoft's > RSAT tools (users/machines/shares/GPOs). There are no Linux users and > will never be, except administrative user accounts for common Linux > administration tasks.You are a bit wrong there, because you are using the 'rid' idmap backend, all your AD users will be Linux users.> > I want the shares in the new server to have maximum possible Windows > server compatibility to minimize quirks and non standard behavior. So I > kindly ask the list for comments on my configuration.As you have only Windows clients, I suggest you set the permissions from Windows, see here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs and here: https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles Because of the above, I would remove a few lines from your smb.conf: acl group control = yes inherit owner = windows and linux inherit acls = yes When creating your shares, only add the lines shown in the links above.
Peter Milesson
2023-Jan-14 17:22 UTC
[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
On 14.01.2023 16:39, Rowland Penny via samba wrote:> > > On 14/01/2023 14:45, Peter Milesson via samba wrote: >> Hi folks, >> >> Presently I have got an ageing Samba member server (4.10.16) under >> CentOS 7.9, so, I'm setting up a new Samba member server to replace >> the old server. I have made an initial installation with Debian >> Bookworm, as I want to keep at least Samba fairly up to date. > > You are now ahead on the OS (bookworm hasn't been released yet). >> >> It's a small Samba based domain (Louis' packages 4.15.7) > > And behind with Samba, the latest is 4.17.4 > I also cannot recommend using Louis's repo, it hasn't been updated for > quite sometime and it might never be updated again. > I suggest that you use Debian Bullseye and Samba from backports, this > will get you Samba 4.17.4 > > ?with about 15 >> users and a few Windows based production machine controllers. There >> are several groups, where almost everybody has got a specific mix of >> access permissions to different shares. Mostly, a specific group has >> got full permissions on a share, and I want to keep inheritance >> through Windows ACLs, unless otherwise set up for specific folders >> inside that share. Except for data shares, there are user profiles >> (using folder redirection) stored on the old server and they are also >> going to be migrated to the new box. The domain is mostly managed >> with Microsoft's RSAT tools (users/machines/shares/GPOs). There are >> no Linux users and will never be, except administrative user accounts >> for common Linux administration tasks. > > You are a bit wrong there, because you are using the 'rid' idmap > backend, all your AD users will be Linux users. > >> >> I want the shares in the new server to have maximum possible Windows >> server compatibility to minimize quirks and non standard behavior. So >> I kindly ask the list for comments on my configuration. > > As you have only Windows clients, I suggest you set the permissions > from Windows, see here: > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > and here: > > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles > > Because of the above, I would remove a few lines from your smb.conf: > > ?? acl group control = yes > ?? inherit owner = windows and linux > ?? inherit acls = yes > > When creating your shares, only add the lines shown in the links above. > >Hi Rowland, Thanks for the input. The DC with Louis' packages will be next in line for replacement. I have noticed there have not been any updates for quite a while. I wasn't aware that the rid backend makes all AD users Linux users. It is definitely not clear from the Wiki. Will it pose a problem with compatibility on Windows workstations when accessing the shares? Will there be any limitations, or otherwise crippled behavior? Anyway, there will be no access allowed to the server outside Samba, except for Linux administration tasks. Is there a simple way to migrate to ad backend from rid? Otherwise I see a daunting task before me setting new permissions on everything according to each user's permission mix. So the two lines vfs objects = acl_xattr map acl inherit = yes are actually sufficient for getting the best Windows server compatibility, without the other options? I have never used anything else than the RSAT tools (AD, DNS, GPO) to manage the share permissions on the existing server. I have no intention to use anything else on the new server, unless absolutely required. About setting up the profile share, I would very much try to avoid using roaming user profiles. I have been using folder redirection for quite some years, and it is definitely much more efficient than roaming profiles. There are quite a few users that insist in cluttering their desktops with 10's of GB of files, even if I tell them 500 times, that they shouldn't be surprised that it takes several minutes before they are logged in. With folder redirection that problem is gone. Best regards, Peter