Borut Rozman
2023-Jul-28 13:27 UTC
[Samba] Migration of files with Windows ACL's to Samba server
Hi Rowland,

Sorry for the vague reply, will add more info:
FS is ext4 over NFS4.0, so from the storage server ls -lad gives me

drwxrws--- 2 privuser serviceaccounts 4096 Jul 28 14:01 testg/

testparm -s

oad smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        bind interfaces only = Yes
        dns proxy = No
        domain master = No
        hostname lookups = Yes
        interfaces = lo ens19
        keepalive = 30
        load printers = No
        local master = No
        log file = /var/log/samba/log.%m
        max log size = 1000
        min domain uid = 0
        netbios name = STORE-SMB1
        realm = DOMAIN.EXAMPLE.COM
        security = ADS
        server string = store-smb1 Samba Server
        username map = /etc/samba/user.map
        winbind nss info = rfc2307
        workgroup = DOMAIN
        rpc_server:netlogon = disabled
        idmap config domain:unix_primary_group = yes
        idmap config domain:unix_nss_info = yes
        idmap config domain:range = 10000-999999
        idmap config domain:schema_mode = rfc2307
        idmap config domain:backend = ad
        idmap config * : range = 3000-4999
        idmap config * : backend = tdb
        hosts allow = 192.168.72.0/255.255.255.0
        hosts deny = 0.0.0.0/0
        include = /etc/samba/shares.conf
        inherit acls = Yes
        inherit permissions = Yes
        map acl inherit = Yes
        vfs objects = acl_xattr

[testg]
        comment = Ocms2019 testing share for ACL testing purposes
        map archive = No
        path = /storage/testg
        read only = No

So /storage is an NFS mount from a second server.

server2:/storage/ 201T 40T 153T 21% /storage

regards
Borut

On Fri, 2023-07-28 at 14:12 +0100, Rowland Penny via samba wrote:
>
> On 28/07/2023 13:50, Borut Rozman via samba wrote:
> > Hi Nick,
> > Sorry for the late reply, been busy with some other issues, and
> > this was not such a priority
> >
> > Basically I have
> >
> >         vfs objects = acl_xattr
> >         inherit acls = yes
> >         inherit permissions = yes
> >         map acl inherit = yes
> >
> > in my samba global config and shares are normal shares:
> >
> > [testg]
> >         comment = privuser testing share for ACL testing purposes
> >         path = /storage/testg
> >         browseable = yes
> >         read only = no
> >         inherit acls = yes
> >         inherit permissions = yes
> >         map archive = no
> >
> > But when I want as this user - privuser to change any
> > permissions/acls/anything on any file in that share it gives me:
> > Unable to save permission changes to file, The request is not
> > supported.
> >
> > So looks like I am missing something?
> >
> > Regards
> > Borut
>
> Hi, Whilst you have given us some info, you do not seem to have given
> us much. Just about all you have told us is that you are running Samba
> 4.17.9 on Debian 12 and that you are running it as a server, but what
> sort of server?
>
> Would it be possible for you to post the output of 'testparm -s'?
> Sanitised if you must.
> Also the output of 'ls -lad /storage/testg'
>
> It will probably also help if you can tell us what the filesystem is.
>
> Rowland
Rowland Penny
2023-Jul-28 14:08 UTC
[Samba] Migration of files with Windows ACL's to Samba server
On 28/07/2023 14:27, Borut Rozman wrote:
> Hi Rowland,
>
> Sorry for the vague reply, will add more info:
> FS is ext4 over NFS4.0, so from the storage server ls -lad gives me
>
> drwxrws--- 2 privuser serviceaccounts 4096 Jul 28 14:01 testg/
>
> testparm -s
>
> oad smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is
> deprecated
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> fallback)
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>         bind interfaces only = Yes
>         dns proxy = No
>         domain master = No
>         hostname lookups = Yes
>         interfaces = lo ens19
>         keepalive = 30
>         load printers = No
>         local master = No
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         min domain uid = 0
>         netbios name = STORE-SMB1
>         realm = DOMAIN.EXAMPLE.COM
>         security = ADS
>         server string = store-smb1 Samba Server
>         username map = /etc/samba/user.map
>         winbind nss info = rfc2307
>         workgroup = DOMAIN
>         rpc_server:netlogon = disabled
>         idmap config domain:unix_primary_group = yes
>         idmap config domain:unix_nss_info = yes
>         idmap config domain:range = 10000-999999
>         idmap config domain:schema_mode = rfc2307
>         idmap config domain:backend = ad
>         idmap config * : range = 3000-4999
>         idmap config * : backend = tdb
>         hosts allow = 192.168.72.0/255.255.255.0
>         hosts deny = 0.0.0.0/0
>         include = /etc/samba/shares.conf
>         inherit acls = Yes
>         inherit permissions = Yes
>         map acl inherit = Yes
>         vfs objects = acl_xattr
>
> [testg]
>         comment = Ocms2019 testing share for ACL testing purposes
>         map archive = No
>         path = /storage/testg
>         read only = No

There isn't a great deal wrong with the smb.conf.

> So /storage is an NFS mount from a second server.
>
> server2:/storage/ 201T 40T 153T 21% /storage

That is very probably your problem, sorry, but sharing an NFS mount with Samba is never a good idea. Samba doesn't really use the same ACLs as NFS.

Rowland
Ralph Boehme
2023-Jul-28 14:13 UTC
[Samba] Migration of files with Windows ACL's to Samba server
On 7/28/23 15:27, Borut Rozman via samba wrote:
> So /storage is an NFS mount from a second server.
>
> server2:/storage/ 201T 40T 153T 21% /storage

well, resharing NFS is always asking for problems... :)

It looks like when using acl_xattr where Samba will store the NT ACLs in filesystem extended attributes, your NFS mount doesn't support setting xattrs. Iirc xattrs are an optional feature of the NFS4 protocol, so either your client or server might not implement it or it's not configured correctly.

As an alternative, you could also try to use vfs_nfs4acl_xattr with nfs4acl_xattr:nfs. It's been some time since I implemented this, but that should be the correct setting for your use case. :)

-slow

--
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead                   https://sernet.de/en/
SAMBA+ Samba packages                    https://samba.plus/
SAMBA+ AIX Webinar                       https://samba.plus/samba-webinars
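
Added example (not part of the thread and not Samba project code): a check for the situation described above, `acl_xattr` active on a share whose path sits on an NFS mount. The sample inputs are constructed from the configuration posted in the thread, and the function names are hypothetical.

```python
# Constructed samples (testparm -s output and /proc/mounts), modelled on the thread.
SAMPLE_TESTPARM = """\
[global]
    vfs objects = acl_xattr
[testg]
    path = /storage/testg
[local]
    path = /srv/local
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw 0 0
server2:/storage/ /storage nfs4 rw,vers=4.0 0 0
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} from testparm -s style output."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def fstype_for(path, mounts_text):
    """Filesystem type of the longest mount point that contains path."""
    best, best_type = "", None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt = fields[1].rstrip("/") or "/"
        inside = mnt == "/" or path == mnt or path.startswith(mnt + "/")
        if inside and len(mnt) > len(best):
            best, best_type = mnt, fields[2]
    return best_type

def shares_with_acl_xattr_on_nfs(conf_text, mounts_text):
    """Shares with acl_xattr active (a share value replaces [global]) on NFS."""
    conf = parse_smb_conf(conf_text)
    global_vfs = conf.pop("global", {}).get("vfs objects", "")
    flagged = []
    for name, params in conf.items():
        vfs = params.get("vfs objects", global_vfs).split()
        fstype = fstype_for(params.get("path", ""), mounts_text)
        if "acl_xattr" in vfs and fstype in ("nfs", "nfs4"):
            flagged.append(name)
    return flagged
```

On a live host the two inputs would be the output of `testparm -s` and the contents of `/proc/mounts`.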