samba - Dec 2023 - Samba share not quite working on Domain Controller

On Sun, 17 Dec 2023 11:50:18 -0500
Mark Foley via samba <samba at lists.samba.org>
wrote:
> 
> Spindles7, Thanks.  my cloning the permissions from sysvol was
> temporary ... just in case, and to verify I could open Users >
> Properties > Security.  I did set the actual Security to what you
> have listed using notes from my previous DC setup.  I didn't put
> those step into my post; as I mentioned, the story wasn't finished
> with that message. 
> 
> The wiki
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> talks about Shares generally, but doesn't specifically mention
> 'Redirected Folders'. Maybe that wiki is sufficient; I didn't
examine
> in detail.
Possibly because there is a separate page for Redirected Folders:

https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections
> 
> One thing I'm wondering about, that wiki has instructions to
"Enable
> Extended ACL Support on a Unix domain member" as follows:
> 
>   "Ideally you have a system that supports NFS4 ACLs. The following
> example is for systems like Linux, where you don't have those kind of
> ACLs. To configure shares using extended access control lists (ACL)
> on a Unix domain member, you must enable the support in the smb.conf
> file. To enable extended ACL support globally, add the following
> settings to the [global] section of your smb.conf file:"
> 
> I do have a "system that supports NFS4 ACLs" 
What filesystem is that ?

As far as I am aware, it is only freebsd and freebsd based distros that
have NFS4 acls as standard.
>so I suppose that means
> I don't have to add the listed settings to smb.conf? The instruction
> say, "To configure shares using ... (ACL) on a Unix domain member,
> you must enable the support in the smb.conf file." I'm assuming
that
> "MUST" admonition applies only if you don't have a system
that
> supports NFS4 ACLs (but could the Linux system even work at all
> without this support?).
If you run Samba as a Unix domain member on Linux, then, unless someone
can point out the filesystem with NFS4 ACLS, you need vfs_acl_xattr
> 
> Also, if one were to add these lines to smb.conf, would that be to
> the domain member, domain controller, both? My guess would be to the
> domain member only.
It is built into a DC, so only a Unix domain member.

Rowland

on Sun Dec 17 12:15:28 2023 Rowland Penny via samba <samba at
lists.samba.org> wrote:
>
> On Sun, 17 Dec 2023 11:50:18 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
> > 
> > Spindles7, Thanks.  my cloning the permissions from sysvol was
> > temporary ... just in case, and to verify I could open Users >
> > Properties > Security.  I did set the actual Security to what you
> > have listed using notes from my previous DC setup.  I didn't put
> > those step into my post; as I mentioned, the story wasn't finished
> > with that message. 
> > 
> > The wiki
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > talks about Shares generally, but doesn't specifically mention
> > 'Redirected Folders'. Maybe that wiki is sufficient; I
didn't examine
> > in detail.
>
> Possibly because there is a separate page for Redirected Folders:
>
>
https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections
Great! Thanks. I've made a note of this and will review.
> > 
> > One thing I'm wondering about, that wiki has instructions to
"Enable
> > Extended ACL Support on a Unix domain member" as follows:
> > 
> >   "Ideally you have a system that supports NFS4 ACLs. The
following
> > example is for systems like Linux, where you don't have those kind
of
> > ACLs. To configure shares using extended access control lists (ACL)
> > on a Unix domain member, you must enable the support in the smb.conf
> > file. To enable extended ACL support globally, add the following
> > settings to the [global] section of your smb.conf file:"
> > 
> > I do have a "system that supports NFS4 ACLs" 
>
> What filesystem is that ?
ext4: 

# tune2fs -l /dev/sda3 | grep attr
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype
needs_recovery extent 64bit flex_bg sparse_super large_file huge_file dir_nlink
extra_isize metadata_csum
Default mount options:    user_xattr acl

I believe this means I'm good with NFS4 ACLs. If not, please advise. Doing
'getfacl /redirectedFolders/Users/' does seem to give me the "User
> Properties >
Security" settings I've set up.
> As far as I am aware, it is only freebsd and freebsd based distros that
> have NFS4 acls as standard.
>
> >so I suppose that means
> > I don't have to add the listed settings to smb.conf? The
instruction
> > say, "To configure shares using ... (ACL) on a Unix domain
member,
> > you must enable the support in the smb.conf file." I'm
assuming that
> > "MUST" admonition applies only if you don't have a
system that
> > supports NFS4 ACLs (but could the Linux system even work at all
> > without this support?).
>
> If you run Samba as a Unix domain member on Linux, then, unless someone
> can point out the filesystem with NFS4 ACLS, you need vfs_acl_xattr
>
> > 
> > Also, if one were to add these lines to smb.conf, would that be to
> > the domain member, domain controller, both? My guess would be to the
> > domain member only.
>
> It is built into a DC, so only a Unix domain member.
>
> Rowland
Cool, so if my Linux/Slackware file system have xattr, I'm good, right?