Rowland Penny
2023-Dec-18 08:22 UTC
[Samba] Samba share not quite working on Domain Controller
On Sun, 17 Dec 2023 20:16:23 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> on Sun Dec 17 12:15:28 2023 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Sun, 17 Dec 2023 11:50:18 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > Spindles7, Thanks. My cloning the permissions from sysvol was
> > > temporary ... just in case, and to verify I could open Users >
> > > Properties > Security. I did set the actual Security to what you
> > > have listed using notes from my previous DC setup. I didn't put
> > > those steps into my post; as I mentioned, the story wasn't finished
> > > with that message.
> > >
> > > The wiki
> > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > > talks about Shares generally, but doesn't specifically mention
> > > 'Redirected Folders'. Maybe that wiki is sufficient; I didn't
> > > examine in detail.
> >
> > Possibly because there is a separate page for Redirected Folders:
> >
> > https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections
>
> Great! Thanks. I've made a note of this and will review.
>
> > >
> > > One thing I'm wondering about, that wiki has instructions to
> > > "Enable Extended ACL Support on a Unix domain member" as follows:
> > >
> > > "Ideally you have a system that supports NFS4 ACLs. The
> > > following example is for systems like Linux, where you don't have
> > > those kind of ACLs. To configure shares using extended access
> > > control lists (ACL) on a Unix domain member, you must enable the
> > > support in the smb.conf file. To enable extended ACL support
> > > globally, add the following settings to the [global] section of
> > > your smb.conf file:"
> > >
> > > I do have a "system that supports NFS4 ACLs"
> >
> > What filesystem is that?
>
> ext4:
>
> # tune2fs -l /dev/sda3 | grep attr
> Filesystem features: has_journal ext_attr resize_inode dir_index
> filetype needs_recovery extent 64bit flex_bg sparse_super large_file
> huge_file dir_nlink extra_isize metadata_csum
> Default mount options: user_xattr acl
>
> I believe this means I'm good with NFS4 ACLs. If not, please advise.
> Doing 'getfacl /redirectedFolders/Users/' does seem to give me the
> "User > Properties > Security" settings I've set up.
>
> > As far as I am aware, it is only FreeBSD and FreeBSD-based distros
> > that have NFS4 ACLs as standard.
> >
> > > so I suppose that means
> > > I don't have to add the listed settings to smb.conf? The
> > > instructions say, "To configure shares using ... (ACL) on a Unix
> > > domain member, you must enable the support in the smb.conf file."
> > > I'm assuming that "MUST" admonition applies only if you don't
> > > have a system that supports NFS4 ACLs (but could the Linux system
> > > even work at all without this support?).
> >
> > If you run Samba as a Unix domain member on Linux, then, unless
> > someone can point out the filesystem with NFS4 ACLs, you need
> > vfs_acl_xattr
> >
> > >
> > > Also, if one were to add these lines to smb.conf, would that be to
> > > the domain member, domain controller, both? My guess would be to
> > > the domain member only.
> >
> > It is built into a DC, so only a Unix domain member.
> >
> > Rowland
>
> Cool, so if my Linux/Slackware file system has xattr, I'm good,
> right?
>
>

If, on an ext4 filesystem, you add 'vfs objects = acl_xattr' to your
smb.conf, then Samba will use EAs to store the extended attributes.
These extended attributes are not NFS4 ACLs and they are used by
default on Samba AD DCs, so please do not add the 'vfs objects' line to
a DC without ensuring it lists both of the default options.

Rowland
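
Rowland's caveat above, as an added example that is not part of the original thread or of Samba itself: a small Python audit of smb.conf text that flags a 'vfs objects' line on an AD DC that drops the defaults, and a Unix domain member that lacks acl_xattr. It assumes the two DC defaults are dfs_samba4 and acl_xattr (the thread does not name them); the function names and the sample smb.conf are constructed for illustration.

```python
import re

# Assumption: the two modules a Samba AD DC loads when 'vfs objects' is unset.
DC_DEFAULT_VFS = ("dfs_samba4", "acl_xattr")
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current = {}, None
    text = re.sub(r"\\\r?\n", "", text)           # join continuation lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse inner whitespace.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_vfs_objects(text):
    """Return (section, missing_modules) for each risky 'vfs objects' setting."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    is_dc = glob.get("server role", "auto").lower() in DC_ROLES
    modules = lambda value: [m for m in re.split(r"[,\s]+", value) if m]
    findings = []
    if is_dc:
        # An explicit list replaces the defaults, so each one must repeat them.
        for name, params in conf.items():
            if "vfs objects" in params:
                loaded = modules(params["vfs objects"])
                missing = [m for m in DC_DEFAULT_VFS if m not in loaded]
                if missing:
                    findings.append((name, missing))
    elif "acl_xattr" not in modules(glob.get("vfs objects", "")):
        # On a Unix domain member, acl_xattr has to be enabled explicitly.
        findings.append(("global", ["acl_xattr"]))
    return findings

# Constructed sample: a DC where the member-server settings were pasted in.
SAMPLE_DC = """
[global]
    server role = active directory domain controller
    vfs objects = acl_xattr
    map acl inherit = yes
"""
if __name__ == "__main__":
    print(audit_vfs_objects(SAMPLE_DC))
```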
Mark Foley
2023-Dec-20 20:48 UTC
[Samba] Samba share not quite working on Domain Controller
On Dec 18 03:22:32 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

>
> On Sun, 17 Dec 2023 20:16:23 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > on Sun Dec 17 12:15:28 2023 Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sun, 17 Dec 2023 11:50:18 -0500
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > >
> > > > [deleted]
> > > >
> > > > One thing I'm wondering about, that wiki has instructions to
> > > > "Enable Extended ACL Support on a Unix domain member" as follows:
> > > >
> > > > "Ideally you have a system that supports NFS4 ACLs. The
> > > > following example is for systems like Linux, where you don't have
> > > > those kind of ACLs. To configure shares using extended access
> > > > control lists (ACL) on a Unix domain member, you must enable the
> > > > support in the smb.conf file. To enable extended ACL support
> > > > globally, add the following settings to the [global] section of
> > > > your smb.conf file:"
> > > >
> > > > I do have a "system that supports NFS4 ACLs"
> > >
> > > What filesystem is that?
> >
> > ext4:
> >
> > # tune2fs -l /dev/sda3 | grep attr
> > Filesystem features: has_journal ext_attr resize_inode dir_index
> > filetype needs_recovery extent 64bit flex_bg sparse_super large_file
> > huge_file dir_nlink extra_isize metadata_csum
> > Default mount options: user_xattr acl
> >
> > I believe this means I'm good with NFS4 ACLs. If not, please advise.
> > Doing 'getfacl /redirectedFolders/Users/' does seem to give me the
> > "User > Properties > Security" settings I've set up.
> >
> > > As far as I am aware, it is only FreeBSD and FreeBSD-based distros
> > > that have NFS4 ACLs as standard.
> > >
> > > > so I suppose that means
> > > > I don't have to add the listed settings to smb.conf? The
> > > > instructions say, "To configure shares using ... (ACL) on a Unix
> > > > domain member, you must enable the support in the smb.conf file."
> > > > I'm assuming that "MUST" admonition applies only if you don't
> > > > have a system that supports NFS4 ACLs (but could the Linux system
> > > > even work at all without this support?).
> > >
> > > If you run Samba as a Unix domain member on Linux, then, unless
> > > someone can point out the filesystem with NFS4 ACLs, you need
> > > vfs_acl_xattr
> > >
> > > >
> > > > Also, if one were to add these lines to smb.conf, would that be to
> > > > the domain member, domain controller, both? My guess would be to
> > > > the domain member only.
> > >
> > > It is built into a DC, so only a Unix domain member.
> > >
> > > Rowland
> >
> > Cool, so if my Linux/Slackware file system has xattr, I'm good,
> > right?
> >
> >
>
> If, on an ext4 filesystem, you add 'vfs objects = acl_xattr' to your
> smb.conf, then Samba will use EAs to store the extended attributes.
> These extended attributes are not NFS4 ACLs and they are used by
> default on Samba AD DCs, so please do not add the 'vfs objects' line to
> a DC without ensuring it lists both of the default options.
>
> Rowland

I'm following up on this because I'm not sure I understand. tune2fs on the DC
shows ext_attr; Default mount options: user_xattr, acl, although fstab does
not have 'acl' as an option.

So should I add to my DC smb.conf (per wiki
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)?

    vfs objects = acl_xattr
    map acl inherit = yes
    # the next line is only required on Samba versions less than 4.9.0
    store dos attributes = yes

From the preceding comments, I think this is NOT for the DC.

When I add a Linux domain member, I do/do-not need to add these to the domain
member's smb.conf? What goes wrong if I don't? If I do add these lines, do I
also have to add 'acl' as a fstab mount option?

Thanks --Mark