Rowland Penny
2023-Dec-20 21:32 UTC
[Samba] Samba share not quite working on Domain Controller
On Wed, 20 Dec 2023 15:48:43 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:

> I'm following up on this because I'm not sure I understand. tune2fs
> on the DC shows, ext_attr; Default mount options: user_xattr, acl,
> although fstab does not have 'acl' as an option.
>
> So should I add to my DC smb.conf (per
> wiki
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)?
>
> vfs objects = acl_xattr
> map acl inherit = yes
> # the next line is only required on Samba versions less than 4.9.0
> store dos attributes = yes
>
> From the preceding comments, I think this is NOT for the DC.

Well, if you read the big orange box under your wiki page extract, you will find this:

On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically enabled globally. You must not enable the support manually.

Also, your extract is under the heading:

Enable Extended ACL Support on a Unix domain member

So what do you think ???

> When I add a Linux domain member, I do/do-not need to add these to
> the domain member's smb.conf?

If you want to use extended ACLs, then you need to add them.

> What goes wrong if I don't?

You can only use the Unix standard acls (ugo).

> If I do add
> these lines, do I also have to add 'acl' as a fstab mount option?

No, 'acl' is one of the ext4 default options.

Rowland
Mark Foley
2023-Dec-20 23:04 UTC
[Samba] Samba share not quite working on Domain Controller
on Wed Dec 20 16:32:40 2023 Rowland Penny via samba <samba at lists.samba.org>
>
> On Wed, 20 Dec 2023 15:48:43 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I'm following up on this because I'm not sure I understand. tune2fs
> > on the DC shows, ext_attr; Default mount options: user_xattr, acl,
> > although fstab does not have 'acl' as an option.
> >
> > So should I add to my DC smb.conf (per
> > wiki
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)?
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > # the next line is only required on Samba versions less than 4.9.0
> > store dos attributes = yes
> >
> > From the preceding comments, I think this is NOT for the DC.
>
> Well, if you read the big orange box under your wiki page extract, you
> will find this:
>
> On a Samba Active Directory (AD) domain controller (DC), extended ACL
> support is automatically enabled globally. You must not enable the
> support manually.

As I suspected, but I wanted to be sure. One can't be too careful setting up these DCs! As I said in another post, "sorry to be an idiot".

> Also, your extract is under the heading:
>
> Enable Extended ACL Support on a Unix domain member
>
> So what do you think ???
>
> >
> > When I add a Linux domain member, I do/do-not need to add these to
> > the domain member's smb.conf?
>
> If you want to use extended ACLs, then you need to add them.

At the risk of continuing to beat this long-dead horse. Why would I want to use "extended ACL"? What do they buy me over "Unix Standard acls"? Your comment below parenthesises "(ugo)" which I take to mean the user-group-other rwx settings on plain vanilla Unix. The "extended ACLs", I presume, are designated by the '+', viewable with getfacl, as in:

drwxrwx---+ 6 BUILTIN\administrators users 4096 2019-11-12 18:11 Administrator
          ^

So, in your opinion, is there any reason I would need these on a Linux domain member? If not, I'd rather not mess with something unnecessary/extra. If my linux member hosts a Samba share for Windows users to map, would that necessitate using the extended ACLs? I know I can set extended ACLs for my own unix purposes to give special permissions to certain users. I'm asking here if there is a need/benefit with respect to a Domain Member, or samba share specifically. If not, I'll forget about it.

Thanks --Mark

> > What goes wrong if I don't?
>
> You can only use the Unix standard acls (ugo).
>
> > If I do add
> > these lines, do I also have to add 'acl' as a fstab mount option?
>
> No, 'acl' is one of the ext4 default options.
>
> Rowland
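
An added example, not part of either poster's message or of Samba: a lint for smb.conf that flags the three wiki lines when they appear in [global] on a DC, and reports their absence on any other role. The simplified parser (no line continuations or includes), the treatment of every non-DC role as a domain member, and the sample configurations are assumptions.

```python
import re

# The three lines the thread quotes from the wiki's domain-member section.
WIKI_KEYS = ("vfs objects", "map acl inherit", "store dos attributes")
DC_ROLE = "active directory domain controller"

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict (simplified parser)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse inner whitespace.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_acl_settings(text):
    """Return findings for the DC and domain-member cases discussed in the thread."""
    g = parse_global(text)
    findings = []
    if g.get("server role", "").lower() == DC_ROLE:
        for key in WIKI_KEYS:
            if key in g:
                findings.append(f"DC: remove '{key} = {g[key]}' from [global]; "
                                "extended ACL support is automatic on a DC")
    else:  # assumption: any non-DC role is handled as a domain member
        modules = re.split(r"[,\s]+", g.get("vfs objects", ""))
        if "acl_xattr" not in modules:
            findings.append("member: [global] 'vfs objects' lacks acl_xattr; extended ACLs are not enabled")
        if g.get("map acl inherit", "").lower() not in ("yes", "true", "on", "1"):
            findings.append("member: [global] 'map acl inherit = yes' is not set")
    return findings

# Constructed sample configurations (not taken from the thread).
DC_CONF = ("[global]\nserver role = active directory domain controller\n"
           "vfs objects = acl_xattr\nmap acl inherit = yes\n")
MEMBER_CONF = "[global]\nsecurity = ads\n# wiki lines missing\n[data]\npath = /srv/data\n"

if __name__ == "__main__":
    for name, conf in (("dc", DC_CONF), ("member", MEMBER_CONF)):
        print(name, check_acl_settings(conf))
```

`store dos attributes` is not required on a member here because the quoted wiki comment says it is only needed on Samba versions less than 4.9.0.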