Jeremy Allison
2024-May-23 04:05 UTC
[Samba] How to set up a simple file server with full ACL support?
On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba wrote:>After 23 years answering questions here, I figure it might be time for >me to ask one. > >As mentioned here: >https://lists.samba.org/archive/samba-technical/2024-May/138969.html I >am working with a client to improve a Go SMB client library. > >They want to manipulate ACLs on SMB, which is a very reasonable thing >to want to do. > >What we had a lot of trouble with is simply setting Samba up as a >standalone fileserver able to accept arbitrary NT ACL changes. > .. >However, despite connecting as root (within a docker container), we >just get ACL errors that seem to be from Samba checking and failing >against some existing (mapped) presumably ACL. > >I don't have the exact error strings to hand (was on the client's dev >box) but I've been asked to provide a working set of steps to get >arbitrary windows ACLs working on modern standalone Samba server.My guess would be docker container issues. Try setting up a bog-standard stand-alone fileserver (not on docker) - no containerization, just using local users and NTLM auth. Get ACL then set with smbcacls. That should easily work, and the network trace should show you what is being done. If that fails, get a debug level 10 and start digging for the returned error message. This *should* be very simple. It works for me every day.
Luis Peromarta
2024-May-23 05:35 UTC
[Samba] How to set up a simple file server with full ACL support?
In LXC containers for ACLs to work they can?t be ?unprivileged?. LP On 23 May 2024 at 05:06 +0100, Jeremy Allison via samba <samba at lists.samba.org>, wrote:> On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba wrote: > > After 23 years answering questions here, I figure it might be time for > > me to ask one. > > > > As mentioned here: > > https://lists.samba.org/archive/samba-technical/2024-May/138969.html I > > am working with a client to improve a Go SMB client library. > > > > They want to manipulate ACLs on SMB, which is a very reasonable thing > > to want to do. > > > > What we had a lot of trouble with is simply setting Samba up as a > > standalone fileserver able to accept arbitrary NT ACL changes. > > .. > > However, despite connecting as root (within a docker container), we > > just get ACL errors that seem to be from Samba checking and failing > > against some existing (mapped) presumably ACL. > > > > I don't have the exact error strings to hand (was on the client's dev > > box) but I've been asked to provide a working set of steps to get > > arbitrary windows ACLs working on modern standalone Samba server. > > My guess would be docker container issues. > > Try setting up a bog-standard stand-alone fileserver (not on docker) > - no containerization, just using local users and NTLM auth. > > Get ACL then set with smbcacls. > > That should easily work, and the network trace should show > you what is being done. > > If that fails, get a debug level 10 and start digging > for the returned error message. > > This *should* be very simple. It works for me every day. > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2024-May-24 08:58 UTC
[Samba] How to set up a simple file server with full ACL support?
On Wed, 2024-05-22 at 21:05 -0700, Jeremy Allison wrote:> On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba > wrote: > > After 23 years answering questions here, I figure it might be time > > for > > me to ask one. > > > > As mentioned here: > > https://lists.samba.org/archive/samba-technical/2024-May/138969.html > > I > > am working with a client to improve a Go SMB client library. > > > > They want to manipulate ACLs on SMB, which is a very reasonable > > thing > > to want to do. > > > > What we had a lot of trouble with is simply setting Samba up as a > > standalone fileserver able to accept arbitrary NT ACL changes. > > .. > > However, despite connecting as root (within a docker container), we > > just get ACL errors that seem to be from Samba checking and failing > > against some existing (mapped) presumably ACL. > > > > I don't have the exact error strings to hand (was on the client's > > dev > > box) but I've been asked to provide a working set of steps to get > > arbitrary windows ACLs working on modern standalone Samba server. > > My guess would be docker container issues. > > Try setting up a bog-standard stand-alone fileserver (not on docker) > - no containerization, just using local users and NTLM auth. > > Get ACL then set with smbcacls.Thanks so much. It works with a real VM, and fails on the Docker image. The difference in the returned ACL, being the default created by a root user uploaded with smbclient is: (VM) O:S-1-5-21-453318200-1757343522-2642056891-1000G:S-1-5-21- 453318200-1757343522-2642056891-513D:(A;;FA;;;S-1-5-21-453318200- 1757343522-2642056891-1000)(A;;0x1200a9;;;S-1-5-21-453318200- 1757343522-2642056891-513)(A;;0x1200a9;;;WD) (Docker) O:S-1-5-21-1647377796-1824335532-2881770359-1000G:S-1-22-2- 0D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359- 1000)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)(A;;FA;;;S-1- 5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;WD) Both are Samba master built from source on Debian 12. It is a pity, both because Samba should work better in Docker, and because for a bit of testing a docker container is so much easier to manage. I've become so used to jumping into an ephemral container that setting up a real VM was actually quite a pain. Anyway, between this and my earlier complaint I've decided to put my hand to the file-server and make up a MR that will give better error messages and help us all trace errors better by passing better failure line numbers. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead https://catalyst.net.nz/services/samba Catalyst.Net Ltd Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company Samba Development and Support: https://catalyst.net.nz/services/samba Catalyst IT - Expert Open Source Solutions
Possibly Parallel Threads
- How to set up a simple file server with full ACL support?
- How to set up a simple file server with full ACL support?
- How to set up a simple file server with full ACL support?
- How to set up a simple file server with full ACL support?
- CfP VHPC20: HPC Containers-Kubernetes