samba - May 2024 - How to set up a simple file server with full ACL support?

On Wed, 2024-05-22 at 21:05 -0700, Jeremy Allison wrote:
> On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba
> wrote:
> > After 23 years answering questions here, I figure it might be time
> > for
> > me to ask one.
> > 
> > As mentioned here:
> > https://lists.samba.org/archive/samba-technical/2024-May/138969.html
> >  I
> > am working with a client to improve a Go SMB client library.
> > 
> > They want to manipulate ACLs on SMB, which is a very reasonable
> > thing
> > to want to do.
> > 
> > What we had a lot of trouble with is simply setting Samba up as a
> > standalone fileserver able to accept arbitrary NT ACL changes.
> > ..
> > However, despite connecting as root (within a docker container), we
> > just get ACL errors that seem to be from Samba checking and failing
> > against some existing (mapped) presumably ACL.
> > 
> > I don't have the exact error strings to hand (was on the
client's
> > dev
> > box) but I've been asked to provide a working set of steps to get
> > arbitrary windows ACLs working on modern standalone Samba server.
> 
> My guess would be docker container issues.
> 
> Try setting up a bog-standard stand-alone fileserver (not on docker)
> - no containerization, just using local users and NTLM auth.
> 
> Get ACL then set with smbcacls.
Thanks so much.  It works with a real VM, and fails on the Docker
image.

The difference in the returned ACL, being the default created by a root
user uploaded with smbclient is:

(VM) O:S-1-5-21-453318200-1757343522-2642056891-1000G:S-1-5-21-
453318200-1757343522-2642056891-513D:(A;;FA;;;S-1-5-21-453318200-
1757343522-2642056891-1000)(A;;0x1200a9;;;S-1-5-21-453318200-
1757343522-2642056891-513)(A;;0x1200a9;;;WD)

(Docker) O:S-1-5-21-1647377796-1824335532-2881770359-1000G:S-1-22-2-
0D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-
1000)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)(A;;FA;;;S-1-
5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;WD)

Both are Samba master built from source on Debian 12.

It is a pity, both because Samba should work better in Docker, and
because for a bit of testing a docker container is so much easier to
manage.  I've become so used to jumping into an ephemral container that
setting up a real VM was actually quite a pain.

Anyway, between this and my earlier complaint I've decided to put my
hand to the file-server and make up a MR that will give better error
messages and help us all trace errors better by passing better failure
line numbers.  

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

On Fri, 24 May 2024 20:58:02 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Wed, 2024-05-22 at 21:05 -0700, Jeremy Allison wrote:
> > On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba
> > wrote:
> > > After 23 years answering questions here, I figure it might be
time
> > > for
> > > me to ask one.
> > > 
> > > As mentioned here:
> > >
https://lists.samba.org/archive/samba-technical/2024-May/138969.html
> > >  I
> > > am working with a client to improve a Go SMB client library.
> > > 
> > > They want to manipulate ACLs on SMB, which is a very reasonable
> > > thing
> > > to want to do.
> > > 
> > > What we had a lot of trouble with is simply setting Samba up as a
> > > standalone fileserver able to accept arbitrary NT ACL changes.
> > > ..
> > > However, despite connecting as root (within a docker container),
> > > we just get ACL errors that seem to be from Samba checking and
> > > failing against some existing (mapped) presumably ACL.
> > > 
> > > I don't have the exact error strings to hand (was on the
client's
> > > dev
> > > box) but I've been asked to provide a working set of steps to
get
> > > arbitrary windows ACLs working on modern standalone Samba server.
> > 
> > My guess would be docker container issues.
> > 
> > Try setting up a bog-standard stand-alone fileserver (not on docker)
> > - no containerization, just using local users and NTLM auth.
> > 
> > Get ACL then set with smbcacls.
> 
> Thanks so much.  It works with a real VM, and fails on the Docker
> image.
> 
> The difference in the returned ACL, being the default created by a
> root user uploaded with smbclient is:
> 
> (VM) O:S-1-5-21-453318200-1757343522-2642056891-1000G:S-1-5-21-
> 453318200-1757343522-2642056891-513D:(A;;FA;;;S-1-5-21-453318200-
> 1757343522-2642056891-1000)(A;;0x1200a9;;;S-1-5-21-453318200-
> 1757343522-2642056891-513)(A;;0x1200a9;;;WD)
Hi Andrew, just a question, you said that you were setting up a
standalone server, so how have you got the RID for Domain Users ?

Rowland
> 
> (Docker) O:S-1-5-21-1647377796-1824335532-2881770359-1000G:S-1-22-2-
> 0D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-
> 1000)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)(A;;FA;;;S-1-
> 5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;WD)
> 
> Both are Samba master built from source on Debian 12.
> 
> It is a pity, both because Samba should work better in Docker, and
> because for a bit of testing a docker container is so much easier to
> manage.  I've become so used to jumping into an ephemral container
> that setting up a real VM was actually quite a pain.
> 
> Anyway, between this and my earlier complaint I've decided to put my
> hand to the file-server and make up a MR that will give better error
> messages and help us all trace errors better by passing better failure
> line numbers.  
> 
> Andrew Bartlett
>