Andrew Bartlett
2024-May-24 08:58 UTC
[Samba] How to set up a simple file server with full ACL support?
On Wed, 2024-05-22 at 21:05 -0700, Jeremy Allison wrote:
> On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba wrote:
> > After 23 years answering questions here, I figure it might be time for
> > me to ask one.
> >
> > As mentioned here:
> > https://lists.samba.org/archive/samba-technical/2024-May/138969.html
> > I am working with a client to improve a Go SMB client library.
> >
> > They want to manipulate ACLs on SMB, which is a very reasonable thing
> > to want to do.
> >
> > What we had a lot of trouble with is simply setting Samba up as a
> > standalone fileserver able to accept arbitrary NT ACL changes.
> > ..
> > However, despite connecting as root (within a docker container), we
> > just get ACL errors that seem to be from Samba checking and failing
> > against some existing (mapped) presumably ACL.
> >
> > I don't have the exact error strings to hand (was on the client's dev
> > box) but I've been asked to provide a working set of steps to get
> > arbitrary windows ACLs working on modern standalone Samba server.
>
> My guess would be docker container issues.
>
> Try setting up a bog-standard stand-alone fileserver (not on docker)
> - no containerization, just using local users and NTLM auth.
>
> Get ACL then set with smbcacls.

Thanks so much. It works with a real VM, and fails on the Docker image.

The difference in the returned ACL, being the default created by a root user uploaded with smbclient is:

(VM)
O:S-1-5-21-453318200-1757343522-2642056891-1000G:S-1-5-21-453318200-1757343522-2642056891-513D:(A;;FA;;;S-1-5-21-453318200-1757343522-2642056891-1000)(A;;0x1200a9;;;S-1-5-21-453318200-1757343522-2642056891-513)(A;;0x1200a9;;;WD)

(Docker)
O:S-1-5-21-1647377796-1824335532-2881770359-1000G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;WD)

Both are Samba master built from source on Debian 12.

It is a pity, both because Samba should work better in Docker, and because for a bit of testing a docker container is so much easier to manage. I've become so used to jumping into an ephemeral container that setting up a real VM was actually quite a pain.

Anyway, between this and my earlier complaint I've decided to put my hand to the file-server and make up an MR that will give better error messages and help us all trace errors better by passing better failure line numbers.

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
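Added example, not part of the original message and not Samba code: a small SDDL parser run over the two descriptors quoted above, reporting the group SID type, repeated ACEs and Unix-mapped trustees. The names `parse_sddl`, `sid_kind` and `report` are hypothetical, and the strings assume the mail line wraps are rejoined without spaces.

```python
import re
from collections import Counter

# Descriptors as quoted in the message above; rejoining the mail
# line wraps is an assumption about the original strings.
VM = ("O:S-1-5-21-453318200-1757343522-2642056891-1000"
      "G:S-1-5-21-453318200-1757343522-2642056891-513"
      "D:(A;;FA;;;S-1-5-21-453318200-1757343522-2642056891-1000)"
      "(A;;0x1200a9;;;S-1-5-21-453318200-1757343522-2642056891-513)"
      "(A;;0x1200a9;;;WD)")
DOCKER = ("O:S-1-5-21-1647377796-1824335532-2881770359-1000"
          "G:S-1-22-2-0"
          "D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)"
          "(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)"
          "(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)"
          "(A;;0x1200a9;;;WD)")

SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an O:/G:/D: descriptor into owner, group and DACL ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: security descriptor")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = body.split(";")  # type;flags;rights;obj;inherit_obj;trustee
        if len(fields) != 6:
            raise ValueError(f"ACE needs 6 fields: ({body})")
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return {"owner": m["owner"], "group": m["group"], "aces": aces}

def sid_kind(sid):
    """Classify a trustee; S-1-22-1/S-1-22-2 are Samba's Unix user/group SIDs."""
    if sid.startswith("S-1-22-1-"):
        return "unix-user"
    if sid.startswith("S-1-22-2-"):
        return "unix-group"
    return "account-domain" if sid.startswith("S-1-5-21-") else "well-known"

def report(sddl):
    """Summarise the features that differ between the VM and Docker ACLs."""
    sd = parse_sddl(sddl)
    dupes = [ace for ace, n in Counter(sd["aces"]).items() if n > 1]
    unix = sorted({t for *_, t in sd["aces"] if sid_kind(t).startswith("unix")})
    return {"group_kind": sid_kind(sd["group"]), "ace_count": len(sd["aces"]),
            "duplicate_aces": dupes, "unix_trustees": unix}
```

Calling `report(DOCKER)` shows a Unix-mapped group SID (gid 0) and two ACEs that each appear twice; `report(VM)` shows neither.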
Rowland Penny
2024-May-24 10:26 UTC
[Samba] How to set up a simple file server with full ACL support?
On Fri, 24 May 2024 20:58:02 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Wed, 2024-05-22 at 21:05 -0700, Jeremy Allison wrote:
> > On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba wrote:
> > > After 23 years answering questions here, I figure it might be time
> > > for me to ask one.
> > >
> > > As mentioned here:
> > > https://lists.samba.org/archive/samba-technical/2024-May/138969.html
> > > I am working with a client to improve a Go SMB client library.
> > >
> > > They want to manipulate ACLs on SMB, which is a very reasonable
> > > thing to want to do.
> > >
> > > What we had a lot of trouble with is simply setting Samba up as a
> > > standalone fileserver able to accept arbitrary NT ACL changes.
> > > ..
> > > However, despite connecting as root (within a docker container),
> > > we just get ACL errors that seem to be from Samba checking and
> > > failing against some existing (mapped) presumably ACL.
> > >
> > > I don't have the exact error strings to hand (was on the client's
> > > dev box) but I've been asked to provide a working set of steps to get
> > > arbitrary windows ACLs working on modern standalone Samba server.
> >
> > My guess would be docker container issues.
> >
> > Try setting up a bog-standard stand-alone fileserver (not on docker)
> > - no containerization, just using local users and NTLM auth.
> >
> > Get ACL then set with smbcacls.
>
> Thanks so much. It works with a real VM, and fails on the Docker
> image.
>
> The difference in the returned ACL, being the default created by a
> root user uploaded with smbclient is:
>
> (VM)
> O:S-1-5-21-453318200-1757343522-2642056891-1000G:S-1-5-21-453318200-1757343522-2642056891-513D:(A;;FA;;;S-1-5-21-453318200-1757343522-2642056891-1000)(A;;0x1200a9;;;S-1-5-21-453318200-1757343522-2642056891-513)(A;;0x1200a9;;;WD)

Hi Andrew, just a question, you said that you were setting up a standalone server, so how have you got the RID for Domain Users?

Rowland

> (Docker)
> O:S-1-5-21-1647377796-1824335532-2881770359-1000G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;S-1-22-2-0)(A;;FA;;;S-1-5-21-1647377796-1824335532-2881770359-1000)(A;;0x1200a9;;;WD)
>
> Both are Samba master built from source on Debian 12.
>
> It is a pity, both because Samba should work better in Docker, and
> because for a bit of testing a docker container is so much easier to
> manage. I've become so used to jumping into an ephemeral container
> that setting up a real VM was actually quite a pain.
>
> Anyway, between this and my earlier complaint I've decided to put my
> hand to the file-server and make up an MR that will give better error
> messages and help us all trace errors better by passing better failure
> line numbers.
>
> Andrew Bartlett