search for: nfs_aces

...the global or a share section? Thanks for the hint! After putting it in the global options the create mode mimics the parent directory as one would expect from " inherit permissions = yes inherit acls = yes " If possible it would be less dangerous (securitywise) not to have fruit:nfs_aces setting interact with 'inherit permissions' and 'inherit acls'. Or at least the default setting of nfs_aces should not interact with a big warning/explanation of how changing to nfs_aces = yes will interact. Thanks again! Chad.

...ng it in the global options the create >> mode mimics the parent directory as one would expect from >> " >> inherit permissions = yes >> inherit acls = yes >> " >> >> If possible it would be less dangerous (securitywise) not to have >> fruit:nfs_aces setting interact with 'inherit permissions' and 'inherit >> acls'. >> >> Or at least the default setting of nfs_aces should not interact with a big >> warning/explanation of how changing to nfs_aces = yes will interact. > > well, the thing is, inheritan...

...gt; the directory browsing performance of Mac clients. After enabling it some of > our tests began failing due to an "The permissions on x are incorrectly > ordered" error on Windows. Which tests? > I chased it down to a behavior in vfs_fruit that is enabled by the > fruit:nfs_aces config option. The manpage section for this option > says: > > > Whether support for querying and modifying the UNIX mode of > > directory entries via NFS ACEs is enabled, default yes. > > I took a brief look at the module's source and sure enough it looks to be >...

> well, the thing is, inheritance works as designed with fruit:nfs_aces=yes, it's > just that the client changes permissions *after* the fact... How icky. Is it b/c mac's don't understand the Linux (posix?) extended acl? I suppose Samba cannot tell when the client is changing the permissions as a misunderstanding versus purposefully? E.g. is the p...

...the "other" mode is 'r--' (file) or 'r-x' (directory) even though the parent directory is '---'. On Windows, Linux, and Macintosh with vfs_fruit not loaded all create files and directories with mode for other set to '---'. I've tried 'fruit:nfs_aces = no' with no change. Any ideas? Chad. Samba version: 4.2.10+dfsg-0+deb8u3 # Global parameters [global] workgroup = PHYSICS realm = PHYSICS.WISC.EDU server string = %h server security = ADS map to guest = Bad User kerberos method = sec...

...reate > >>mode mimics the parent directory as one would expect from > >>" > >>inherit permissions = yes > >>inherit acls = yes > >>" > >> > >>If possible it would be less dangerous (securitywise) not to have > >>fruit:nfs_aces setting interact with 'inherit permissions' and 'inherit > >>acls'. > >> > >>Or at least the default setting of nfs_aces should not interact with a big > >>warning/explanation of how changing to nfs_aces = yes will interact. > > > >wel...

...ons = No > wide links = Yes > use sendfile = Yes > host msdfs = No > > # ease upgrades from Samba 3.6 > acl allow execute always = Yes > # permit NTLMv1 authentication > ntlm auth = Yes > > # default global fruit settings: > #fruit:aapl = Yes > #fruit:nfs_aces = Yes > fruit:nfs_aces = No > #fruit:copyfile = No > #fruit:model = MacSamba > > # hook for user-defined samba config > include = /boot/config/smb-extra.conf > > # auto-configured shares > include = /etc/samba/smb-shares.conf > > smb-names.conf (clean inst...

...it:metadata = stream That seems to have made no difference. I then changed the create mode in a share I was testing on from: create mode = 0660 to: force create mode = 0760 That had the effect of instead of making files --rwx--+ they’d come up as -r--rwxr--+. What am I missing here? Would fruit:nfs_aces = no be the way forward? Is the order I list my vfs objects in problematic? Cheers, tack

...# Pardon ? 3.6 Died 8 years ago > acl allow execute always = Yes > # permit NTLMv1 authentication > ntlm auth = Yes # Why ? > > # default global fruit settings: # Non of which will have any affect because non of the apple vfs objects are turned on. > #fruit:aapl = Yes > #fruit:nfs_aces = Yes > fruit:nfs_aces = No > #fruit:copyfile = No > #fruit:model = MacSamba > > It is for a standalone server. > > Can you please join it to the domain and then post the new smb.conf , I > am looking to see what the default idmap backend is for the domain. > > Rowland...

...miliar with the Apple environment, so I'm unsure if the following settings are necessary for my wife to read and write in|/mnt/shared/partage_de_fichiers|: easupport =yes vfsobjects = catia fruit streams_xattr fruit:delete_empty_adfiles =yes fruit:metadata = stream fruit:model = MacSamba fruit:nfs_aces =no fruit:posix_rename =yes fruit:veto_appledouble =no fruit:wipe_intentionally_left_blank_rfork =yes I appreciate your help in resolving this issue! Best regards, Jonathan Le 10/16/2024 ? 12:51 PM, Rowland Penny via samba a ?crit?: > On Tue, 15 Oct 2024 21:58:40 +0200 > Jonathan Szalave...

...write size = 0 # misc. invalid users = root unix extensions = No wide links = Yes use sendfile = Yes host msdfs = No # ease upgrades from Samba 3.6 acl allow execute always = Yes # permit NTLMv1 authentication ntlm auth = Yes # default global fruit settings: #fruit:aapl = Yes #fruit:nfs_aces = Yes fruit:nfs_aces = No #fruit:copyfile = No #fruit:model = MacSamba # hook for user-defined samba config include = /boot/config/smb-extra.conf # auto-configured shares include = /etc/samba/smb-shares.conf smb-names.conf (clean install) # Generated names netbios name = Tower server s...

...cap name = /dev/null realm = TESTLAB.COM security = ADS server string = Media server show add printer wizard = No smb1 unix extensions = No winbind use default domain = Yes workgroup = TESTLAB idmap config testlab : range = 10000-999999 idmap config testlab : backend = rid fruit:nfs_aces = No idmap config * : range = 3000-7999 idmap config * : backend = tdb hide dot files = No include = /etc/samba/smb-shares.conf invalid users = root map acl inherit = Yes use sendfile = Yes vfs objects = acl_xattr wide links = Yes [PrivateShare] path = /mnt/user/PrivateShare...

...770 > ?? force group = sharedaccess > ?? force create mode = 0660 > ?? min protocol = SMB2 > ?? ea support = yes > ?? vfs objects = catia fruit streams_xattr > ?? fruit:delete_empty_adfiles = yes > ?? fruit:metadata = stream > ?? fruit:model = MacSamba > ?? fruit:nfs_aces = no > ?? fruit:posix_rename = yes > ?? fruit:veto_appledouble = no > ?? fruit:wipe_intentionally_left_blank_rfork = yes > > ``` Quite a lot of those parameters are set to the defaults and others should be in 'global'. > > > Despite these settings, files copi...

...o usershare max shares = 0 unix extensions = no wide links = no encrypt passwords = true guest account = nobody logon path = hide special files = no printcap name = cups use sendfile = true vfs object = catia fruit streams_xattr acl_xattr fruit:nfs_aces = no reset on zero vc = yes #======================= Share Definitions ======================= [test-volume] path = /daten/pv50/test-volume valid users = @support admin users = @support read only = no inherit permissions = yes inherit acls = yes map...

...ide links = no >> encrypt passwords = true >> guest account = nobody >> logon path = >> hide special files = no >> printcap name = cups >> use sendfile = true >> vfs object = catia fruit streams_xattr acl_xattr >> fruit:nfs_aces = no >> reset on zero vc = yes >> >> #======================= Share Definitions ======================= >> >> [test-volume] >> path = /daten/pv50/test-volume >> valid users = @support >> admin users = @support >> read onl...

...?? create mask = 0660 ?? directory mask = 0770 ?? force group = sharedaccess ?? force create mode = 0660 ?? min protocol = SMB2 ?? ea support = yes ?? vfs objects = catia fruit streams_xattr ?? fruit:delete_empty_adfiles = yes ?? fruit:metadata = stream ?? fruit:model = MacSamba ?? fruit:nfs_aces = no ?? fruit:posix_rename = yes ?? fruit:veto_appledouble = no ?? fruit:wipe_intentionally_left_blank_rfork = yes ``` Despite these settings, files copied from Windows are created with permissions |rw-------|, which restricts access to only the file owner. I have a |umask| set to |0002| in...

...r -l. Nothing is there. > As expected, afair the client doesn't support modifyint ACLs on an smb > mount. Have you verified this works against an Apple SMB server? I didn’t know that. I confirm client can’t do this with Apple SMB server either. Thank you for info. >> fruit:nfs_aces = yes >> fruit:veto_appledouble = yes > > fwiw, I'd remove anything that is the default. Are there any possible problems with this approach apart from convention/cleaner config? Our Samba admin prefers it this way. > man setfattr admin-apple # touch test.txt admin-apple...

...og.%m map to guest = Bad User max log size = 100000 panic action = /usr/share/samba/panic-action %d realm = YOUR.KERB.REALM security = USER server signing = required server string = %h server workgroup = MYWORKGR fruit:nfs_aces = no idmap config * : backend = tdb -------------------------------------------- sssd.conf [sssd] config_file_version = 2 services = nss, pam debug_level = 7 domains = YOUR.KERB.REALM [nss] filter_groups = root filter_users = root debug_level = 7 [pam] debug_level = 7 [domain/YOUR.KERB....

...alm = TESTLAB.COM > security = ADS > server min protocol = SMB2 > server multi channel support = No > server string = Media server > show add printer wizard = No > smb1 unix extensions = No > winbind use default domain = Yes > workgroup = TESTLAB > fruit:nfs_aces = No > idmap config * : range = 10000-4000000000 > idmap config * : backend = hash That is what I was looking for, the default 'idmap config' is set to 'hash', which shouldn't be used. Especially as it says 'idmap_hash - DO NOT USE THIS BACKEND' at the top of...

...e know > if I'm missing something. > > Best regards, > > Jonathan > Sorry about that, I missed that out, try this one: [global] ?? workgroup = WORKGROUP ?? vfs objects = catia fruit streams_xattr ?? fruit:delete_empty_adfiles = yes ?? fruit:metadata = stream ?? fruit:nfs_aces = no ?? fruit:veto_appledouble = no ?? fruit:wipe_intentionally_left_blank_rfork = yes [NAS] ?? comment = RaspberryPi ?? path = /mnt/shared ?? read only = no ?? create mask = 0600 ?? directory mask = 0700 [DatabaseShare] ?? comment = Database File Share ?? path = /mnt/shared/partage_de_f...