similar to: Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients

Thanks for the first reply, Jeremy. What about the (future) implementation of RichACL? Will there be any native Linux Client support along with the SMB2/SMB3 protocol? I know, there is a native implemenation for RichACLs in ext4 FS. Unfortunately, smbcals is not a native Linux ACL Tool and has a very unhandy syntax. I just tested some days ago. ;-) I am looking for a solution that allows the

Hi Jeremy, Hi Steve, Hi Ronnie, thanks for your replies and the profound discussion. I think, it's best to demonstrate my problem case along an real world example: The following log of a console sesssion shows how I am doing the mounts on behalf Linux Kernel CIFS-FS Module on the client side against a Samba 4.5 file server (both running on Debian Stretch 9.8) via SMB/CIFS resp. SMB2 protocol:

On Tue, Feb 26, 2019 at 09:03:41AM -0800, Jeremy Allison via samba wrote: > > Check out the latest cifsfs code. I think Steve > and Aurelian and Ronnie added an ioctl for this. > > I'm here at Vault in Boston with Steve, I'll ask > him :-). Steve says there are two utilities in Linux, getcifsacl and setcifsacl that use a custom ioctl inside the Linux cifsfs kernel

ACL management can be done for SMB2/SMB3 ACLs with two common tools depending on your preference. smbcacls (somewhat similar to using cacls.exe or icacls.exe in Windows but specifying the UNC name rather than a local path name). smbcacls sets up and tears down a network connection each time it is run and uses Samba user space code. or setcifsacl/getcifsacl (which calls cifs.ko to access the

Dear samba folks, I have a special question regarding the simultaneous operation of nscd and winbindd on the same host: We are running in a Samba file server setup where the nsswitch.conf looks like this: passwd: files ldap group: files ldap shadow: files ldap hosts: files dns wins networks: files protocols: db files services: db files

Dear Jeremy, thanks for your instant reply. :-) Along with Linux native getfacl/fetfacl, I also tested getcifsacl/setcifsacl (for sure thoroughly ;-)). Unfortunately, these CIFS client tools seem to have been designed as part of the "old" CIFS Unix Extensions, working only for SMB/CIFS mounts, and are not supposed to work with SMB2/SMB3 mounts, as I guess. During my tests, the

Hi all, I am testing different setups for Samba home share mounts via the CIFS protocol on Linux clients with and without Keberos security (both krb5 and krb5i). I am experiencing some strange behaviour in case of Kerberos authentication: In case of mounts (by root or the user itself) without Kerberos security (only NTLMv2 authentication), local root and the owning user on the Linux client

Could you see if anything useful in the logs indicating why the ACL was not returned? Instructions are at: https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_Debugging (it is easier for newer kernels due to dynamic tracing e.g. "trace-cmd record -e cifs" but even with these older kernels it should be enough information in the dmesg logs - if not a wireshark trace

Hi all, are there any non-commercial solutions (apart from solutions like Dell EMC, IBM and NetApp) around that allow to simultaneously access the same file system via NFSv4 and Samba exports in a (nearly) non-conflicting manner, especially w.r.t. to NFSv4/Windows ACL incompatibilities? Best Sebatian ____________________ Sebastian Kraus Team IT am Institut f?r Chemie Geb?ude C, Stra?e des 17.

FreeNAS / FreeBSD have native NFSv4 ACLs. They do however lack kernel oplock support so there are perhaps some caveats in that regard. On Thu, Jul 2, 2020 at 3:07 PM Strahil Nikolov via samba < samba at lists.samba.org> wrote: > Hi Kraus, > > I know that Gluster can be exported over NFS-Ganesha (supports v4.X), > Samba (protocol 1.0 in order to get 'real'

On Tue, Feb 26, 2019 at 04:51:21PM +0000, Kraus, Sebastian via samba wrote: > Thanks for the first reply, Jeremy. > What about the (future) implementation of RichACL? Windows ACLs map quite well into RichACLs. Unfortunately Christolph Hellwig has peristently blocked any merge of the RichACLs code into the Linux kernel. If you use ZFS then you can use ZFSACLs which are quivalent. >

On Tue, Feb 26, 2019 at 03:05:12PM +0000, Kraus, Sebastian via samba wrote: > Dear all, > what is about the support for POSIX ACL in Samba protocol implementation of SMB2 and SMB3? > From what I extracted from SNIA and SambaXP developer conference talks and as well as the official Samba Wiki, > support for POSIX ACL in SMB2 and SMB3 has been completely abandonned. Am I right? Yes.

In current kernels we have the new IOCTL / QueryInfo passthrough where you can use a simple ioctl() on an object in a SMB2/3 share and pull the full security descriptor. It would be fairly trivial to expand this to allow setting the security descriptor too using SetInfo. We can add that when there is a need. Now, since this is available through a simple ioctl() interface, you can access this

Hi Kraus, I know that Gluster can be exported over NFS-Ganesha (supports v4.X), Samba (protocol 1.0 in order to get 'real' permissions), Apple's stuff and if you rebuild the source - you can use the built-in gNFS (supports NFS v3 over tcp) all at once. Yet, I'm not sure about the ACLs, so you should either test it yourself or ask on the gluster mailing list. Deployment

Hi, I want to use the SMB3 POSIX extensions in the latest Samba (with SMB3.1.1, vers=3.1.1). By following the user manual, I have added the "posix" mount option when mounting, but it shows the following error messages. Error messages: [xxxxx] CIFS VFS: Server does not support mounting with posix SMB3.11 extensions. [xxxxx] CIFS VFS: cifs_mount failed w/return code = -95 Mount option:

I passed by the changelog for the Linux CIFS Kernel Module at https://wiki.samba.org/index.php/LinuxCIFSKernel. The following two sections caught my attention: >> 4.19 Kernel (69 changesets, module version 2.13) >>Allow cifs.ko to be built with insecure dialects disabled (vers=1.0 and vers=2.0 not allowed). Add support for snapshot >> mounts (specifying "snapshot="

Hello, I am using Samba version 4.2.0rc4-GIT-4701d74. When using a connection in protocol smb2 or smb3, the unix client says symlinks are not supported, for example: # mount //ip.addr/Programs ./tmp -o vers=3.0 # cd tmp # ln -s bla blub ln: failed to create symbolic link ?blub?: Operation not supported # mount //ip.addr/Programs on /mnt/tmp type cifs

On Fri, Mar 01, 2019 at 08:05:52AM +1000, ronnie sahlberg wrote: > In current kernels we have the new IOCTL / QueryInfo passthrough where > you can use a simple ioctl() on an object in a SMB2/3 share and pull > the full security descriptor. > It would be fairly trivial to expand this to allow setting the > security descriptor too using SetInfo. We can add that when there is a >

HI , We have come up with a utility called smbxcals which is derived from smbcals, where we no need to establish the client connection to perform ACLs operations, by just giving the absolute path as a paratmeter can list and set ACLs as below, # smbxcacls /root/FOO/ REVISION:1 CONTROL:0x8404 OWNER:DEMOSP\Administrator GROUP:DEMOSP\Domain Users ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL

The SMB3 POSIX extensions is different from the old Unix extensions. The Unix extensions can only support vers=1.0, but the new SMB3 POSIX extensions can support SMB3.1.1, vers=3.1.1. You can check this 2018 presentation slides: https://www.snia.org/sites/default/files/SDC/2018/presentations/SMB/Steve_French_SMB311.pdf Page 12 shows that POSIX extensions has been added. Page 22 shows that SMB3