Related note:
Does anyone know if Samba honors NFSv4-style ACLs?
We have a NetApp here which appears to be the only NFSv4 server in the world with fully
fledged ACL functionality; unfortunately it cannot translate NFSv4 ACLs to Windows ACLs
despite their similarity.
I was hoping Samba could possibly do a better job here...
Ondrej
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: Thursday, February 23, 2017 9:35 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: Setting ACLs through Samba from Windows?
On Wed, Feb 22, 2017 at 04:56:07PM -0800, Omen Wild wrote:
A small group of us have been trying to get our Ubuntu servers fully
integrated into AD with sssd and Samba. We have slowly chipped away at
the issues. We believe we are left with one major issue: Windows
cannot set ACLs through Samba. The Windows permission dialog seems to
work, but when you click Apply they vanish, and getfacl on Ubuntu
shows they were not applied.
The host is Ubuntu 16.04.2, up to date as of today, so sssd
1.13.4-1ubuntu1.1 and Samba 2:4.3.11+dfsg-0ubuntu0.16.04.3.
Our AD is set up with OU.AD3.UCDAVIS.EDU as a child domain in the same
forest as the parent domain, AD3.UCDAVIS.EDU, with users in
AD3.UCDAVIS.EDU and computers and groups in OU.AD3.UCDAVIS.EDU.
The sssd part seems to be setup correctly. We can login via SSH and
auth correctly with Samba. Windows honors the ACLs that are set on the
Ubuntu side, but setting ACLs on Windows fails to actually apply. The
Samba config is attached.
[storage] is on ZFS with:
root@phys-adtest:~# zfs get all storage | grep acl
storage  aclinherit  restricted  local
storage  acltype     posixacl    local
And [storage2] is on ext4 with the user_xattr mount option added.
The behavior, where ACLs vanish after clicking Apply in Windows is the
same with both of them.
I had previously found a thread with the issue on a Samba mailing list
indicating it "must be a sssd issue because it works with winbind",
but can't find the thread now.
Anyone have any clues as to what may be going wrong or what config
options I should check? I can post debug logs if it would help.
Yes, Samba debug logs would be useful. One of the more recent issues which might not be
fixed in the SSSD ubuntu package you use is
https://fedorahosted.org/sssd/ticket/3028. Do
you have a chance to test with SSSD 1.14.x?
HTH
bye,
Sumit
Thanks,
Omen
--
Omen Wild
Systems Administrator
Metro Cluster
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
security = ads
workgroup = OU
realm = OU.AD3.UCDAVIS.EDU
netbios name = PHYS-ADTEST
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
template homedir = /home/%u
password server = *
server string = Samba Server
log file = /var/log/samba/log.%m
max log size = 5000
log level = 999
load printers = No
cups options = raw
# This stops an annoying message from appearing in logs
printcap name = /dev/null
local master = no
domain master = no
preferred master = no
wins support = no
wins proxy = no
dns proxy = yes
name resolve order = wins bcast host lmhosts
#======================= Share Definitions =======================
# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[homes]
comment = Home Directories
browseable = no
read only = no
valid users = %S
[storage]
comment = PHYS-ADTEST Test space (ZFS)
browseable = yes
read only = no
path = /storage
writable = yes
read only = no
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
map acl inherit = yes
store dos attributes = yes
acl group control = yes
dos filemode = yes
# https://aisalen.wordpress.com/2007/08/10/acls-on-samba/
acl map full control = yes
create mask = 0600
directory mask = 0700
# http://www.techtutorials.net/articles/integrating_a_linux_server_into_act...
inherit acls = yes
inherit permissions = yes
[storage2]
comment = PHYS-ADTEST Test space (ext4)
browseable = yes
read only = no
path = /storage2
writable = yes
read only = no
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
map acl inherit = yes
store dos attributes = yes
acl group control = yes
dos filemode = yes
# https://aisalen.wordpress.com/2007/08/10/acls-on-samba/
acl map full control = yes
create mask = 0600
directory mask = 0700
# http://www.techtutorials.net/articles/integrating_a_linux_server_into_act...
inherit acls = yes
inherit permissions = yes
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
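Editor's added example (not from the thread, not from Samba or SSSD): a small checker for the share sections of an smb.conf like the one attached above. It parses the file with a hand-written reader so that repeated directives survive (configparser would silently keep the last one), then reports for each share which of the settings the Samba wiki page cited in the config (Setting_up_a_Share_Using_Windows_ACLs) recommends for Windows-managed ACLs are absent, which directives are repeated, and whether `read only` and `writable` contradict each other. The recommended-settings list (`vfs objects = acl_xattr`, `map acl inherit = yes`, `store dos attributes = yes`) is taken from that wiki page, not from anything said in the thread; the sample config is constructed to mirror the posted [storage] share plus two variants. The script is a supplement to `testparm`, which remains the authoritative syntax check.

```python
"""Report ACL-related gaps in the share sections of an smb.conf.

Added example; not code from the mailing-list thread or from Samba.
"""

# Settings the Samba wiki page
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
# recommends for shares whose ACLs are set from Windows (recorded from the
# wiki, not from the thread). 'vfs objects' is a list; acl_xattr must appear
# somewhere in it.
REQUIRED = {
    "vfs objects": "acl_xattr",
    "map acl inherit": "yes",
    "store dos attributes": "yes",
}

# Sections Samba treats specially; they are not ordinary file shares.
SPECIAL_SECTIONS = {"global", "printers", "print$"}

# Constructed sample: [storage] mirrors the share posted in the thread,
# [storage_fixed] adds the wiki's missing directive, [broken] is contradictory.
SAMPLE_SMB_CONF = """\
[global]
   security = ads
   workgroup = OU

[storage]
   comment = Test space (ZFS)
   path = /storage
   read only = no
   writable = yes
   read only = no
   # https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
   map acl inherit = yes
   store dos attributes = yes
   acl group control = yes
   dos filemode = yes
   inherit acls = yes

[storage_fixed]
   comment = constructed variant with the wiki's recommended settings
   path = /storage
   read only = no
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   inherit acls = yes

[broken]
   path = /srv/broken
   read only = yes
   writable = yes
   vfs objects = acl_xattr
"""


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and repeats.

    Keys are lower-cased and whitespace-normalised; '#' and ';' lines are
    comments; text before the first section header is ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections


def samba_bool(value):
    """Map Samba boolean spellings to True/False; None if unrecognised."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None


def check_share(options):
    """Check one share's (key, value) list; the last value of a repeated key wins."""
    last, counts = {}, {}
    for key, value in options:
        last[key] = value
        counts[key] = counts.get(key, 0) + 1
    missing = [k for k, wanted in REQUIRED.items()
               if wanted not in last.get(k, "").lower().split()]
    repeated = sorted(k for k, n in counts.items() if n > 1)
    conflicts = []
    if "read only" in last and "writable" in last:
        ro, wr = samba_bool(last["read only"]), samba_bool(last["writable"])
        # 'writable' is the inverse of 'read only'; equal booleans contradict.
        if ro is not None and wr is not None and ro == wr:
            conflicts.append("read only/writable")
    return {"missing": missing, "repeated": repeated, "conflicts": conflicts}


def check_all(text):
    """Run check_share over every non-special section of an smb.conf text."""
    return {name: check_share(opts)
            for name, opts in parse_smb_conf(text).items()
            if name not in SPECIAL_SECTIONS}


if __name__ == "__main__":
    for share, result in check_all(SAMPLE_SMB_CONF).items():
        print(f"[{share}]")
        for kind, items in result.items():
            print(f"  {kind}: {', '.join(items) if items else '-'}")
```

On the constructed sample the script flags [storage] for lacking `vfs objects = acl_xattr` and for the repeated `read only` line, passes [storage_fixed], and reports the `read only = yes` / `writable = yes` contradiction in [broken]. Whether a missing `acl_xattr` module is the cause of the behaviour described in the thread is not something the thread establishes; the script only shows where the posted config diverges from the wiki page it cites.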