Web lists-archives.com

[Samba] Dir ACL through windows and chmod




Samba-4.3.5, Debian

smb.conf
===
[global]
    workgroup = WG
    security = ADS
    realm = WG.LOCAL

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    idmap config * : backend = tdb
    idmap config * : range = 2000-10000

    idmap config * : backend = rid
    idmap config * : range = 300000-400000

#    idmap config WG : backend = ad
#    idmap config WG : range = 300000-400000
#    idmap config WG : schema_mode = rfc2307

    winbind use default domain = yes
    winbind nss info = rfc2307
    winbind refresh tickets = yes

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    max log size = 1000
    log level = 5 vfs:1
    syslog = 5

    load printers = no
    printing = bsd
    show add printer wizard = no
    disable spoolss = yes
    printcap name = /dev/null

#======================= Share Definitions =======================

[n]
     comment = File share
     path = /mnt/n
     read only = no
    valid users = @"Domain Users" @"Domain Admins" @all
    admin users = admin @it
#    inherit acls = yes
    force create mode = 0777
    directory mask = 0770
    hide unreadable = yes

===

getfacl /mnt/n/01
===
# file: 01
# owner: admin
# group: g01
user::rwx
user:u01:rwx
group::rwx
group:admin:rwx
group:g01:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx       #effective:---
default:user:u01:rwx             #effective:---
default:group::---
default:group:g01:rwx            #effective:---
default:mask::---
default:other::---
===

In need folders have to be seen (and accessed) only by appropriate domain groups. For example, there are domain groups g01, g02, g03, etc, users in these groups have to see only "their" folders: u01 - \\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03 This is done by "Hide unreadable = yes" in smb.conf, by granting access (using "Security" tab in windows' folder rights) for concrete group to concrete directory and then chmod'ing this folder to 0770. But, if then I again modify ACLs through "Security" (for example - adding another group access to folder) samba sets 0777 to this folder and it becomes "visible" to all others. And I have again set 0770 on Samba server.
This seems to work, but:
- not good to windows admins, which only has to know about "Security" tab in folder rights; - mixing ACLs with unix rights makes a mess and seems not right way to solve task.

What is the "right way" to do such task?



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba