
Re: [Samba] ACL SHARE




Hello!
From what I realized, the problem is not in Samba but in the way ACLs work, specifically the mask question.
I did several tests:

touch  bla
chmod 700 bla
ls -l bla
-rwx------ 1 USERX domain users 0 Jun 29 09:53 bla

cp bla /home/QUALIDADELEIT

getfacl  /home/QUALIDADELEIT

getfacl /home/QUALIDADELEITE/
getfacl: Removing leading '/' from absolute path names
# file: home/QUALIDADELEITE/
# owner: administrator
# group: qualidadeleite
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:qualidadeleite:rwx
default:mask::rwx
default:other::---

getfacl bla

# file: bla
# owner: root
# group: root
user::rw-
group::rwx                      #effective:r--
group:qualidadeleite:rwx        #effective:r--
mask::r--
other::---


Even after configuring the mask, the "effective" permission is recalculated and my file is 700 ...

Any ideas on that?


Regards
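
An added example, not part of the original post: a small Python parser for getfacl output that recomputes the "#effective" column the way acl(5) specifies (the mask caps group:: and every named user/group entry, never user:: or other::) and shows what ls -l would print, since ls -l displays the mask in the group triplet when a mask exists. The sample ACL is copied from the getfacl output of bla above; function names are my own.

```python
# Added example (not from the original post): parse getfacl output and
# recompute the "#effective" column. Per acl(5) the mask caps the owning
# group (group::) and every named user/group entry; user:: and other::
# are never masked, and ls -l shows the mask in the group triplet.
# SAMPLE is the access ACL of 'bla' copied from the message above.
SAMPLE = """\
# file: bla
# owner: root
# group: root
user::rw-
group::rwx
group:qualidadeleite:rwx
mask::r--
other::---
"""

def parse_acl(text):
    """Return (is_default, tag, qualifier, perms) tuples from getfacl text."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()  # drop comments and #effective notes
        if not line:
            continue
        is_default = line.startswith('default:')
        if is_default:
            line = line[len('default:'):]
        tag, qualifier, perms = line.split(':')
        entries.append((is_default, tag, qualifier, perms))
    return entries

def effective(entries, default=False):
    """Map 'tag:qualifier' -> effective perms, applying the mask where acl(5) says."""
    acl = [(t, q, p) for d, t, q, p in entries if d == default]
    mask = next((p for t, q, p in acl if t == 'mask'), None)
    result = {}
    for tag, qualifier, perms in acl:
        masked = mask is not None and (tag == 'group' or (tag == 'user' and qualifier))
        if masked:  # AND the two rwx strings position by position
            perms = ''.join(c if c == m else '-' for c, m in zip(perms, mask))
        result[f'{tag}:{qualifier}'] = perms
    return result

def mode_string(entries):
    """The rwx string ls -l prints: owner, then mask (or group::), then other."""
    acl = {f'{t}:{q}': p for d, t, q, p in entries if not d}
    return acl['user:'] + acl.get('mask:', acl['group:']) + acl['other:']

if __name__ == '__main__':
    print(effective(parse_acl(SAMPLE)), mode_string(parse_acl(SAMPLE)))
```

Run against the directory listing above (with its default: entries), effective(..., default=True) shows the default mask rwx leaves the named group at rwx, which is why the loss of permissions only appears on the copied file, where a new mask r-- was computed from its creation mode.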


On 27-06-2017 17:29, Rowland Penny via samba wrote:
On Tue, 27 Jun 2017 21:55:15 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

But that's easily scriptable. ;-)
I have my scripts always ready for that.
This is why I run samba in AD mode and not RID.

If you compare the AD backend disadvantage
Disadvantages:
If the Windows Active Directory Users and Computers (ADUC) program is
not used, you have to manual track ID values to avoid duplicates. The
values for the RFC2307 attributes must be set manually.
You don't have to manually track the IDs, if you are using your own
scripts, you can script around this by adding the two missing
attributes and then updating these after adding a new user or group

To RID
Disadvantages:
File ownership of domain users and groups are lost, when the local
ID mapping database corrupts. << is oh so nasty.
Corrupt databases are possible whatever you use, but when you get one,
yes it is nasty.
All users on the domain member get the same login shell and home
directory base path assigned. User and group IDs are only the same on
other domain members using the rid back end, if the same ID ranges
are configured for the domain. All accounts and groups are
automatically available on the domain member and individual entries
cannot be excluded. Not recommended for multi-domain environments
because objects in different domains having the same relative
identifier (RID) get the same ID assigned.
Agree with all those points, though I should comment on the last one.
Work has been made to make it so that the DOMAIN ranges can overlap,
though this will mean that you will probably not be able to use
'winbind use default domain = yes', not sure if this will make 4.7
And managing the uid/gids from win7 RSAT tools is fine for me.

But that's my opinion.

RID.. Fine for a home or an office server without shares or shared home
folders or guest shares. But your main document server, always AD
for me. It happened to me once.. 9 years ago. Arg .. At that point I
also didn't have nice scripts.. A night's work.. :-/


I would tend to agree, if you only have one or two fileservers, you
can use the 'rid' backend, any more than that, use the 'ad' backend. If
you use a DC as a fileserver (not really recommended, but sometimes you
have to) use the 'ad' backend.

Rowland
