
Re: [Samba] "missing security tab" and related ACL issues




On 07.09.18 at 12:45, Rowland Penny via samba wrote:
On Fri, 7 Sep 2018 11:22:36 +0200
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:


At a customer server (gentoo linux, so far only Samba version 4.7.7)
we tried to use Windows ACLs and failed:

no security tab in Windows ... for local C: yes, not on samba shares

Yes, I followed

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

and have the vfs module enabled etc

-

Now I consider that the kernel doesn't have the necessary flags set.

I get

# getfattr -n security.NTACL -d  /mnt/MSA2040/smb/IT
/mnt/MSA2040/smb/IT: security.NTACL: Operation not supported

but

# getfacl /mnt/MSA2040/smb/IT
getfacl: Removing leading '/' from absolute path names
# file: mnt/MSA2040/smb/IT
# owner: ittner
# group: dom�nen-benutzer
user::rwx
group::rwx
other::r-x

-

From the old kernel config I see these flags unset:

# CONFIG_EXT4_FS_POSIX_ACL is not set
# CONFIG_EXT4_FS_SECURITY is not set

So I prepared a new kernel with these 2 flags enabled and will reboot
at 2:30pm ... We'll see!

Any other issues I might miss here?



Apart from the fact getattr works on an EA and getfacl works on
extended ACL's i.e. different things ? ;-)

what? One works, the other not ... I interpret that the kernel doesn't support the ACL-feature of ext4


Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
What is the German for 'admins' ?

wbinfo -g

shows "dom�nen-admins"

while


# wbinfo -g | grep -i admin
specops endpoint protection report admins
dnsadmins
schema-admins
organisations-admins
Binary file (standard input) matches

?? no "domänen-admins" in here

and

net rpc rights grant "DOM\domänen-admins" SeDiskOperatorPrivilege -U "DOM\administrator"

fails because the group is not found

I asked that already some times ago

and I try to work around that by granting that right to a group called IT and the few admins in there

At 2:30pm we plan to reboot into the other kernel.


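An added example, not part of the original thread and not Samba's own code: a POSIX shell check for the two ext4 kernel options named in the post, plus a classifier that separates getfattr's "Operation not supported" (the filesystem rejects the xattr request) from "No such attribute" (xattrs work, the attribute is simply not set). The function names and the sample config file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.
# On a real host the config could come from /proc/config.gz or
# /boot/config-$(uname -r), if the kernel or distribution provides one.

# Print enabled / disabled / absent for one bool option.
# $1 = option name, $2 = path to a kernel config file
kconfig_state() {
    if grep -q "^$1=y\$" "$2"; then
        echo enabled
    elif grep -Fxq "# $1 is not set" "$2"; then
        echo disabled
    else
        echo absent
    fi
}

# Succeed only if both ext4 options named in the post are enabled.
ext4_acl_xattr_ready() {
    [ "$(kconfig_state CONFIG_EXT4_FS_POSIX_ACL "$1")" = enabled ] &&
    [ "$(kconfig_state CONFIG_EXT4_FS_SECURITY "$1")" = enabled ]
}

# Map one getfattr error line to what it says about the filesystem.
classify_getfattr() {
    case "$1" in
        *"Operation not supported"*) echo unsupported ;;  # ENOTSUP
        *"No such attribute"*)       echo unset ;;        # ENODATA
        *"Permission denied"*|*"Operation not permitted"*) echo denied ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: the two lines quoted from the old kernel config.
old_cfg=$(mktemp)
printf '%s\n' '# CONFIG_EXT4_FS_POSIX_ACL is not set' \
              '# CONFIG_EXT4_FS_SECURITY is not set' > "$old_cfg"

for opt in CONFIG_EXT4_FS_POSIX_ACL CONFIG_EXT4_FS_SECURITY; do
    echo "$opt: $(kconfig_state "$opt" "$old_cfg")"
done
classify_getfattr '/mnt/MSA2040/smb/IT: security.NTACL: Operation not supported'
```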