
Re: [Samba] "missing security tab" and related ACL issues

On Fri, 7 Sep 2018 14:02:01 +0200
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On 07.09.18 at 12:45, Rowland Penny via samba wrote:
> > On Fri, 7 Sep 2018 11:22:36 +0200
> > "Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> >>
> >> At a customer server (gentoo linux, so far only Samba version
> >> 4.7.7) we tried to use Windows ACLs and failed:
> >>
> >> no security tab in Windows ... for local C: yes, not on samba
> >> shares
> >>
> >> Yes, I followed
> >>
> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >>
> >> and have the vfs module enabled etc
> >>
> >> -
> >>
> >> Now I consider that the kernel doesn't have the necessary flags
> >> set.
> >>
> >> I get
> >>
> >> # getfattr -n security.NTACL -d  /mnt/MSA2040/smb/IT
> >> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
> >>
> >> but
> >>
> >> # getfacl /mnt/MSA2040/smb/IT
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: mnt/MSA2040/smb/IT
> >> # owner: ittner
> >> # group: domänen-benutzer
> >> user::rwx
> >> group::rwx
> >> other::r-x
> >>
> >> -
> >>
> >>   From the old kernel config I see these flags unset:
> >>
> >> # CONFIG_EXT4_FS_POSIX_ACL is not set
> >> # CONFIG_EXT4_FS_SECURITY is not set
> >>
> >> So I prepared a new kernel with these 2 flags enabled and will
> >> reboot at 2:30pm ... We'll see!
> >>
> >> Any other issues I might miss here?
> >>
> >>
> > 
> > Apart from the fact getfattr works on an EA and getfacl works on
> > extended ACLs, i.e. different things ? ;-)
> 
> what? One works, the other not ... I interpret that the kernel
> doesn't support the ACL-feature of ext4

From what you have posted it doesn't, but when you do get them working,
you need to understand that EA's and ACL's can work together or
independently.
If 'acl_xattr:ignore system acls = yes' is set, they work
independently; if it isn't, they work together. See 'man
vfs_acl_xattr' for more info.

> 
> 
> > Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
> > What is the German for 'admins' ?
> 
> wbinfo -g
> 
> shows "domänen-admins"
> 
> while
> 
> 
> # wbinfo -g | grep -i admin
> specops endpoint protection report admins
> dnsadmins
> schema-admins
> organisations-admins
> Binary file (standard input) matches
> 
> ?? no "domänen-admins" in here

Very strange, I get:
enterprise admins
domain admins
schema admins
dnsadmins

Okay, hands up, who kidnapped 'enterprise admins' & 'domain admins' :-)

> 
> and
> 
> net rpc rights grant "DOM\domänen-admins" SeDiskOperatorPrivilege -U "DOM\administrator"
> 
> fails because the group is not found

Well it would fail, wouldn't it, your 'domain admins' group has been
kidnapped.

> 
> I asked that already some times ago
> 
> and I try to work around that by granting that right to a group
> called IT and the few admins in there


We need to find if the group has actually disappeared.

Run this on a DC:

ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator

Replace 'dc3' with the DC's name.

It should display the Domain Admins object

> 
> At 2:30pm we plan to reboot into the other kernel.
> 
> 

See here: https://wiki.samba.org/index.php/File_System_Support

If it passes the tests there, you should be good to go.

Rowland
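The checks this thread turns on (the two unset ext4 kernel options, and why `getfattr -n security.NTACL` answering "Operation not supported" is a different finding from "No such attribute") as an added example; this is not code from the list post or from the Samba project, and the function names, the `.acl_probe` file name and the constructed config lines are my own:

```shell
#!/bin/sh
# Pre-flight checks for a share that should use vfs_acl_xattr (added example).

# Report the ext4 options from the thread that are not '=y' in a kernel .config
# file ($1). Prints the missing ones, space separated, and returns 1 if any are.
missing_kernel_opts() {
    _missing=""
    for _opt in CONFIG_EXT4_FS_POSIX_ACL CONFIG_EXT4_FS_SECURITY; do
        grep -q "^${_opt}=y" "$1" || _missing="${_missing} ${_opt}"
    done
    printf '%s\n' "${_missing# }"
    [ -z "$_missing" ]
}

# Turn getfattr's stderr for 'security.NTACL' into a verdict.
#   "Operation not supported" -> kernel/filesystem cannot store security.* xattrs
#   "No such attribute"       -> xattrs work, Samba just has not written an NTACL yet
#   empty                     -> the attribute is present
classify_ntacl_error() {
    case "$1" in
        *"Operation not supported"*) echo unsupported ;;
        *"No such attribute"*)       echo unset ;;
        "")                          echo present ;;
        *)                           echo other ;;
    esac
}

# Live probe of a share directory ($1): can a user.* xattr and a POSIX ACL be
# stored there, and what does security.NTACL report? Needs attr/acl tools.
probe_share_dir() {
    _f="$1/.acl_probe.$$"   # constructed scratch file, removed at the end
    : > "$_f" || return 1
    if setfattr -n user.probe -v 1 "$_f" && getfattr -n user.probe --only-values "$_f" >/dev/null
    then echo "user xattr: ok"
    else echo "user xattr: FAILED (xattr support missing on this filesystem)"
    fi
    if setfacl -m u:0:r-- "$_f"
    then echo "posix acl: ok"
    else echo "posix acl: FAILED (needs CONFIG_EXT4_FS_POSIX_ACL / acl mount option)"
    fi
    _err=$(getfattr -n security.NTACL "$_f" 2>&1 >/dev/null)
    echo "security.NTACL: $(classify_ntacl_error "$_err")"
    rm -f "$_f"
}
```

Run `missing_kernel_opts /boot/config-$(uname -r)` (or the .config used to build the kernel) before rebooting, and `probe_share_dir /mnt/MSA2040/smb/IT` afterwards.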
