Re: [Samba] "missing security tab" and related ACL issues
- Date: Fri, 7 Sep 2018 14:25:27 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] "missing security tab" and related ACL issues
On Fri, 7 Sep 2018 14:02:01 +0200
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> Am 07.09.18 um 12:45 schrieb Rowland Penny via samba:
> > On Fri, 7 Sep 2018 11:22:36 +0200
> > "Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> >> At a customer server (gentoo linux, so far only Samba version
> >> 4.7.7) we tried to use Windows ACLs and failed:
> >> no security tab in Windows ... for local C: yes, not on samba
> >> shares
> >> Yes, I followed
> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >> and have the vfs module enabled etc
> >> -
> >> Now I consider that the kernel doesn't have the necessary flags
> >> set.
> >> I get
> >> # getfattr -n security.NTACL -d /mnt/MSA2040/smb/IT
> >> /mnt/MSA2040/smb/IT: security.NTACL: Operation not supported
> >> but
> >> # getfacl /mnt/MSA2040/smb/IT
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: mnt/MSA2040/smb/IT
> >> # owner: ittner
> >> # group: dom�nen-benutzer
> >> user::rwx
> >> group::rwx
> >> other::r-x
> >> -
> >> From the old kernel config I see these flags unset:
> >> # CONFIG_EXT4_FS_POSIX_ACL is not set
> >> # CONFIG_EXT4_FS_SECURITY is not set
> >> So I prepared a new kernel with these 2 flags enabled and will
> >> reboot at 2:30pm ... We'll see!
> >> Any other issues I might miss here?
> > Apart from the fact getattr works on an EA and getfacl works on
> > extended ACL's i.e. different things ? ;-)
> what? One works, the other not ... I interpret that the kernel
> doesn't support the ACL-feature of ext4
From what you have posted it doesn't, but when you do get them working,
you need to understand that EA's and ACL's can work together or
If 'acl_xattr:ignore system acls = yes' is set, they work
independently, if it isn't, they work together, see 'man
vfs_acl_xattr' for more info.
> > Stop me if I am wrong, but isn't 'benutzer' German for 'users' ?
> > What is the German for 'admins' ?
> wbinfo -g
> shows "dom�nen-admins"
> # wbinfo -g | grep -i admin
> specops endpoint protection report admins
> Binary file (standard input) matches
> ?? no "domänen-admins" in here
Very strange, I get:
Okay, hands up, who kidnapped 'enterprise admins' & 'domain admins' :-)
> net rpc rights grant "DOM\domänen-admins" SeDiskOperatorPrivilege -U
> fails because the group is not found
Well it would fail, wouldn't it, your 'domain admins' group has been
> I asked that already some times ago
> and I try to work around that by granting that right to a group
> called IT and the few admins in there
We need to find if the group has actually disappeared.
Run this on a DC:
ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator
Replace 'dc3' with the DC's name.
It should display the Domain Admins object
> At 2:30pm we plan to reboot into the other kernel.
See here: https://wiki.samba.org/index.php/File_System_Support
If it passes the tests there, you should be good to go.
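
An added example, not part of the original message or of the Samba wiki: a small shell check for the two ext4 kernel options named in this thread, plus an optional write probe for a security.* xattr and a POSIX ACL on a share directory. The function names, the scratch-file name and the sample config are constructed for illustration; the probe assumes root and the setfattr/setfacl tools.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: script KERNEL_CONFIG [SHARE_DIR]

# ext4_opt_state CONFIG_FILE OPTION -> prints "y" or "unset"
ext4_opt_state() {
    val=$(sed -n "s/^$2=\(y\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${val:-unset}"
}

# check_kernel_config CONFIG_FILE -> exit status 0 only if both options are =y
check_kernel_config() {
    rc=0
    for opt in CONFIG_EXT4_FS_POSIX_ACL CONFIG_EXT4_FS_SECURITY; do
        state=$(ext4_opt_state "$1" "$opt")
        printf '%-26s %s\n' "$opt" "$state"
        if [ "$state" = unset ]; then rc=1; fi
    done
    return "$rc"
}

# probe_path DIR -> write a security.* xattr and a POSIX ACL entry on a
# scratch file. It writes rather than reads because getfacl still prints the
# mode bits on a filesystem without ACL support. Writing security.* needs root.
probe_path() {
    f=$(mktemp "$1/.probe.XXXXXX") || return 2
    rc=0
    if ! setfattr -n security.probe -v 1 "$f" 2>/dev/null; then
        echo "security.* xattr failed on $1 (unsupported, or not root)"; rc=1
    fi
    if ! setfacl -m u:root:rwx "$f" 2>/dev/null; then
        echo "POSIX ACL failed on $1 (unsupported, or setfacl missing)"; rc=1
    fi
    rm -f "$f"
    return "$rc"
}

if [ "$#" -ge 1 ]; then
    check_kernel_config "$1" || echo "kernel config lacks ext4 ACL/xattr support"
    if [ "$#" -ge 2 ]; then probe_path "$2"; fi
else
    # No arguments: constructed sample mirroring the old config quoted above.
    sample=$(mktemp)
    printf '%s\n' '# CONFIG_EXT4_FS_POSIX_ACL is not set' \
        '# CONFIG_EXT4_FS_SECURITY is not set' >"$sample"
    check_kernel_config "$sample" || echo "kernel config lacks ext4 ACL/xattr support"
    rm -f "$sample"
fi
```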