Re: [Samba] Windows ACLs on share

On 03.01.19 at 15:29, Rowland Penny via samba wrote:
> On Thu, 3 Jan 2019 15:08:46 +0100
> "Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:
>> We are in the process of switching over shares from the old way of
>> doing this to Windows ACLs:
>> disable "valid users", "write list", etc.
>> and set ACLs via Windows Explorer ...
>> And I struggle.
> Are you following this:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs


>> I am asking for a way to "start ACLs from scratch".
>> I ran "setfacl -b -R" on the dir on the samba server and did a "chown
>> -R root:10513" to hand it to "domain users"
> That isn't using Windows ACLs

Sure. I just wanted to get things going by adjusting ... ok ok

>> in Windows Explorer we try to edit the permissions in "Computer
>> Management" and get errors around writing to some "container" (I get
>> the message in German, I would have to google for the English error msg)
> Please either post the message as is, or the google translation.

it is "Failed to enumerate objects in the container: Access is denied"

>> Could someone pls advise?
>> Addon: a second share works fine with ACLs already, so samba itself
>> should be OK.
> If it works on one share, it should work on all, perhaps posting
> smb.conf may help.

sure, sorry.

This is samba-4.8.6, DM (domain member) server, Gentoo. If important, I
don't have the "samba-tool" binary, due to some Gentoo-specific issue ...


smb.conf, shortened and anonymized.
Please note the heading:

# cat /etc/samba/smb.conf
# Samba config file
# from sgw 2018/jun/15
# with help from Rowland

[global]
unix charset = iso8859-15

security = ads
realm = somecompany.INTRA
workgroup = somecompany

netbios aliases = u1somecompany
server string = U1somecompany

winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes

template homedir = /mnt/MSA2040/smb/Homes/%D/%U

restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news
obey pam restrictions = yes

interfaces =
bind interfaces only = Yes

idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config somecompany : range = 10000-20000
idmap config somecompany : backend = rid

# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes

unix extensions = no
follow symlinks = yes
wide links = yes

load printers = no
printcap name = /dev/null

acl allow execute always = True

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir write pwrite rename unlink \
		     chmod fchmod chown fchown ftruncate
full_audit:facility = local5
full_audit:priority = notice

[homes]
	comment = Home Directories
	#path = /mnt/MSA2040/smb/Homes/somecompany/%U
	#path = /mnt/MSA2040/smb/Homes/somecompany/%S
	valid users = %S
	browseable = yes
	read only = no
	create mode = 0750
	#directory mask = 0700

[Projekte]
	path = /mnt/MSA2040/smb/Projekte
	read only = No

[QM]
	path = /mnt/MSA2040/smb/QM
	read only = No


Observation, maybe important:

# getfattr -n security.NTACL -d Projekte
# file: Projekte

# getfattr -n security.NTACL -d QM/
QM/: security.NTACL: No such attribute

(share "projekte" works fine, share "QM" not)
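The getfattr observation above is the interesting part: with `vfs objects = acl_xattr`, Samba stores the Windows security descriptor in the `security.NTACL` extended attribute, and for any entry that has none (the whole QM tree after `setfacl -b -R` and `chown -R`) it synthesizes an NT ACL from the POSIX owner, group and mode instead. The following script is an added example for this thread, not code from the Samba project or from the poster: it walks a share tree, lists every entry without a stored NT ACL and groups them by the POSIX identity Samba would fall back to. The share root is passed as an argument; the attribute name is the one vfs_acl_xattr really uses, everything else (output format, the injectable `xattrs`/`entries` parameters used for testing) is my own choice. Run it as root so every subdirectory can be walked.

```python
#!/usr/bin/env python3
"""
ntacl_audit.py: report where a Samba share tree has no stored Windows ACL.

With "vfs objects = acl_xattr", Samba keeps the NT security descriptor in the
extended attribute security.NTACL. Entries without it get an ACL synthesized
from the POSIX owner/group/mode (or POSIX ACL), which is why a tree that was
"reset" with setfacl -b / chown behaves differently from one whose ACLs were
set from Windows. This walks a tree and lists such entries.

Added example for the mailing-list thread, not Samba project code. The root
path argument, the report layout and the injectable helpers are assumptions;
the attribute name is the one vfs_acl_xattr writes.
"""
import os
import stat
import sys
from typing import Callable, Dict, Iterable, List, Optional

NTACL_XATTR = "security.NTACL"  # attribute written by vfs_acl_xattr

XattrLister = Callable[[str], List[str]]


def list_xattrs(path: str) -> List[str]:
    """Names of the extended attributes on path (symlinks not followed).
    Listing names needs no special privilege; reading security.* values does."""
    try:
        return os.listxattr(path, follow_symlinks=False)
    except OSError:
        # no xattr support on this filesystem, no permission, or entry vanished
        return []


def walk_entries(root: str) -> Iterable[str]:
    """Yield the root and every entry below it, without following symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def audit_tree(root: str,
               xattrs: XattrLister = list_xattrs,
               entries: Optional[Iterable[str]] = None) -> Dict:
    """Check every entry for security.NTACL.

    Returns {"checked": n, "missing": [paths], "fallback": {(uid, gid,
    modestring): count}}; "fallback" counts the POSIX identities Samba would
    build a synthesized ACL from. xattrs and entries are injectable so the
    logic can be exercised without privileges to create security.* attributes.
    """
    report: Dict = {"checked": 0, "missing": [], "fallback": {}}
    for path in (walk_entries(root) if entries is None else entries):
        report["checked"] += 1
        if NTACL_XATTR in xattrs(path):
            continue
        report["missing"].append(path)
        try:
            st = os.lstat(path)
        except OSError:
            continue  # path was constructed or disappeared; still counted
        key = (st.st_uid, st.st_gid, stat.filemode(st.st_mode))
        report["fallback"][key] = report["fallback"].get(key, 0) + 1
    return report


def format_report(report: Dict) -> List[str]:
    """Render the audit as text lines: totals, fallback identities, paths."""
    lines = [f"entries checked: {report['checked']}",
             f"without {NTACL_XATTR}: {len(report['missing'])}"]
    for (uid, gid, mode), n in sorted(report["fallback"].items()):
        lines.append(f"  {n:6d} entries owned by uid={uid} gid={gid} mode={mode}")
    lines.extend(f"  missing: {p}" for p in report["missing"])
    return lines


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} /path/to/share", file=sys.stderr)
        return 2
    print("\n".join(format_report(audit_tree(argv[1]))))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a box that does have `samba-tool`, `samba-tool ntacl get --as-sddl <path>` shows the stored descriptor in readable form; without it, `getfattr -n security.NTACL` as used above at least tells you whether one exists. The wiki page Rowland linked covers the rest: setting the initial ACL from Windows as a user who holds SeDiskOperatorPrivilege on the member server.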

