Re: [Samba] Windows ACLs on share
- Date: Thu, 3 Jan 2019 15:19:39 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Windows ACLs on share
On Thu, 3 Jan 2019 15:46:24 +0100
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> Am 03.01.19 um 15:29 schrieb Rowland Penny via samba:
> > On Thu, 3 Jan 2019 15:08:46 +0100
> > "Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> >> We are in the process of switching over shares from the old way of
> >> doing this to Windows ACLs:
> >> disable "valid users" "write list" etc
> >> and set ACLs via Windows Explorer ...
> >> And I struggle.
> > Are you following this:
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >> I am asking for a way to "start ACLs from scratch".
> >> I ran "setfacl -b -R" on the dir on the samba server and did a
> >> "chown -R root:10513" to hand it to "domain users"
> > That isn't using Windows ACLs
> Sure. I just wanted to get things going by adjusting ... ok ok
> >> in Windows Explorer we try to edit the Permissions in "Computer
> >> Management" and get errors around writing to some "container" (I
> >> get the msg in german, would have to google for english error msg)
> > Please either post the message as is, or the google translation.
> it is "Failed to enumerate objects in the container: Access is denied"
> >> Could someone pls advise?
> >> Addon: a second share works fine with ACLs already, so samba itself
> >> should be OK.
> > If it works on one share, it should work on all, perhaps posting
> > smb.conf may help.
> sure, sorry.
> This is samba-4.8.6, DM server, gentoo. If important, I don't have
> "samba-tool" binary, due to some gentoo specific issue ...
> smb.conf, shortened and anonymized.
> pls note the heading:
> # cat /etc/samba/smb.conf
> # Samba config file
> # from sgw 2018/jun/15
> # with help from Rowland
> unix charset = iso8859-15
> security = ads
> realm = somecompany.INTRA
> workgroup = somecompany
> netbios aliases = u1somecompany
> server string = U1somecompany
> winbind cache time = 10
> winbind use default domain = yes
> winbind refresh tickets = Yes
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> invalid users = root bin daemon adm sync shutdown halt mail news \
> obey pam restrictions = yes
> interfaces = 192.168.100.4/24 127.0.0.1
> bind interfaces only = Yes
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config somecompany : range = 10000-20000
> idmap config somecompany : backend = rid
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
> unix extensions = no
> follow symlinks= yes
> wide links= yes
> load printers = no
> printcap name = /dev/null
> acl allow execute always = True
> # Audit settings
> full_audit:prefix = %u|%I|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir write pwrite rename unlink \
> chmod fchmod chown fchown ftruncate
> full_audit:facility = local5
> full_audit:priority = notice
> comment = Home Directories
> #path = /mnt/MSA2040/smb/Homes/somecompany/%U
> #path = /mnt/MSA2040/smb/Homes/somecompany/%S
> valid users = %S
> browseable = yes
> read only = no
> create mode = 0750
> #directory mask = 0700
> path = /mnt/MSA2040/smb/Projekte
> read only = No
> path = /mnt/MSA2040/smb/QM
> read only = No
> observation, maybe important:
Oh, it's more than important, guess where the Windows ACLs are
> getfattr -n security.NTACL -d Projekte
> # file: Projekte
> # getfattr -n security.NTACL -d QM/
> QM/: security.NTACL: No such attribute
> (share "projekte" works fine, share "QM" not)
are they both using the same filesystem, ownership etc ?
To unsubscribe from this list go to the following URL and read the