Web lists-archives.com

[Samba] Windows ACL behaviour in standalone fileservers (LDAP vs TDB)




Hi,

I'm building and managing standalone fileservers (security = user) with various passdb backends. I'm noticing different behaviour of Windows ACLs for servers with LDAP and TDB passdb backends.

In a LDAP backed server (which I started with) I can freely add filesystem permissions (eg for groups) to objects (files/folders) via the Windows (7) permissions editor.

In a TDB backed server I can only add permission to a folder for a group if the containing folder has (any) permissions for that group. Additionally I have to enter my credentials again in the permissions editor, which isn't needed on the LDAP backed server.

Configuration for both servers from a "result view" looks identical to me:
- "net groupmap list" is identical
- both use "security = user" and "acl_xattr"

I'm obviously not an expert for Windows ACLs, a workmate Windows Admin told me that the second behaviour is what he would expect, still I'm confused.

Samba is 4.8.3 on CentOS 7.

thx
Matthias

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba