Score:0

Samba Windows ACL not working


I want to configure Samba to manage Windows ACLs and manage them from Windows via the security tab. The Samba server is standalone and not part of an AD tree; I already followed various official and unofficial guides but nothing seems to work.

The machine runs on a Debian 12 LXC on ZFS, the ZFS mountpoints do support ACL:

$ mount | grep acl
rpool/data/subvol-107-disk-0 on / type zfs (rw,noatime,xattr,posixacl)
rpool/data/subvol-107-disk-1 on /data/share1 type zfs (rw,noatime,xattr,posixacl)

I did create a ZFS pool for each share; in this example it is /data/share1.

Samba is version 4.17.9-Debian.

The folder ACLs are already set:

$ ls -lah /data/share1/
total 12K
drwxrwxr-x+ 3 administrator administrator 3 Jul 24 13:13 .
drwxr-xr-x  3 root          root          3 Jul 24 11:09 ..
drwxrwxr-x+ 2 administrator administrator 2 Jul 24 11:59 test

$ getfacl /data/share1/
getfacl: Removing leading '/' from absolute path names
# file: data/share1/
# owner: administrator
# group: administrator
user::rwx
user:administrator:rwx
group::r-x
mask::rwx
other::r-x

I already configured the smb.conf appropriately:

[global]
        workgroup = CMC
        username map = /etc/samba/users.map
        server string = file-server

        log level = 5
        log file = /var/log/samba/log.%m
        max log size = 1000
        logging = file
        panic action = /usr/share/samba/panic-action %d


        server role = standalone server
        obey pam restrictions = yes
        map to guest = bad user


        acl allow execute always = yes

[homes]
        comment = Home Directories
        browseable = no
        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = yes


[share1]

        path = /data/share1/test
        guest ok = no
        comment = Cartella di test smb
        read only = no
        browseable = yes
        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = no

        store dos attributes = yes
        inherit acls = yes

From my tests, if I use this configuration for the share:

        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = yes

I get nothing from the Windows security tab:

[screenshot: Acl error 1]

If I instead use Linux ACLs with this configuration:

        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = no

        store dos attributes = yes
        inherit acls = yes

I get more feedback in the Windows security tab:

[screenshot: acl error2]

but it keeps giving me "access denied" if I try to edit ACLs from there.
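As an added example (not part of the original question or of Samba itself), the script below audits the two things the security-tab behaviour described above depends on: the per-share settings that make smbd store and expose NT ACLs, and whether the connecting account holds SeDiskOperatorPrivilege, which smbd requires before it lets a user change security descriptors from Windows. The functions take text as input, so they are exercised here against a constructed smb.conf excerpt (modelled on the one in the question) and a constructed `net rpc rights list accounts` listing; on a live server you would feed them `testparm -s` output and the real `net rpc rights list accounts -U <admin>` output. The share names, the `CMC\alice` account and the `/data/plain` path are assumptions made for the sample.

```shell
#!/bin/sh
# Added example: audit a standalone Samba share for Windows-side ACL editing.
# Nothing here is Samba project code; all sample text below is constructed.

# Print the non-comment lines of section [$2] from the smb.conf text in $1,
# with surrounding whitespace stripped.
share_section() {
    printf '%s\n' "$1" | awk -v want="[$2]" '
        { l = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", l) }
        l ~ /^\[/ { insec = (l == want); next }
        insec && l != "" && l !~ /^[;#]/ { print l }'
}

# Print the value of parameter $3 in section [$2] of $1 (empty when unset).
# smb.conf parameter names are case-insensitive and ignore whitespace, so key
# and query are normalised the same way before comparing.
share_param() {
    share_section "$1" "$2" | k="$3" awk '
        BEGIN { q = tolower(ENVIRON["k"]); gsub(/[[:space:]]/, "", q) }
        index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[[:space:]]/, "", key)
            if (key == q) { print substr($0, index($0, "=") + 1); exit }
        }' | sed 's/^[[:space:]]*//'
}

# Emit one line per finding for share [$2] in $1; exit 0 when clean, 1 otherwise.
# Lines starting with "note:" are informational and do not count as findings.
check_share() {
    conf="$1"; share="$2"; n=0
    vfs=$(share_param "$conf" "$share" "vfs objects")
    case " $vfs " in
        *" acl_xattr "*) ;;
        *) printf '%s\n' "vfs objects does not include acl_xattr: no NT ACL is stored"; n=$((n+1)) ;;
    esac
    ro=$(share_param "$conf" "$share" "read only")
    wr=$(share_param "$conf" "$share" "writable")
    we=$(share_param "$conf" "$share" "writeable")
    if [ "$ro" != "no" ] && [ "$wr" != "yes" ] && [ "$we" != "yes" ]; then
        printf '%s\n' "share is read only (the default): ACL changes cannot be written"; n=$((n+1))
    fi
    if [ "$(share_param "$conf" "$share" "nt acl support")" = "no" ]; then
        printf '%s\n' "nt acl support = no: the security tab gets no usable ACL"; n=$((n+1))
    fi
    if [ "$(share_param "$conf" "$share" "acl_xattr:ignore system acls")" = "yes" ]; then
        printf '%s\n' "note: ignore system acls = yes: the NT ACL in the security.NTACL xattr is authoritative; the POSIX ACL is only a minimal mapping"
    else
        printf '%s\n' "note: ignore system acls = no (default): the NT ACL is also mapped onto the POSIX ACL, and a POSIX ACL changed outside Samba causes the stored NT ACL to be discarded"
    fi
    [ "$n" -eq 0 ]
}

# Exit 0 when account $2 is listed with privilege $3 in "net rpc rights list
# accounts" output ($1). The values go through ENVIRON instead of awk -v
# because -v expands backslashes, and account names contain one.
holds_privilege() {
    printf '%s\n' "$1" | acct="$2" priv="$3" awk '
        BEGIN { rc = 1 }
        /^[[:space:]]*$/ { cur = ""; next }
        cur == "" { cur = $0; next }
        cur == ENVIRON["acct"] && $0 == ENVIRON["priv"] { rc = 0 }
        END { exit rc }'
}

# Constructed smb.conf excerpt modelled on the question; [plain] is a share
# without the ACL module, to show a failing audit.
SAMPLE_CONF='[global]
        workgroup = CMC
        server role = standalone server

[share1]
        path = /data/share1
        read only = no
        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = yes

[plain]
        path = /data/plain
        read only = no'

# Constructed listing in the format printed by "net rpc rights list accounts".
SAMPLE_RIGHTS='BUILTIN\Administrators
SeDiskOperatorPrivilege

CMC\administrator
SeDiskOperatorPrivilege
SeMachineAccountPrivilege

CMC\alice
SeMachineAccountPrivilege'

# Stand-alone run over the samples. Live use: SAMPLE_CONF="$(testparm -s 2>/dev/null)"
# and SAMPLE_RIGHTS="$(net rpc rights list accounts -U administrator)".
for s in share1 plain; do
    printf '== [%s] ==\n' "$s"
    check_share "$SAMPLE_CONF" "$s" || printf '%s\n' "-> [$s] needs attention"
done
for a in 'CMC\administrator' 'CMC\alice'; do
    if holds_privilege "$SAMPLE_RIGHTS" "$a" SeDiskOperatorPrivilege; then
        printf '%s holds SeDiskOperatorPrivilege and may edit ACLs from Windows\n' "$a"
    else
        printf '%s lacks SeDiskOperatorPrivilege: expect access denied in the security tab\n' "$a"
    fi
done
```

If the privilege check fails for the account you use from Windows, it is granted once per server with `net rpc rights grant 'CMC\administrator' SeDiskOperatorPrivilege -U administrator` (account name assumed from the workgroup in the question). The audit deliberately treats `acl_xattr:ignore system acls` as informational: both values are valid, but they change what the security tab shows, because with `no` the NT ACL has to stay consistent with a POSIX ACL as well.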

Nicolas Formichella: You're likely missing idmapping; this [question](https://serverfault.com/a/291994/604280) may help you.

Plokko: idmapping is necessary even without an Active Directory domain?!?

Plokko: I may have found the cause: I need NFSv4 support on the filesystem, otherwise I cannot save advanced ACLs; they may work, but some permissions will be trimmed.