Samba 3.6 or Samba 4 ?

Nick_C · 01-23-2013, 03:00 PM

I am trying to setup a Samba Server and a Windows share with Full ACL support. From what I have read and from my own experimentation I need to use vfs_acl_xattr to do this.

At the moment I am not having too much success trying this on Samba 3.6 so I am wondering about trying Samba 4. Only thing is I keep reading that Samba 4 is experimental and should not be used on a production Server yet.

Has anyone got an opinion about whether I would be better off using Samba 4 or not.

Thanks,
Nick

Ser Olmy · 01-24-2013, 07:20 PM

You should be able to get full ACL support with either version of Samba by simply adding the acl and user_xattr mount options to the underlying file system. The VFS module is not required.

As for stability, Sambe 4.0 is pretty good, but if you don't actually need AD DC functionality there's nothing wrong with sticking with 3.6 for now.

Nick_C · 01-25-2013, 04:26 AM

Well need to connect to a Windows AD DC but wasn't thinking of using Samba as the DC.

Got acl & user_xattr in the fstab but what about smb.conf do I need anything more than:
nt acl support = yes
inherit acls = Yes
map acl inherit = Yes

Nick_C · 01-25-2013, 06:20 AM

Not sure that the above configuration is enough, using that I don't seem to get full ACL support.
Deleting all permissions from windows in preparation for adding our owm ACL entries doesn't work and a whole load of default entries appear back again:

System - Full - This folder, subfolders and files
Authenticated Users - Read & Execute - This folder, subfolders and files
Domain Admins - Full - This folder, subfolders and files
Everyone - None - This folder, subfolders and files
Administrator - Full - This folder only
Domain Users - None - This folder only
Creator Owner - Full - Subfolders and files only
Creator Group - None - Subfolders and files only
Domain Users - Full - Subfolders and files only

Any idea where these are comming from?

Nick_C · 01-27-2013, 02:37 PM

Currently got samba setup as follows:

/etc/fstab:

acl,user_xattr

/etc/samba/smb.conf:

[WinShare]
comment = Windows Share
path = /mnt/WinShare
read only = no
admin users = "MYDOMAIN\Nick"
nt acl support = yes
inherit acls = yes
map acl inherit = yes
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes

Problem is there are a bunch of fixed default ACL entries which cannot be removed:

System - Full - This folder, subfolders and files
Authenticated Users - Read & Execute - This folder, subfolders and files
Domain Admins - Full - This folder, subfolders and files
Everyone - None - This folder, subfolders and files
Administrator - Full - This folder only
Domain Users - None - This folder only
Creator Owner - Full - Subfolders and files only
Creator Group - None - Subfolders and files only
Domain Users - Full - Subfolders and files only

Anyone know how I can get rid of these?

Thanks,
Nick

scheidel21 · 01-27-2013, 05:08 PM

Those defaults exist in Windows domains by default, I highly doubt you can or should get rid of them.

Nick_C · 01-29-2013, 04:24 AM

Well if Samba is to provide a completely seamless share to windows users such that they do not even know they are using Linux/Samba then these should be able to be deleted as they can be in windows.

From what I have read there should be some way of getting Samba to completely emulate a windows share, I just haven't found the correct settings yet.

scheidel21 · 01-29-2013, 06:00 AM

You might be able to delete these in Windows (though I may be wrong on that) but there would be no reason you would ever delete these on windows. Why do you want to delete them off of Samba? It could cause issues working with Widows machines, especially in a domain environment.

Nick_C · 01-29-2013, 06:13 AM

Well we want to be able to set our own permissions which I then hope to see inherited by everything on that share.

For example these are a waste of time:

Everyone - None - This folder, subfolders and files
Domain Users - None - This folder only
Creator Group - None - Subfolders and files only

And we might not want everyone on the domain to have:

Authenticated Users - Read & Execute - This folder, subfolders and files
Domain Users - Full - Subfolders and files only

scheidel21 · 01-29-2013, 07:44 AM

OK I see what you want now, I was mistaken in my understanding of what you were seeking. You should be able to do what you are trying to do. For testing could you try disabling inherit acls on the share and then delete and see if they reappear.

Nick_C · 01-29-2013, 10:31 AM

Slightly different results but still get the following ACEs added back again:

Everyone - None - This folder, subfolders and files
root - Full - This folder only
Enterprise Admins - None - This folder only
Creator Owner - Full - Subfolders and files only
Creator Group - None - Subfolders and files only

scheidel21 · 02-05-2013, 06:37 PM

This is an odd one, I'm out of suggestions at the moment, sorry.

Nick_C · 02-06-2013, 06:16 AM

What I was hopeing for was to find someome else who is using Samba with these ACL options to find out if they get the same behaviour. However from lack of other replies I guess no one else is actually using this. Thanks for your help.

scheidel21 · 02-06-2013, 07:02 AM

A thought, perhaps user and group mapping from the Linux file system to samba mappings of Windows users and groups is causing these to reappear.

Nick_C · 02-10-2013, 10:06 AM

Yep that sounds like a distinct possibility. Is there a way to turn off all user & group mapping from smb.conf? I have had a look through the docs and nothing obvious on how to do that.

Thanks,
Nick