
[Samba] Samba4: where are ACLs stored?


Klaus Hartnegg
Sep 26, 2013, 10:12:03 AM
Hi,

most file access rights sync between the ACLs of Linux and the security tab
of Windows file properties, but not all. Where is the other information stored?

I tried 'getfattr -d' and 'samba-tool ntacl get' in Linux, but neither
output changed when using Windows to add an individual right for a user
that already has rights inherited from the parent directory. Windows
remembers every detail of these changes, even after a reboot, so it must
be stored somewhere.

I'm concerned that backups might be incomplete when part of the access
rights are hidden somewhere else. Will 'cp -a' really copy everything?

Thanks,
Klaus

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Thomas Harold
Sep 26, 2013, 12:54:23 PM
On 9/26/2013 10:12 AM, Klaus Hartnegg wrote:
> Hi,
>
> most file access rights sync between the ACLs of Linux and the security tab
> of Windows file properties, but not all. Where is the other information stored?
>
> I tried 'getfattr -d' and 'samba-tool ntacl get' in Linux, but neither
> output changed when using Windows to add an individual right for a user
> that already has rights inherited from the parent directory. Windows
> remembers every detail of these changes, even after a reboot, so it must
> be stored somewhere.
>
> I'm concerned that backups might be incomplete when part of the access
> rights are hidden somewhere else. Will 'cp -a' really copy everything?
>

Under ext4, we mount with "rw,noatime,user_xattr,acl".

http://docs.fedoraproject.org/en-US/Fedora/14/html/Storage_Administration_Guide/ext4mount.html

https://wiki.samba.org/index.php/Samba_4/OS_Requirements#ext3.2Fext4_File_System

According to the ext4 documentation page, barrier=barrier (a.k.a.
barrier=1) is the default, but it doesn't hurt to specify it in your
/etc/fstab file for the file system where your TDB files are stored.
Use "cat /proc/mounts" to see current file system mount options.

You can check kernel defaults for xattr and ACL support by finding your
config.gz or config file. Under CentOS, this is stored in /boot

# grep CONFIG_EXT4_FS /boot/config-2.6.32-358.18.1.el6.x86_64
or
# zgrep CONFIG_EXT4_FS /proc/config.gz

Command to check ACLs:

# getfacl

Command to check xattrs:

# getfattr

...

All that to say my guess is that the ACLs get stored in "acl" ext4 mount
option.

I know that rdiff-backup stores: "preserves subdirectories, hard links,
dev files, permissions, uid/gid ownership, modification times, extended
attributes, acls, and resource forks". So you would need to check that
your backup software supports both "extended attributes" and "ACLs".
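The checks Thomas describes (mount options in /proc/mounts, ext4 xattr/ACL symbols in the kernel config) can be scripted. The following is an added example, not code from the thread or from the Samba project: it finds the mount that holds a given path, reports which of the required options ("acl", "user_xattr") are missing, and reads the kernel config symbols. The /proc/mounts and config text embedded below are constructed samples; the symbol names CONFIG_EXT4_FS_XATTR and CONFIG_EXT4_FS_POSIX_ACL are those of a 2.6.32-era kernel like the one in the post (newer kernels dropped the XATTR symbol, which the code reports as "absent" rather than "off").

```python
"""Verify xattr/ACL support for the filesystem under a Samba share.

Added example (not from the mailing-list thread). Sample texts below are
constructed; pass the real /proc/mounts and kernel config contents to
check an actual host.
"""
import os
import re

# Mount options Thomas lists for an ext4 share filesystem.
REQUIRED_OPTS = {"acl", "user_xattr"}

# Kernel symbols as named in a 2.6.32-era config (assumption: older kernel).
XATTR_SYMBOL = "CONFIG_EXT4_FS_XATTR"
ACL_SYMBOL = "CONFIG_EXT4_FS_POSIX_ACL"

# Constructed sample of /proc/mounts: / lacks the options, /srv/samba has them.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/sdb1 /srv/samba ext4 rw,noatime,user_xattr,acl,barrier=1 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
"""

# Constructed sample of a kernel config fragment.
SAMPLE_KCONFIG = """\
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
# CONFIG_EXT4_FS_SECURITY is not set
"""


def parse_mounts(text):
    """Return [(mountpoint, fstype, set_of_options)] from /proc/mounts text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in mount points as \040.
        mountpoint = fields[1].replace("\\040", " ")
        entries.append((mountpoint, fields[2], set(fields[3].split(","))))
    return entries


def mount_for_path(path, entries):
    """Pick the entry whose mountpoint is the longest prefix of path.

    A later entry with the same mountpoint wins, matching the kernel's
    overmount behaviour."""
    path = os.path.normpath(path)
    best = None
    for mp, fstype, opts in entries:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = (mp, fstype, opts)
    return best


def missing_mount_options(path, mounts_text=SAMPLE_MOUNTS):
    """Required options that the filesystem holding `path` was not mounted with."""
    entry = mount_for_path(path, parse_mounts(mounts_text))
    if entry is None:
        return set(REQUIRED_OPTS)
    return REQUIRED_OPTS - entry[2]


def kernel_config_status(config_text):
    """Map each symbol to True (=y/=m), False ('is not set') or None (absent)."""
    status = {}
    for sym in (XATTR_SYMBOL, ACL_SYMBOL):
        if re.search(r"^%s=(y|m)$" % re.escape(sym), config_text, re.M):
            status[sym] = True
        elif re.search(r"^# %s is not set$" % re.escape(sym), config_text, re.M):
            status[sym] = False
        else:
            status[sym] = None
    return status


if __name__ == "__main__":
    import gzip
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "/srv/samba"
    try:
        with open("/proc/mounts") as f:
            mounts = f.read()
    except OSError:
        mounts = SAMPLE_MOUNTS   # not on Linux: fall back to the sample
    print("missing mount options for %s: %s" % (target, missing_mount_options(target, mounts) or "none"))

    config = None
    for candidate in ("/boot/config-" + os.uname().release, "/proc/config.gz"):
        try:
            opener = gzip.open if candidate.endswith(".gz") else open
            with opener(candidate, "rt") as f:
                config = f.read()
            break
        except OSError:
            continue
    print("kernel config:", kernel_config_status(config or SAMPLE_KCONFIG))
```

Run it with the share path as the only argument; an empty "missing" set plus True for both symbols means the storage layer can hold what Samba writes, which is the precondition for any backup of those attributes to be meaningful.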

Neurodesarrollo
Sep 26, 2013, 4:09:32 PM
Hi List, I'm new to the list and to Samba4.
I installed samba4 ver. 4.0.9 on a server with openSUSE 12.3, 32 bits.
Previously I had samba3.6.x installed on my server; the users could
access /home/(users) as their user drive (U:) and modify everything
in their drive.

But with Samba4:
- How can my users modify their home (e.g. user: erick, with home
directory: /home/erick) on the server? Currently they can't
modify (delete, create, rename and so on) anything.
- When the user logs in to their session, how can the drive U: (for
example) appear automatically with their home files?

My client PCs are Windows XP SP2 with their profiles "only local".

Thanks

T.I.A.


I'm providing my "smb.conf" configuration in case you can help me.


[global]
server string = Samba4 Server en NEURODESARROLLO
workgroup = NEURODCAR
realm = NEURODCAR.MTZ.SLD.CU
netbios name = ALFA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc
dns forwarder = 10.44.0.10
logon path = \\%L\profiles\%U
logon home = \\%N\%U
logon drive = U:
domain logons = Yes
domain master = Yes
local master = Yes
preferred master = Yes
os level = 65
log level = 3

[homes]
comment = Home Directories
valid users = %ACCOUNTNAME%, %S, %D%w%S
browseable = No
read only = No

[profiles]
path = /usr/local/samba/Profiles/
read only = No

[netlogon]
path = /usr/local/samba/var/locks/sysvol/neurodcar.mtz.sld.cu/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

#######################################

--
Jesús Reyes Piedra
Network Admin, Neurodesarrollo, Cárdenas

The box said: "Requires Windows 95 or better"...
So I installed LINUX.


Andrew Bartlett
Sep 30, 2013, 3:58:28 PM
On Thu, 2013-09-26 at 16:12 +0200, Klaus Hartnegg wrote:
> Hi,
>
> most file access rights sync between the ACLs of Linux and the security tab
> of Windows file properties, but not all. Where is the other information stored?
>
> I tried 'getfattr -d' and 'samba-tool ntacl get' in Linux, but neither
> output changed when using Windows to add an individual right for a user
> that already has rights inherited from the parent directory. Windows
> remembers every detail of these changes, even after a reboot, so it must
> be stored somewhere.
>
> I'm concerned that backups might be incomplete when part of the access
> rights are hidden somewhere else. Will 'cp -a' really copy everything?

Can you show me your smb.conf?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Neurodesarrollo
Sep 30, 2013, 4:45:46 PM
On 26/09/13 16:09, Neurodesarrollo wrote:
Can anybody on this list help me???

Thanks in Advance

Rowland Penny
Sep 30, 2013, 5:11:15 PM
Hi, from your posted smb.conf, you seem to be mixing up the settings for
an AD DC and an old-style NT PDC; most of the global part of it could be
removed. The [homes] section will not work as before; it needs to be
[home] and you need to supply the path to wherever the homes are stored.

Have a look here:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares

Rowland

Daniel Müller
Oct 1, 2013, 2:14:01 AM
[homes]<-- THis IS WRONG WITH SAMBA 4
IT should be -->[home]
No valid Users and so on anymore.
Important-->path
--> readonly = No


-----------------------------------------------
IT, Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On
behalf of Rowland Penny
Sent: Monday, 30 September 2013 23:11
To: Neurodesarrollo; sa...@lists.samba.org
Subject: Re: [Samba] Samba4: Home of Users

Klaus Hartnegg
Oct 1, 2013, 4:07:11 AM
On 30.09.2013 21:58, Andrew Bartlett wrote:
> On Thu, 2013-09-26 at 16:12 +0200, Klaus Hartnegg wrote:
>> I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither
>> output changed when using windows to add individual right for a user

Meanwhile I found that 'cp -a' does transfer all rights settings. My
conclusion is that the output of the commands 'getfattr -d' and/or
'samba-tool ntacl get' is incomplete.

> Can you show me your smb.conf?

Default of sernet samba:

# Global parameters
[global]
workgroup = DC
realm = DC.TESTDOMAIN.DE
netbios name = ALPHA
server role = active directory domain controller
dns forwarder = 195.50.140.114
dsdb:schema update allowed = yes

[netlogon]
path = /opt/samba/var/locks/sysvol/dc.testdomain.de/scripts
read only = No

[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No

[test]
path = /srv/samba
read only = No
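Klaus's finding above ('cp -a' carries everything, yet 'getfattr -d' looks incomplete) has a plain explanation: Samba's acl_xattr module stores the NT security descriptor in the security.NTACL extended attribute, and getfattr only prints the user.* namespace unless it is given `-m -` (or `-m security`). The following is an added example, not code from the thread or from the Samba project; it reproduces getfattr's default filter on a constructed set of attribute names, and provides a walker that compares every xattr of a source tree with its copy so a backup can be verified. It assumes Linux, an xattr-capable filesystem, and enough privilege to read the security.* namespace (normally root).

```python
"""Show which xattrs 'getfattr -d' hides, and verify a copy kept them all.

Added example (not from the mailing-list thread). SAMPLE_SRC is a
constructed attribute map; the blob values are placeholders.
"""
import os
import re
import sys

# getfattr's default name filter (attr package): only the user namespace.
GETFATTR_DEFAULT_PATTERN = r"^user\."
# Attribute in which Samba's vfs_acl_xattr module keeps the NT ACL.
NTACL_XATTR = "security.NTACL"

# Constructed sample of what a directory on a Samba share may carry.
SAMPLE_SRC = {
    "user.DOSATTRIB": b"0x10",                    # DOS attribute bits
    NTACL_XATTR: b"\x04\x00\x00\x00\x01\x00placeholder",  # NT security descriptor blob
    "system.posix_acl_access": b"\x02\x00\x00\x00placeholder",  # POSIX ACL
}


def filter_names(names, pattern=GETFATTR_DEFAULT_PATTERN):
    """Names that 'getfattr -d -m <pattern>' would print; '-' means all."""
    if pattern == "-":
        return sorted(names)
    rx = re.compile(pattern)
    return sorted(n for n in names if rx.search(n))


def read_xattrs(path):
    """All xattrs of one path as {name: bytes}, without following symlinks."""
    return {name: os.getxattr(path, name, follow_symlinks=False)
            for name in os.listxattr(path, follow_symlinks=False)}


def compare_xattrs(src, dst):
    """Return (names missing in dst, names present in both but differing)."""
    missing = sorted(n for n in src if n not in dst)
    differing = sorted(n for n in src if n in dst and src[n] != dst[n])
    return missing, differing


def verify_copy(src_root, dst_root):
    """Compare xattrs of every directory and file under src_root with its
    counterpart under dst_root. Returns [(relative_path, missing, differing)]
    for entries that are absent or differ; an empty list means the copy is
    complete as far as extended attributes go."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(src_root):
        for name in [None] + filenames:   # None stands for the directory itself
            src = dirpath if name is None else os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            if not os.path.lexists(dst):
                problems.append((rel, ["<entry missing>"], []))
                continue
            missing, differing = compare_xattrs(read_xattrs(src), read_xattrs(dst))
            if missing or differing:
                problems.append((rel, missing, differing))
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("what 'getfattr -d' shows:", filter_names(SAMPLE_SRC))
        print("what 'getfattr -d -m -' shows:", filter_names(SAMPLE_SRC, "-"))
        print("usage: %s SRC_TREE COPY_TREE" % sys.argv[0])
        sys.exit(0)
    for rel, missing, differing in verify_copy(sys.argv[1], sys.argv[2]):
        print("%s: missing=%s differing=%s" % (rel, missing, differing))
```

Run it with no arguments to see the two views of the sample attribute set; run it as root with the original share and its 'cp -a' copy to get a list that should be empty. Note that security.NTACL only exists on a path once Samba has written an NT ACL to it, so a freshly created share tree may show no such attribute at all.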

Partha Sarathi
Oct 1, 2013, 4:18:44 AM
I hope you should use the below parameter under all share sections to get
the NTACL working.

vfs objects = acl_xattr,



On Tue, Oct 1, 2013 at 1:37 PM, Klaus Hartnegg <klaus.h...@blickzentrum.de> wrote:

> On 30.09.2013 21:58, Andrew Bartlett wrote:
>
>> On Thu, 2013-09-26 at 16:12 +0200, Klaus Hartnegg wrote:
>>
>>> I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither
>>> output changed when using windows to add individual right for a user
>>>
>>
> Meanwhile I found that 'cp -a' does transfer all rights settings. My
> conclusion is that the output of the commands 'getfattr -d' and/or
> 'samba-tool ntacl get' is incomplete.
>
>
> > Can you show me your smb.conf?
>
> Default of sernet samba:
>
> # Global parameters
> [global]
> workgroup = DC
> realm = DC.TESTDOMAIN.DE
> netbios name = ALPHA
> server role = active directory domain controller
> dns forwarder = 195.50.140.114
> dsdb:schema update allowed = yes
>
> [netlogon]
> path = /opt/samba/var/locks/sysvol/dc.testdomain.de/scripts
> read only = No
>
> [sysvol]
> path = /opt/samba/var/locks/sysvol
> read only = No
>
> [test]
> path = /srv/samba
> read only = No
>



--
Thanks & Regards
-Partha

Klaus Hartnegg
Oct 1, 2013, 4:37:20 AM
On 01.10.2013 10:18, Partha Sarathi wrote:
> I hope you should use the below parameter under all share sections to get
> the NTACL working.
>
> vfs objects = acl_xattr,

Doesn't make a difference. It seems to be on by default, even if not in
smb.conf. When I run testparm it shows it in the global section:
vfs objects = dfs_samba4, acl_xattr

Andrew Bartlett
Oct 1, 2013, 2:32:11 PM
On Tue, 2013-10-01 at 13:48 +0530, Partha Sarathi wrote:
> I hope you should use the below parameter under all share sections to
> get the NTACL working.
>
>
> vfs objects = acl_xattr,

Indeed, you would expect that to be needed.

However, we put that in to the smb.conf 'by magic' whenever we see
'server role = active directory domain controller'. Frankly I think it
should be the default, except for the fact that we didn't want to change
it for upgrading users. We used the 'new' server role as a chance to at
least make it a default for this important use case.

Andrew Bartlett


--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org


Neurodesarrollo
Oct 9, 2013, 9:14:15 AM
On 30/09/13 17:11, Rowland Penny wrote:
> On 30/09/13 21:45, Neurodesarrollo wrote:
>> On 26/09/13 16:09, Neurodesarrollo wrote:
>>> Hi List, I'm new to the list and to Samba4.
>>> I installed samba4 ver. 4.0.9 on a server with openSUSE 12.3, 32 bits.
>>> Previously I had samba3.6.x installed on my server; the users could
>>> access /home/(users) as their user drive (U:) and modify everything
>>> in their drive.
>>>
>>> But with Samba4:
>>> - How can my users modify their home (e.g. user: erick, with home
>>> directory: /home/erick) on the server? Currently they can't
>>> modify (delete, create, rename and so on) anything.
>>> - When the user logs in to their session, how can the drive U: (for
>>> example) appear automatically with their home files?
>>>
>>> My client PCs are Windows XP SP2 with their profiles "only local".
>>>
>>> Thanks
>>>
>>> T.I.A.
>>>
>>>
>>> I'm providing my "smb.conf" configuration in case you can help me.
>>>
>>>
>>> [global]
>>> server string = Samba4 Server en NEURODESARROLLO
>>> workgroup = NEURODCAR
>>> realm = NEURODCAR.MTZ.SLD.CU
>>> netbios name = ALFA
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>> winbind, ntp_signd, kcc
>>> dns forwarder = 10.44.0.10
>>> logon path = \\%L\profiles\%U
>>> logon home = \\%N\%U
>>> logon drive = U:
>>> domain logons = Yes
>>> domain master = Yes
>>> local master = Yes
>>> preferred master = Yes
>>> os level = 65
>>> log level = 3
>>>
>>> [homes]
>>> comment = Home Directories
>>> valid users = %ACCOUNTNAME%, %S, %D%w%S
>>> browseable = No
>>> read only = No
>>>
>>> [profiles]
>>> path = /usr/local/samba/Profiles/
>>> read only = No
>>>
>>> [netlogon]
>>> path = /usr/local/samba/var/locks/sysvol/neurodcar.mtz.sld.cu/scripts
>>> read only = No
>>>
>>> [sysvol]
Thanks friends, all working fine now.

I want to ask another question: can the last part of the URL above
(changing permissions of the shared files) be done without Window$, using a
Samba4 tool?