
Thread: Ubuntu Server Samba and Windows ACLs

  1. #11
    Join Date
    Apr 2008
    Beans
    215

    Re: Ubuntu Server Samba and Windows ACLs

    Quote Originally Posted by koenn View Post
    when you have samba and posix acl, you'll be able to manage ACLs through the Security Dialog on the share, from Windows, just like you could with a Windows file server. It does help if you keep in mind that Microsoft ACLs are not completely POSIX compliant - read 'man setfacl' to understand how things work from the Linux side as well, it sometimes helps to understand things
    I am aware of that aspect. However, I did not read anywhere that ACL entries could not be made for individual users. All I really need is in the way of access is NONE, RO and RW. But, I DO need them to be able to be applied in different combinations for different users.
    Quote Originally Posted by koenn View Post
    For your user problem :
    As you don't have a domain or an other form of central user management, your users are local to the file server. This means you need to create user accounts (and groups) on the server itself. You'd have to do the same if this was a Windows file server, right ?

    You can create them with the command 'smbpasswd -a username'. These are NOT Linux user accounts. You may need to create Linux user accounts for the same users as well - the account names will be the same but they will be separate entities.
    Correct. ...and I HAVE created a test set of users on the Linux box and added them to the Samba users' database.


    Quote Originally Posted by koenn View Post
    You also have to set the samba security model ('user' I think, but you need to check).
    Yup. ...and already done.

    Quote Originally Posted by koenn View Post
    When this works, The security dialog should recognise your samba users - you may have to use the search function (location = your server) to get them.
    If this works, you can try groups as well.
    This is where the wheels fall off the wagon. I can not add users and when I search for them, I get the message "An object named 'xxxxx' cannot be found. Check the selected object types and location for accuracy and ensure that you typed the object name correctly, or remove this object from the selection." This is in spite of the fact that the user does exist and is part of the Samba users. I can log in to the Samba server with that user and that user can create, edit and delete files.

    Quote Originally Posted by koenn View Post
    It's probably best you read up on this in the official samba documentation or find one of their recipes that matches your situation.

    http://www.samba.org/samba/docs/man/...sControls.html
    I think I have been through that page, but I will check it again, just to be sure.

  2. #12
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Ubuntu Server Samba and Windows ACLs

    hm ... difficult. I have a working samba with posix ACL that I can manage with Windows Security Dialog, but it's an AD integrated samba, so it uses domain accounts. Works as expected.

    I have another samba with security=user, but it doesn't have POSIX ACLs so it has only the user/group/other permission bits (and a representation of that visible in Windows' security dialog)

    So I can't test/search where your setup goes wrong (unless I setup Posix ACL on that 2nd box, but I was not really planning to).


    Couple of ideas :
    * you're absolutely sure you have Posix ACL working ? It should be visible when you run
    Code:
    mount
    Could you post that output ?

    * do the posix acl work when you use them on the linux box, i.e. with setfacl and getfacl i.s.o windows gui ?

    * (Long shot:) You might have to give user account names in the form LOGONDOMAIN\username or LOGONDOMAIN\\username, where LOGONDOMAIN is the hostname of the SAMBA server.

  3. #13
    Join Date
    Apr 2008
    Beans
    215

    Re: Ubuntu Server Samba and Windows ACLs

    Code:
    /dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro)
    proc on /proc type proc (rw,noexec,nosuid,nodev)
    /sys on /sys type sysfs (rw,noexec,nosuid,nodev)
    varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
    varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
    udev on /dev type tmpfs (rw,mode=0755)
    devshm on /dev/shm type tmpfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    /dev/sda3 on /media/Vol1 type ext3 (rw,relatime,acl)
    securityfs on /sys/kernel/security type securityfs (rw)
    /dev/sda3 is the Samba share.

  4. #14
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Ubuntu Server Samba and Windows ACLs

    looks OK to me.
    Have you tried reading ACL with getfacl or editing them with setfacl ? Does that work ?

  5. #15
    Join Date
    Apr 2008
    Beans
    215

    Re: Ubuntu Server Samba and Windows ACLs

    Quote Originally Posted by koenn View Post
    looks OK to me.
    Have you tried reading ACL with getfacl or editing them with setfacl ? Does that work ?
    It appears to. Sample output from getfacl on a file on the share.
    Code:
    # file: test.txt
    # owner: Harry
    # group: SambaUsers
    user::rw-
    group::r--
    other::r--

  6. #16
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Ubuntu Server Samba and Windows ACLs

    yes, but it shows nothing but the ordinary linux user(owner)/group/others permissions.

    can you add one, eg
    Code:
    setfacl -m u:Tom:rwx /path/to/test.txt
    does that work ? can you see the change with getfacl ? and from Windows ?

  7. #17
    Join Date
    Jan 2007
    Location
    London, UK
    Beans
    3,525
    Distro
    Ubuntu Development Release

    Re: Ubuntu Server Samba and Windows ACLs

    I know you are not looking for PDC but you will find plenty of useful info in this thread in regards to samba - http://ubuntuforums.org/showthread.php?t=1184288
    You came empty handed, that is how you shall leave. Whatever you claim as yours today, belonged to someone else yesterday, will be someone else's tomorrow.

  8. #18
    Join Date
    Apr 2008
    Beans
    215

    Re: Ubuntu Server Samba and Windows ACLs

    Quote Originally Posted by koenn View Post
    yes, but it shows nothing but the ordinary linux user(owner)/group/others permissions.

    can you add one, eg
    Code:
    setfacl -m u:Tom:rwx /path/to/test.txt
    does that work ? can you see the change with getfacl ? and from Windows ?
    getfacl from the server:
    Code:
    # file: test.txt
    # owner: Harry
    # group: SambaUsers
    user::rw-
    user:Tom:rwx
    group::r--
    mask::rwx
    other::r--
    And, yes, I can see user Tom in the Windows Security dialog and manipulate his settings and those changed settings are reflected in the Samba server's ACL. However, interestingly enough, I can not delete Tom from Windows. It appears to work, but the deletion does not propagate to Linux -- and if I close the Windows security dialog and then reopen it, Tom shows up again.

    I can still not add anyone from the Windows dialog.
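
The getfacl output in post #18 can be checked against the NONE / RO / RW levels asked for in post #11. The following is an added example, not part of any post in this thread: it parses getfacl text and applies the POSIX ACL check order (owner, named user, groups, other) with the mask. The function names and the users "Dick" and "Guest" in the test are hypothetical.

```python
# Constructed sample: the getfacl output from post #18.
SAMPLE = """\
# file: test.txt
# owner: Harry
# group: SambaUsers
user::rw-
user:Tom:rwx
group::r--
mask::rwx
other::r--
"""

def parse_getfacl(text):
    """Parse getfacl output into owner, owning group and ACL entries."""
    acl = {"owner": None, "group": None, "user": {}, "grp": {},
           "mask": None, "other": set()}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # Drop a trailing "#effective:..." note, then split tag:name:perms.
            tag, name, perms = line.split("#")[0].strip().split(":")
            perms = set(perms) - {"-"}
            if tag == "user":
                acl["user"][name] = perms      # name "" is the file owner
            elif tag == "group":
                acl["grp"][name] = perms       # name "" is the owning group
            else:
                acl[tag] = perms               # "mask" or "other"
    return acl

def access_level(acl, user, groups=()):
    """Classify `user` as NONE, RO or RW using the POSIX ACL check order."""
    mask = acl["mask"]
    masked = lambda p: p if mask is None else p & mask
    if user == acl["owner"]:
        found = [acl["user"][""]]              # owner entry is never masked
    elif user in acl["user"]:
        found = [masked(acl["user"][user])]    # named user entry, masked
    else:
        names = set(groups) | ({""} if acl["group"] in groups else set())
        found = [masked(p) for n, p in acl["grp"].items() if n in names]
        found = found or [acl["other"]]        # "other" only if no group matched
    if any({"r", "w"} <= p for p in found):
        return "RW"
    return "RO" if any("r" in p for p in found) else "NONE"
```

With the ACL from post #18, Harry and Tom come out as RW and a member of SambaUsers as RO; tightening the mask to r-- drops Tom to RO while the owner keeps RW, because the mask does not apply to the owner entry.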

  9. #19
    Join Date
    Apr 2008
    Beans
    215

    Re: Ubuntu Server Samba and Windows ACLs

    Quote Originally Posted by ukripper View Post
    I know you are not looking for PDC but you will find plenty of useful info in this thread in regards to samba - http://ubuntuforums.org/showthread.php?t=1184288
    Good stuff!

    I would like to do this in the future. The problem is two-fold. One, we are a non-profit organization and in this economy, we really have virtually no money to do anything. Secondly, so far, our Board of Directors has been vehemently anti-Linux. Since this file server is needed badly and there is no money to do it in a Windows-only environment, I am hoping that the Board will see this as a viable alternative and in-so finding out that Linux is not the devil. The server, though, needs to be fairly transparent to the staff (who will be using only Windows) for it to be acceptable. If I can get past that and get Linux in the door, I may be able to do a lot more for little money here. Having a domain would be one of those things.

  10. #20
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Ubuntu Server Samba and Windows ACLs

    Quote Originally Posted by H.Callahan View Post
    And, yes, I can see user Tom in the Windows Security dialog and manipulate his settings and those changed settings are reflected in the Samba server's ACL. However, interestingly enough, I can not delete Tom from Windows. It appears to work, but the deletion does not propagate to Linux -- and if I close the Windows security dialog and then reopen it, Tom shows up again.

    I can still not add anyone from the Windows dialog.
    Interesting.
    Well, I don't know then. I haven't done workgroups since Windows 98 so I'm not sure where to look next. Sounds like a communication problem between Windows and Samba (eg in deleting the user from the ACL), or a protocol question (eg in Windows not being able to read a list of users off the server).

    One last thing you could try is editing the ACL from the 'Advanced' section of the security dialog and see if that makes a difference. I've experienced that some settings against a samba server didn't work from the basic view, but were manageable in 'Advanced'. Maybe worth the try.

    Other than that, hopefully we've narrowed it down sufficiently for someone else to help you further, or for you to know where to start looking for more help (maybe a samba forum ?)

    Or you could work around it, eg if you add / remove users to the ACL with a sensible default, your colleagues/users might edit them further.

    Since you're just testing, do consider trying the PDC approach. It won't cost you anything extra, and might help solving this problem because domain users are known to the domain, not just to the server. And an NT4 style domain is pretty simple - it's like a workgroup with centralised user accounts.

    GL & HF
