Samba – How to configure a Samba file server to be a Windows look-alike

Tags: access-control-list, file-permissions, file-sharing, network-share, samba

I'm using an openfiler appliance in an Active Directory (W2k8R2 DC) environment. I would like to make my shares look as much as possible like Windows shares for my users. Most things work well, but some just drive me crazy. ATM my biggest problem is making the ACLs as seen by Windows clients clear:

(Screenshot: Windows ACL Editor)

As you see, there are entries for Everyone, nobody, CREATOR OWNER and CREATOR GROUP. I know all these entries are mapped from my POSIX ACLs like owner:group:other. For most Windows users it's just confusing; especially Everyone freaks some people out, as they think everyone has access. How could I get rid of these entries and just have:

  • G-PM-PMFS01-ADM => Full Access
  • L-PM-PMFS01-DEPOT-C => Change/Modify
  • L-PM-PMFS01-DEPOT-R => Read only

L-PM-PMFS01-DEPOT-R is atm the only group that is completely right. G-PM-PMFS01-ADM is listed with "special", but it has full access because it's the "primary group" in POSIX. L-PM-PMFS01-DEPOT-C is listed with full access because it got rwx in POSIX. I tried changing acl map full control, but got no different results setting it to false.

So my question is: what should I set in my smb.conf to make an almost 100% Windows look-(and feel-)alike file server with Samba?

I know this is somehow possible on commercial products from EMC or NetApp so I think there should be a way.

Current share part of smb.conf:

[depot]
    comment = depot
    path = /mnt/vg1/v001/depot
    read only = no
    writeable = yes
    oplocks = yes
    level2 oplocks = yes
    force security mode = 0
    dos filemode = yes
    dos filetime resolution = yes
    dos filetimes = yes
    fake directory create times = yes
    browseable = yes
    csc policy = manual
    veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
    veto files = /*:Zone.Identifier:*/
    create mode = 0770
    directory mode = 2770
    printable = no
    guest ok = no
    hosts allow =  172.16.10.0/24 172.16.30.0/24 172.16.10.0/24
    hosts readonly allow =
    store dos attributes = yes
    map acl inherit = yes
    inherit acls = yes
    inherit owner = yes
    inherit permissions = yes

Current getfacl output:

# file: mnt/vg1/v001/depot/
# owner: nobody
# group: g-pm-pmfs01-adm
# flags: -s-
user::rwx
group::rwx
group:l-pm-pmfs01-depot-c:rwx
group:l-pm-pmfs01-depot-r:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:l-pm-pmfs01-depot-c:rwx
default:group:l-pm-pmfs01-depot-r:r-x
default:mask::rwx
default:other::---

Best Answer

The Problem

You are using POSIX ACL mappings for Samba's ACL handling. This is the default behavior (and has been for a very long time now), but if you want a Windows-like ACL experience, this is Doing It Wrong, since POSIX ACLs are missing a number of concepts and rights of NTFS ACLs, so the mapping will always remain incomplete and "feel wrong".

The Solution

What you are looking for is vfs_acl_xattr. This is a method of storing feature-complete NTFS ACLs in extended attributes instead of trying to map them into POSIX ACLs.

The downside is that the corresponding xattr is only evaluated by Samba, so interoperability suffers: ACLs set through Samba are no longer in sync with what your Linux host would see (and possibly expose through other means like NFS), and vice versa, manipulating Linux ACLs would not modify the NTFS ACLs.

The Codez

[global]
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

The Further Reading

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
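To see why the Windows ACL editor shows Everyone, nobody, CREATOR OWNER and CREATOR GROUP for the getfacl output in the question, here is an added illustration (written for this page, not Samba's own code and not from either post) of how the POSIX ACL mapping that the answer calls incomplete presents each POSIX entry. It assumes the default acl map full control = yes and uses the question's getfacl output as constructed input.

```python
# Constructed sample input: the getfacl output quoted in the question (header lines abridged).
SAMPLE_GETFACL = """\
# owner: nobody
# group: g-pm-pmfs01-adm
user::rwx
group::rwx
group:l-pm-pmfs01-depot-c:rwx
group:l-pm-pmfs01-depot-r:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:l-pm-pmfs01-depot-c:rwx
default:group:l-pm-pmfs01-depot-r:r-x
default:mask::rwx
default:other::---
"""
# Windows labels for the rights Samba derives from a POSIX rwx triple; assumes the
# default 'acl map full control = yes', under which rwx is shown as Full Control.
RIGHTS = {"rwx": "Full Control", "r-x": "Read & Execute", "r--": "Read",
          "---": "(no rights, but the entry is still listed)"}

def apply_mask(perms, mask):  # POSIX mask caps named entries and the owning group entry
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))

def posix_acl_to_windows_view(getfacl_text):
    """Return (principal, rights, inherit_only) rows as Samba's POSIX ACL mapping
    surfaces them in the Windows ACL editor (illustration, not Samba's own code)."""
    owner, group, entries = None, None, []
    for line in getfacl_text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            is_default = line.startswith("default:")
            tag, qual, perms = (line[8:] if is_default else line).split(":")
            entries.append((is_default, tag, qual, perms))
    masks = {d: perms for d, tag, _, perms in entries if tag == "mask"}
    rows = []
    for is_default, tag, qual, perms in [e for e in entries if e[1] != "mask"]:
        if qual or tag == "group":  # mask applies to named entries and to group::
            perms = apply_mask(perms, masks.get(is_default, "rwx"))
        if tag == "other":          # other:: is always shown as Everyone, even with ---
            principal = "Everyone"
        else:                       # user::/group:: are the owner and owning group;
            implicit = (owner, "CREATOR OWNER") if tag == "user" else (group, "CREATOR GROUP")
            principal = qual or implicit[is_default]  # default:* become CREATOR OWNER/GROUP
        rows.append((principal, RIGHTS.get(perms, f"Special ({perms})"), is_default))
    return rows
```

Each row with inherit_only set to True is an inherit-only entry that only applies to newly created children, which is why the defaults appear as separate CREATOR OWNER and CREATOR GROUP lines in the editor.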