I'm using an Openfiler appliance in an Active Directory (W2k8R2 DC) environment. I would like to make my shares look as much like Windows shares as possible for my users. Most things work well, but some just drive me crazy. ATM my biggest problem is making the ACLs, as seen by Windows clients, clear:
[Screenshot: Windows ACL Editor]
As you can see, there are entries for Everyone, nobody, CREATOR OWNER and CREATOR GROUP. I know all these entries are mapped from my POSIX ACLs, like owner:group:other. For most Windows users it's just confusing; especially Everyone freaks some people out, as they think everyone has access. How could I get rid of these entries and just have:
- G-PM-PMFS01-ADM => Full Access
- L-PM-PMFS01-DEPOT-C => Change/Modify
- L-PM-PMFS01-DEPOT-R => Read only
L-PM-PMFS01-DEPOT-R is ATM the only group that is completely right. G-PM-PMFS01-ADM is listed with special, but it has full access because it's the "primary group" in POSIX. L-PM-PMFS01-DEPOT-C is listed with full access because it got rwx on POSIX. I tried to change acl map full control, but got no different results setting it to false.
So my question is: what should I set in my smb.conf to make an almost 100% Windows look-and-feel-alike file server with Samba?
I know this is somehow possible on commercial products from EMC or NetApp, so I think there should be a way.
Current share section of smb.conf:
[depot]
comment = depot
path = /mnt/vg1/v001/depot
read only = no
writeable = yes
oplocks = yes
level2 oplocks = yes
force security mode = 0
dos filemode = yes
dos filetime resolution = yes
dos filetimes = yes
fake directory create times = yes
browseable = yes
csc policy = manual
veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
veto files = /*:Zone.Identifier:*/
create mode = 0770
directory mode = 2770
printable = no
guest ok = no
hosts allow = 172.16.10.0/24 172.16.30.0/24 172.16.10.0/24
hosts readonly allow =
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
Current getfacl output:
# file: mnt/vg1/v001/depot/
# owner: nobody
# group: g-pm-pmfs01-adm
# flags: -s-
user::rwx
group::rwx
group:l-pm-pmfs01-depot-c:rwx
group:l-pm-pmfs01-depot-r:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:l-pm-pmfs01-depot-c:rwx
default:group:l-pm-pmfs01-depot-r:r-x
default:mask::rwx
default:other::---
Best Answer
The Problem
You are using POSIX ACL mappings for Samba's ACL handling. This is the default behavior (and has been for a very long time now), but if you want a Windows-like ACL experience, this is Doing It Wrong, since POSIX ACLs are missing a number of the concepts and rights of NTFS ACLs, so the mapping will always remain incomplete and "feel wrong".
The Solution
What you are looking for is vfs_acl_xattr. This is a method of storing feature-complete NTFS ACLs in extended attributes instead of trying to map them into POSIX ACLs.
The downside is that the corresponding xattr is only evaluated by Samba, so interoperability suffers - ACLs set through Samba are no longer in sync with what your Linux host would see (and possibly expose through other means like NFS) and vice versa - manipulating Linux ACLs would not modify the NTFS ACLs.
The Codez
The Further Reading
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
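As an added illustration (not the answer's own code, which is absent above), here is the asker's [depot] share rewritten to use the acl_xattr VFS module the answer recommends, next to the POSIX-mapping settings it replaces. The share path and group names are taken from the question; the Samba parameters are the documented ones from the linked wiki page.

```ini
# --- Before: POSIX ACL mapping (what the question currently has) ---
# Windows sees owner/group/other mapped to nobody, CREATOR OWNER,
# CREATOR GROUP and Everyone; "acl map full control" only tweaks
# how rwx is presented, it cannot remove those synthetic entries.
;[depot]
;    path = /mnt/vg1/v001/depot
;    create mode = 0770
;    directory mode = 2770
;    map acl inherit = yes
;    inherit acls = yes
;    inherit permissions = yes

# --- After: NT ACLs stored in the security.NTACL extended attribute ---
[global]
    # Load the module for every share; the wiki recommends doing this globally.
    vfs objects = acl_xattr
    # Keep NT inheritance flags and DOS attributes in xattrs as well,
    # so the Windows ACL editor shows real inherited ACEs, not POSIX guesses.
    map acl inherit = yes
    store dos attributes = yes

[depot]
    comment = depot
    path = /mnt/vg1/v001/depot
    read only = no
    browseable = yes
    guest ok = no
    # Leave POSIX modes permissive (the filesystem still enforces them);
    # the effective access control now comes from the stored NT ACL,
    # which an admin in G-PM-PMFS01-ADM edits from Windows in the usual way.
    create mask = 0770
    directory mask = 2770
```

The backing filesystem must support the security.* xattr namespace, and existing files keep their POSIX-derived ACL until someone re-applies permissions from the Windows ACL editor, so plan a one-time ACL pass over the share after switching.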