Make Samba file server ACLs act more like a Windows file server

[Brazen]

using Samba 3.0.10-1.4E.9 (the latest in the CentOS repos)

here is the mount options for the shared partition:

/dev/sdb1 on /export type ext3 (rw,acl,user_xattr)

and here is my smb.conf:

[global]

realm = DOMAIN
workgroup = DOMAIN
security = ADS
encrypt passwords = yes

winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#map acl inherit = yes

[test]
comment = Testing shared directory
read only = no
path = /export/testshare
user = @"DOMAIN+domain users"
admin users = DOMAIN\Domain Admins

Now everything works, but when viewing security info on folders and files from the Windows client, things look a little messy. There are three entries that can not be removed for Owner/Group/Everyone, even if they are removed, they come back with blank permissions as soon as the Apply button is hit. It would be nice if these just didn't show up.

So basically, I just want it to appear more Windows-like (not so much for me, but to keep the other techs from getting confused, and they are easily confused). Is there anything else that people would suggest: changing ext3 options? changing the file system altogether? changing Samba options? Anything to make our file serving experience that much more pleasant Particularly, would there be any compelling reason to go outside the yum repos and get the latest version of Samba (3.0.23c)?

 

[Brazen]

I think I may be able to hide the owner/group/everyone acls with some of the *mask options? such as "create mask" "directory mask" or "directory security mask". I'm not really sure though. I'm still reading and will have to play aroung with these.

I also think I'm going to enable the "store dos attributes" and (required for this) then disable the "map hidden", "map system", and "map archive" options.

 

[Brazen]

Well, I figured if anyone new how to set up a samba share that worked seemlessly with Windows, it would be the folks over at OpenFiler. So I set up an OpenFiler server and threw down a shared folder. I connected to the share from Windows, created a folder and a file, and played around with the permissions... to my dismay, they acted just like the permissions on my CentOS file server. The standard Unix ACL triplet kept coming back. Not that anyboday cares, apparently.

 

[drag]

Well I don't think it's that.

It's probably nobody realy knows here. If you can't get a good answer it's probably time to look at a more authoritative source.

Options:
The SAMBA manual is quite exauhstive. I am sure that there is a big section on ACLs
CentOS forums. I am sure that there are plenty of people with similar problems there.
SAMBA mailing list.
unixsamba usenet group or just use group.google.com http://groups.google.com/groups?q=group%3Amailing.unix.samba*
#samba irc channel.

Personally I would like to help, but I just don't know much about Samba besides a simple setup for sharing out media files.

 

[Brazen]

heh, yeah I was just kinda having dialog with myself and for the benefit of anyone else who comes browsing through here with the same question.

I've found a couple messages in the Samba mailing list archives asking the same question, with no responses. I would think it would be easy to implement in the code, just have Samba "hide" the OGU permissions from the client if any of those permissions are 0.

I might try searching around, or posting on some linux forums. That's a good idea that I've overlooked. I think I'm going to also try manually installing the latest version from the Samba website and see if the behavior changes.

Oh yeah, and yes, I've read the Samba manual. I've read and re-read the sections concerning ACLs, and either I'm missing something, or it's not there. Really, I'm thinking it can't be done, but tomorrow I will look just a tad bit more.

 

[cleverhandle]

It's been a long time (i.e. 2-3 years) since I used Samba ACL's. I remember some of the same issues that you describe, but I don't remember seeing any solutions either.