Author Topic: Samba and managing ACL  (Read 4626 times)

bufke

Samba and managing ACL
« on: October 04, 2013, 05:18:41 pm »
Hello,

I see on Zentyal 3.2 this change:
Ignore system ACLs for samba shares, use libsamba-perl library instead.

Are system-level ACLs not supported at all now? Is there some new method to micromanage permissions? The Zentyal GUI does not appear capable of micromanaging subdirectory permissions.

I see there is still in /etc/zentyal/samba.conf
unmanaged_acls = yes
To me, this implies it's OK to set the ACLs manually and in 3.0 this worked fine.

I might suggest adding this ACL change to the release notes. This could really cause disruption for someone upgrading from 3.0 and unaware.

Lonniebiz

Re: Samba and managing ACL
« Reply #1 on: October 04, 2013, 05:50:15 pm »
I can confirm that there is absolutely no backwards compatibility in terms of Samba shares when upgrading from Zentyal 3.0 to 3.2.

I can't believe they'd release this without thoroughly testing the upgradeability from "Zentyal 3.0 samba shares" to "Zentyal 3.2 samba shares" first. I consider this a core service.

At the moment, you have to recreate all shares, and currently samba group permissions do not work; if you want a particular grouping of say 100 users to have a certain access to a share, you must set each user's permissions individually (for all 100 users). Here's a related bug report:

http://trac.zentyal.org/ticket/7382

I'm sure they're working hard to fix these issues, but be aware of its current state.

« Last Edit: October 04, 2013, 08:39:54 pm by Lonniebiz »

spiral

Re: Samba and managing ACL
« Reply #2 on: October 04, 2013, 07:31:25 pm »
I did notice that Zentyal 3.2 did boot faster in relation to this. Because of the unmanaged_acls option in 3.0, it would take 10+ minutes for Zentyal to boot, because it was reapplying permissions on many thousands of files on the network share. But my permissions were not defined separately on subdirectories; they all inherited parent permissions, so I guess it is a plus for me, but agreed, there should have been something mentioning this...

bufke

Re: Samba and managing ACL
« Reply #3 on: October 04, 2013, 09:49:27 pm »

jnm

Re: Samba and managing ACL
« Reply #4 on: October 04, 2013, 09:55:37 pm »
Maybe unmanaged_acls still prevents the GUI settings from overwriting subdirectory permissions, but now all custom ACLs must be configured with smbcacls or the Security tab of the Properties dialog box on a Windows client?

@spiral, I see that there was an additional fix to "Only set share permissions when there is really a permission change instead of doing it on every samba restart", so we should be able to still set subdirectory permissions and not have the server take ten minutes to boot.

spiral

Re: Samba and managing ACL
« Reply #5 on: October 05, 2013, 08:52:49 pm »
Thanks for the heads-up. I need to pay closer attention to GitHub for Zentyal, I think.