AIX Open Source

  • 1.  Samba does not honor explicit user/group entries in NFS4 ACLs?

    Posted Tue February 28, 2023 11:15 AM

    Hi, I am configuring (trying to ...) a standalone Samba server on AIX 7.2 for a shared folder with NFS4 ACL.

    To me it looks like Samba does not honor any explicit user or group entries in the ACL. For example, with this ACL:

    s:(OWNER@):     a       rwpRWxDaAdcCs   fidi
    s:(OWNER@):     d       o       fidi
    s:(GROUP@):     a       rwpRWxDadcs     fidi
    s:(GROUP@):     d       ACo     fidi
    g:sapusers:     a       rwpRWxDadcs     fidi
    g:sapusers:     d       ACo     fidi
    s:(EVERYONE@):  a       rRxadcs
    s:(EVERYONE@):  d       wpWDACo

    When I now map a drive to this directory as a user that is in the sapusers group, I cannot create any file or subdirectory but can see existing content. Just like what the EVERYONE can do. The same happens even if there is an explicit entry (with same write access) for my user.

    If I give "wp" to the EVERYONE (like in the entry for sapusers), then I can create files/subdirectories. If I then create something with my user via Samba, then the created file or subdirectory does have my user and primary group as the owner/group. So Samba does properly identify/impersonate me. But it does not match my name (and group membership) to explicit ACL entries.

    When I access the same directory as the same user with WinSCP, then the ACL works as expected and I can create files/subdirectories.

    Is that a known bug or limitation in Samba?



    ------------------------------
    Kai-Uwe Rommel
    ------------------------------
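To make the expectation in the post concrete, here is an added example (not code from the thread, from Samba or from AIX) that parses the `aclget`-style NFS4 ACL listing above and evaluates it the way the NFS4 model prescribes: ACEs are walked in order, and for each permission bit the first matching allow or deny entry decides. The principals, the group `sapusers` membership and the permission-letter table are assumptions taken from the post and from the AIX NFS4 ACL letter set; the principal names are constructed. Running it shows that a POSIX member of `sapusers` should receive `w` (add file) and `p` (add subdirectory), while a principal that only matches `EVERYONE@` should not, which is exactly the difference between what WinSCP (evaluating POSIX identities over SSH) and Samba (evaluating its own SMB session identity) delivered.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: the ACL from the post, in the format printed by aclget on AIX.
SAMPLE_ACL = """\
s:(OWNER@):     a       rwpRWxDaAdcCs   fidi
s:(OWNER@):     d       o       fidi
s:(GROUP@):     a       rwpRWxDadcs     fidi
s:(GROUP@):     d       ACo     fidi
g:sapusers:     a       rwpRWxDadcs     fidi
g:sapusers:     d       ACo     fidi
s:(EVERYONE@):  a       rRxadcs
s:(EVERYONE@):  d       wpWDACo
"""

# NFS4 permission letters as used by AIX aclget (assumption: standard AIX letter set).
PERM_NAMES = {
    "r": "read data / list directory", "w": "write data / add file",
    "p": "append data / add subdirectory", "R": "read named attributes",
    "W": "write named attributes", "x": "execute / traverse",
    "D": "delete child", "a": "read attributes", "A": "write attributes",
    "d": "delete", "c": "read ACL", "C": "write ACL",
    "o": "write owner", "s": "synchronize",
}


@dataclass
class Ace:
    kind: str        # 's' special identity, 'u' user, 'g' group
    who: str         # OWNER@, GROUP@, EVERYONE@, or a user/group name
    allow: bool      # 'a' = allow entry, 'd' = deny entry
    perms: Set[str]  # permission letters this entry covers
    flags: str       # inheritance flags such as 'fidi' (may be empty)


@dataclass
class Principal:
    user: str
    groups: Set[str]       # primary plus supplementary POSIX groups
    is_owner: bool         # principal owns the object (matches OWNER@)
    in_owning_group: bool  # principal is in the owning group (matches GROUP@)


def parse_acl(text: str) -> List[Ace]:
    """Parse aclget NFS4 output into an ordered list of ACEs."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # aclget prints '*' comment headers
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in ("a", "d"):
            raise ValueError(f"malformed ACE: {raw!r}")
        kind, _, who = fields[0].partition(":")
        who = who.rstrip(":").strip("()")     # '(OWNER@):' -> 'OWNER@', 'sapusers:' -> 'sapusers'
        perms = set(fields[2])
        unknown = perms - PERM_NAMES.keys()
        if kind not in ("s", "u", "g") or unknown:
            raise ValueError(f"unsupported ACE: {raw!r}")
        flags = fields[3] if len(fields) > 3 else ""
        aces.append(Ace(kind, who, fields[1] == "a", perms, flags))
    return aces


def ace_matches(ace: Ace, p: Principal) -> bool:
    """Does this ACE apply to the principal under POSIX identity rules?"""
    if ace.kind == "s":
        return {"OWNER@": p.is_owner, "GROUP@": p.in_owning_group,
                "EVERYONE@": True}.get(ace.who, False)
    if ace.kind == "u":
        return ace.who == p.user
    return ace.who in p.groups  # kind == 'g'


def effective_perms(aces: List[Ace], p: Principal) -> Set[str]:
    """NFS4 evaluation: per bit, the first matching ACE that names it decides; no match = denied."""
    granted: Set[str] = set()
    for bit in PERM_NAMES:
        for ace in aces:
            if bit in ace.perms and ace_matches(ace, p):
                if ace.allow:
                    granted.add(bit)
                break
    return granted


def can_create(aces: List[Ace], p: Principal) -> Dict[str, bool]:
    """On a directory, 'w' governs adding files and 'p' governs adding subdirectories."""
    perms = effective_perms(aces, p)
    return {"file": "w" in perms, "subdirectory": "p" in perms}


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed principals: a sapusers member and an unrelated user; neither owns the directory.
    member = Principal("kai", {"staff", "sapusers"}, is_owner=False, in_owning_group=False)
    other = Principal("guest", {"staff"}, is_owner=False, in_owning_group=False)
    for who in (member, other):
        perms = effective_perms(acl, who)
        print(f"{who.user}: {''.join(sorted(perms))} -> create {can_create(acl, who)}")
```

The member ends up with `rwpRWxDadcs` (write/append/delete-child granted, `ACo` denied by the explicit deny on `g:sapusers`), while the other user gets only the `EVERYONE@` allow set `rRxadcs` with `wp` denied. When a share behaves like the second case for a user who is in the first, the ACL itself is not the problem; the identity Samba presents to the ACL check is, which is the direction the follow-up reply about group mapping points in.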


  • 2.  RE: Samba does not honor explicit user/group entries in NFS4 ACLs?

    Posted Wed March 01, 2023 01:55 AM
    Edited by Samba Support SerNet Wed March 01, 2023 01:57 AM

    Hi

    my crystal ball tells me that the group membership that you mention is just a POSIX group membership but not a samba group membership. In other words, a samba groupmapping is missing, "net groupmap add ...".  If this would be a domain setup and depending on how your idmapping would look like and whether or not the user is a local user or a domain user, the answer might be more complex then :-)



    ------------------------------
    --
    Samba Support: https://samba.plus
    SAMBA+ for AIX: https://samba.plus/samba-aix
    phone: +1 415 248-7818
    mailto:samba@sernet.de
    ------------------------------



  • 3.  RE: Samba does not honor explicit user/group entries in NFS4 ACLs?

    Posted Thu March 02, 2023 06:41 AM
    Edited by Kai-Uwe Rommel Thu March 02, 2023 06:46 AM

    Thanks, good point. Yes, the sapusers group in the sample and the user account I use are just "local Unix" e.g. POSIX group/user accounts. The Samba server is standalone, no AD integration. Somehow Samba does already recognize my user and objects created are properly owned by my user ID. But I don't see yet how I can use "net groupmap" to solve the problem. As far as I can see right now it is meant to map a Samba group (SID) onto a POSIX group. I tried to create a groupmapping but it does not help. Could you perhaps sketch out a bit how I would approach the problem with net group/groupmap?

    BTW, as I also wrote, the problem is not only with groups. Even if I add an ACL entry directly for my (Unix) user name, Samba does not recognize/use it. All that it applies to my user/connection is the EVERYONE ACL entry ...

    ------------------------------
    Kai-Uwe Rommel
    ------------------------------



  • 4.  RE: Samba does not honor explicit user/group entries in NFS4 ACLs?

    Posted Tue March 14, 2023 10:18 AM
    Edited by Kai-Uwe Rommel Tue March 14, 2023 10:18 AM

    With no further response here and no response elsewhere (and almost no other places to ask), I assume there is no solution for what I was looking for.

    We will for the desired purpose now probably abandon Samba and move the users to WinSCP (that works with NFS4 ACLs).



    ------------------------------
    Kai-Uwe Rommel
    ------------------------------



  • 5.  RE: Samba does not honor explicit user/group entries in NFS4 ACLs?

    Posted Wed March 15, 2023 08:18 AM

    No option to ask is not completely right.  Maybe this is true if you look for unpaid quick help in public forums.

    There are however companies (like us...), who offer professional support for Samba on AIX and any other platform.



    ------------------------------
    --
    Samba Support: https://samba.plus
    SAMBA+ for AIX: https://samba.plus/samba-aix
    phone: +1 415 248-7818
    mailto:samba@sernet.de
    ------------------------------