Scenario #31925

smb.conf adaptation

Added by Gilles Grandgérard 7 months ago. Updated 4 months ago.

Status: Done (Sprint)
Priority: Normal
Assigned To:
Category: -
Start date: 04/06/2021
Due date: 04/23/2021
% Done: 100%
Story points: 1.0
Remaining (hours): 0.00 hour
Velocity based estimate:
Release:
Release relationship: Auto

Description

Add to the template, to disable system ACLs:

acl_xattr:ignore system acl = yes

See the note on the Samba Wiki, cf. https://wiki.samba.org/index.php?title=Setting_up_a_Share_Using_Windows_ACLs&type=revision&diff=17345&oldid=17307

To do


Subtasks

Task #32029: Add the configuration to the template - Won't fix - Ludwig Seys


Related issues

Related to Distribution EOLE - Task #32076: Validate the scenario smb.conf adaptation (sprint 14-16) Closed 04/08/2021
Blocked by EOLE AD DC - Task #32207: Decide whether to enable ACLs in Windows mode Closed 05/06/2021

History

#1 Updated by Gilles Grandgérard 6 months ago

  • Due date set to 04/23/2021
  • Target version set to Prestation Cadoles MEN 2021 14-16
  • Start date set to 04/06/2021
  • Story points set to 1.0

#2 Updated by Emmanuel GARETTE 6 months ago

  • Assigned To set to Philippe Caseiro

#3 Updated by Joël Cuissinat 6 months ago

  • Description updated (diff)

#4 Updated by Joël Cuissinat 6 months ago

  • Related to Task #32076: Validate the scenario smb.conf adaptation (sprint 14-16) added

#5 Updated by Emmanuel GARETTE 5 months ago

  • Status changed from New to In progress
  • Assigned To changed from Philippe Caseiro to Ludwig Seys

#6 Updated by Ludwig Seys 5 months ago

  • Due date deleted (04/23/2021)
  • Target version deleted (Prestation Cadoles MEN 2021 14-16)
  • Start date deleted (04/06/2021)
  • Release deleted (EOLE 2.8.1)

Several points should be noted:

- the proposed change is misspelled: the "s" in acls is missing, compared with what is in the man page:
That is => acl_xattr:ignore system acls = yes

- an additional line needs to be added so that the ACLs of system users are not taken into account:
acl_xattr:default acl style = windows

cf.: https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html

acl_xattr:default acl style = [posix|windows|everyone]

    This parameter determines the type of ACL that is synthesized in case a file or directory lacks an security.NTACL xattr.

    When set to posix, an ACL will be synthesized based on the POSIX mode permissions for user, group and others, with an additional ACE for NT Authority\SYSTEM will full rights.

    When set to windows, an ACL is synthesized the same way Windows does it, only including permissions for the owner and NT Authority\SYSTEM.

    When set to everyone, an ACL is synthesized giving full permissions to everyone (S-1-1-0).

    The default for this option is posix. 

- putting these two settings in place causes a problem for the shares other than [homes] & [profiles], because two values change:

create mask = 0664 becomes 0666
directory mask = 0775 becomes 0777

indeed, as stated in the man page below, these values will be forcibly changed; in our case this conflicts with the group shares, as noted above:

acl_xattr:ignore system acls = [yes|no]
           When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module. The default is no, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs. This is
           better if you need your system ACLs be set for local or NFS file access, too. If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility.

           If acl_xattr:ignore system acls is set to yes, the following additional settings will be enforced:

                  •   create mask = 0666

                  •   directory mask = 0777

                  •   map archive = no

                  •   map hidden = no

                  •   map readonly = no

                  •   map system = no

                  •   store dos attributes = yes

       acl_xattr:default acl style = [posix|windows|everyone]
           This parameter determines the type of ACL that is synthesized in case a file or directory lacks an security.NTACL xattr.

           When set to posix, an ACL will be synthesized based on the POSIX mode permissions for user, group and others, with an additional ACE for NT Authority\SYSTEM will full rights.

           When set to windows, an ACL is synthesized the same way Windows does it, only including permissions for the owner and NT Authority\SYSTEM.

           When set to everyone, an ACL is synthesized giving full permissions to everyone (S-1-1-0).

           The default for this option is posix.

As stated in the man page, the files must then be accessed only through Samba, which is not the case today (scripts place files without going through Samba, and there is FTP access).

- Put simply, to enable this option and see only the current user in the Properties => Security panel, the two lines mentioned above must be added for each share, in the share generation file, i.e. smb-ad.conf:
example

[homes]
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows
xxxx
xxxx
xxxx
xxxx

[profiles]
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows
xxxx
xxxx
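
An added example (not part of the ticket or of EOLE's code): a small Python check that reads a share configuration and reports acl_xattr options that are not among those quoted in the comment above, plus any configured values that the man page excerpt says are forced once `acl_xattr:ignore system acls = yes` is set. The `[group-share]` name and the sample configuration are constructed, and the parser is a simplification of Samba's own (string comparison of values, `[global]` values inherited by every share).

```python
import re

# Settings the vfs_acl_xattr man page excerpt lists as enforced when
# "acl_xattr:ignore system acls = yes".
ENFORCED = {
    "create mask": "0666", "directory mask": "0777",
    "map archive": "no", "map hidden": "no", "map readonly": "no",
    "map system": "no", "store dos attributes": "yes",
}
# acl_xattr options quoted on this page; anything else is reported for review.
QUOTED_OPTIONS = {"ignore system acls", "default acl style"}
PREFIX = "acl_xattr:"

def parse_smb_conf(text):
    """Minimal reader: {section: {key: value}}, names and values lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip().lower()
    return sections

def audit(text):
    """Return (share, message) findings for every non-global section."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    findings = []
    for name, own in sections.items():
        if name == "global":
            continue
        conf = {**defaults, **own}  # share values override [global]
        for key in conf:
            if key.startswith(PREFIX) and key[len(PREFIX):] not in QUOTED_OPTIONS:
                findings.append((name, f"unrecognised option '{key}'"))
        if conf.get(PREFIX + "ignore system acls") in ("yes", "true", "1"):
            for key, forced in ENFORCED.items():
                if key in conf and conf[key] != forced:
                    findings.append((name, f"{key} = {conf[key]} is overridden by {forced}"))
    return findings

# Constructed sample: [homes] carries the misspelling from the description.
SAMPLE = "[global]\ncreate mask = 0664\ndirectory mask = 0775\n" \
    "[homes]\nacl_xattr:ignore system acl = yes\n" \
    "[group-share]\nacl_xattr:ignore system acls = yes\n" \
    "acl_xattr:default acl style = windows\n"
```

Calling `audit(SAMPLE)` reports the misspelled option on `[homes]` and the two widened masks on `[group-share]`, which is the conflict with group shares raised in the comment.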

#7 Updated by Emmanuel GARETTE 5 months ago

  • Due date set to 04/23/2021
  • Target version set to Prestation Cadoles MEN 2021 14-16
  • Start date set to 04/06/2021
  • Release set to EOLE 2.8.1

#8 Updated by Gilles Grandgérard 4 months ago

  • Status changed from In progress to Done (Sprint)
