[RndTbl] weird samba ACLs from MS Office

Trevor Cordes trevor at tecnopolis.ca
Mon Jan 9 20:05:28 CST 2023


On 2023-01-08 Adam Thompson wrote:
> 
> As to setfacl... I'd use icron(8) to do that instantly instead of in
> a batch process.  Neutering ACLs on the share would be far more
> efficient if that's your concern.

I'll look into icron, interesting idea... still kludgy, but
instant-kludge instead of nightly kludge.

> There's bad news here:
> https://serverfault.com/questions/828977/how-can-i-stop-samba-from-writing-extended-acls.

Ugh, so much for that idea.

> Alternatively, if you could find a way to run the backup process with
> CAP_FOWNER and/or CAP_DAC_OVERRIDE and/or CAP_DAC_READ_SEARCH that
> might work around the entire problem.  Do the backups run *through*
> Samba, or locally some other way?  If locally see capsh(1).  (I'm
> unclear whether setcap(8) works like chown -S or what it does,
> really.  But capsh should work.)

The Windows boxes use the Linux Samba server/share as the main file
share.  Linux then later backs up the Linux directory that is/was the
share.

Anyhow, I started playing with it more and it *may* have just been the
program accessing the data that was barfing at the ACLs (rdiff-backup).
I updated to a newer rdiff-backup and now I can't reproduce the problem
with a simple test case.  It's backing up the ACL'd files just fine.
Weird.  I'm running the entire backups again to see if the non-simple
test case barfs again, but it will take a few hours.

Outside the rdiff-backup stuff, I'm doing a simple read test:
sudo -u netbak file 22-094U.csv

and it seems to work fine.  I could swear reads as the netbak user were
denied before, but my earlier tests of that have scrolled off the
terminal buffer.

If rdiff plays nice now, I'm happy to just leave the useless Office
ACLs as-is and pretend they don't exist.  Sounds like fighting with it
is Quixotic.  If it still causes problems, perhaps the caps are the way
to go, I'm pretty sure I could make that work, if they can actually
override the ACL blockage.  icron as a last resort.

Thanks for the tips.  I'm especially happy (well, unhappy) to see the
definitive answer in the serverfault article.  My google-fu didn't
reach that nugget (sigh).
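A shell audit along the lines of the read test above, added here as an example (not code from the thread): run as the backup account, it lists every file under a share that this account cannot read and prints the ACL of each, so a Samba-written ACL that blocks the backup shows up before the nightly run. It assumes the `netbak` user from the thread and a placeholder share path.

```shell
#!/bin/sh
# Added example, not from the thread.  Usage, with the share path as a
# placeholder:   sudo -u netbak sh audit_share.sh /srv/share

# Print every regular file under $1 that the *current* user cannot read,
# one path per line.  No output means the whole tree is readable.
find_unreadable() {
    dir=$1
    find "$dir" -type f -print | while IFS= read -r f; do
        # test -r asks the kernel, so POSIX ACL entries and the ACL mask are
        # honoured.  A process holding CAP_DAC_READ_SEARCH (root) passes
        # regardless, which is the capability route discussed in the thread.
        [ -r "$f" ] || printf '%s\n' "$f"
    done
}

# Number of unreadable files, handy as a pass/fail value in a cron job.
count_unreadable() {
    find_unreadable "$1" | wc -l | tr -d ' '
}

# For each unreadable file, show its ACL when getfacl is installed (the
# extended entries are what to look at); fall back to ls otherwise.
show_acls() {
    find_unreadable "$1" | while IFS= read -r f; do
        if command -v getfacl >/dev/null 2>&1; then
            getfacl -p "$f" 2>/dev/null
        else
            ls -l "$f"
        fi
    done
}

# Report when a share path is given on the command line.
if [ -n "$1" ]; then
    n=$(count_unreadable "$1")
    echo "$n unreadable file(s) under $1"
    show_acls "$1"
fi
```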
