euh, przk, klmn, que?
I know my way around Linux, and have some basic Windows-knowledge. Can you please explain what I have to do exactly?
I have 2 W10 home-edition laptops, with local accounts. I only use samba to serve them some shared folders (family-pics). Does that suit the requirements for your question?
Loading the libwbclient library from sssd (instead of the one from Samba) fixes the ACLs management but (as the RHEL7 docs say) breaks the NTLM and NetBIOS support. Only Kerberos auth works with it.
The workaround to Rolf’s problem is reverting the bugfix#5142 effects with the following commands:
After these commands, ACLs can’t be set from Windows Pro workstations.
To show the current settings:
alternatives --display libwbclient.so.0.12-64
Now that we’re aware of this limitation we must decide what to do. I see the following alternatives:
1. drop sssd libraries for samba and configure winbind
2. turn this bug into a feature! Implement a switch in server-manager to choose what scenario NethServer must support: a) an AD domain where all clients are Kerberos clients (Win Pro), with full ACLs support, b) an AD domain with mixed clients (Home/Pro, NTLM/Kerberos) with the limitation on ACLs
Solution 1 is a big revolution in our configuration and I’d prefer not to consider it.
Solution 2 actually lets the sysadmin choose between living with the limitation on ACLs to support legacy clients, or supporting only Win Pro and fully leveraging the upstream solution based on sssd.
Thank you very much for the investigation and this workaround! Is that workaround ‘upgrade-proof’? Or should I monitor if there’s an upgrade to this file and then re-apply?
As for the choice of structural solution: I have no clue
What I can say is that, in my opinion, the windows-integration is hard to understand, and not always well-documented. If a new radio-button is introduced, please make sure the online-help is clear to all win-no’s like me.
Yes, it’s the alternatives mission. It sets symbolic links in a way consistent with RPMs. Once an alternative is set by the admin, it is not changed by the system, AFAIK.
I’d go with legacy support enabled by default. It seems the safest default, and would work in your case. If NTLM is not necessary and full ACLs control from windows clients is wanted, it can be enabled from the UI.
I want to point out that ACLs in “legacy” mode can be set from the Shared folder > ACL tab. I checked them out, they work.
Great, thanks for the effort and quick responses!
If I understand correctly, none of the actions performed by me (as described in the first post of this thread) was the trigger for it not functioning? Yet the upgrade of some packages was?
What exactly are those ACL limitations? As far as I remember, I’ve been able to specify per-user read/write flags for a directory in Samba, and for example this is quite sufficient for me, while gaining support for both Win Pro member clients and other clients.
A nethserver-samba testing package is available. It reverts the effects of the last 2.0.2 release, and restores the default wbclient library from the Samba project.
This means that by default, NTLM auth is still supported, but ACLs can’t be changed from domain workstations /cc @saitobenkei
To enable support for ACLs from domain workstations (but disable NTLM authentication):