Knurpht-openSUSE wrote:
> I'd suggest you dive into saltstack. A bit of a learning curve, but it should serve your needs, i.e. make the job, once designed within saltstack, easier

Thanks. The idea is interesting to use a configuration management tool to maintain data filesystem permissions.
I am not sure if such a strategy helps to speed up the ACL maintenance, probably not, but it can solve the reporting and auditing problem. Does Saltstack have any features which make it better suited for ACL/permission management compared to tools like Ansible, Puppet or Chef?

Because I do not know Saltstack, but Ansible at a beginner level, I did some tests with Ansible:

* there are two file ACL management modules in Ansible: acl (POSIX ACLs) and win_acl (Windows ACLs)
* "acl" runs fine on the Samba server
* "win_acl" seems not to work on Samba servers, only on Windows (client) computers
* POSIX ACLs and Windows ACLs differ in details
* "acl" can create, remove or update ACL entries, but currently it has no option to remove all existing ACL entries
* Ansible playbooks for some folders are smaller than "getfacl" recursive dumps, because the "getfacl" dumps list every file and subdirectory

If I use this strategy, I have to solve the problem that users with write access can change ACLs manually from the Windows client. Ansible playbooks which contain all main directories will provide a mixture of ACLs from Ansible and from users. After patching the Ansible "acl" Python module, so that it can remove all existing ACLs (setfacl --remove-all), half of the problem can be solved.

https://docs.ansible.com/ansible/2.6/modules/acl_module.html
https://docs.ansible.com/ansible/2.6/modules/win_acl_module.html

Greetings,
Björn
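An added example, not part of the original post: one way to report the mixture of managed and user-made ACL entries described above, by comparing a recursive "getfacl" dump with the entries declared for the main directories. The POLICY dictionary, the paths and the sample dump are constructed for illustration; paths are written without a leading "/", as getfacl prints them by default.

```python
# Added example: ACL drift report from a `getfacl -R` dump (all sample data constructed).

SAMPLE_DUMP = """\
# file: srv/data/projects
# owner: root
# group: staff
user::rwx
user:bob:rwx
group::r-x
group:staff:r-x
mask::rwx
other::---

# file: srv/data/projects/plan.txt
# owner: alice
# group: staff
user::rw-
group::r--\t#effective:r--
other::---
"""

# Entries the playbook is assumed to declare; only main directories are listed.
POLICY = {"srv/data/projects": {"user::rwx", "group::r-x", "group:staff:rwx", "mask::rwx", "other::---"}}

def parse_getfacl(dump):
    """Return {path: set of ACL entries} from getfacl text output."""
    acls, path = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            acls[path] = set()
        elif line and not line.startswith("#") and path is not None:
            # getfacl may append a tab and "#effective:..."; keep only the entry
            acls[path].add(line.split("#", 1)[0].strip())
    return acls

def acl_drift(policy, actual):
    """Per declared directory: entries present but undeclared, and declared but absent."""
    report = {}
    for path, wanted in policy.items():
        found = actual.get(path, set())
        added, missing = found - wanted, wanted - found
        if added or missing:
            report[path] = {"added": sorted(added), "missing": sorted(missing)}
    return report

if __name__ == "__main__":
    print(acl_drift(POLICY, parse_getfacl(SAMPLE_DUMP)))
```

Files and subdirectories that the policy does not name, such as plan.txt here, are parsed but not judged, which matches a playbook that lists only the main directories.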