[opensuse] Searching a tool for Samba ACL management
I have to manage some projects and work groups on an openSUSE Samba server. The project members are changing from project to project. Minimal permissions are required, because of the "need to know" principle, established during an external auditing process.

I often have the task to set up permissions like this for a project folder.

* a group A with write access
* an additional user B with write access
* a user C with read access
* new files and directories should get the same permissions as existing files/directories
* sub-directories sometimes have more, less or other permissions
* optional, but may be required in future: reporting of all permissions (for the auditing)

It is clear that I need ACLs on the Samba server to fulfill the requirements. On average I have to change permissions of around one project folder (with many sub-folders and files) a day. In most situations the project folders are in use. The Samba server and my desktop PC run on openSUSE. The project members run Windows 10, but know nothing about Windows/Samba ACLs.

Which tool is best suited for the task to set up (and optionally report) Samba/Windows ACLs?

I already tested some tools and methods:

1. chown, chgrp and chmod
   only possible directly on the server; not capable of ACLs other than Unix standard (owner, group and others)
2. chown, chgrp, chmod, setfacl and getfacl (my current method)
   works, but takes some time on usage; difficult; only possible directly on the server; can be scripted, if the tasks are comparable; not very fail-safe (of course because of usage errors)
3. smbcacls
   works, but is slow; difficult; needs a login for each execution; no recursion
4. Windows file properties dialog, security tab
   works, but I have to start a Windows VM extra for this task; no reporting
5. Cacls (Windows)
   works, but I have to start a Windows VM extra for this task; difficult
6. Winacl (FreeNAS)
   only for Samba servers on FreeNAS; only possible directly on the server
7. Local administration (mounted CIFS share) with "multiuser" mount option
   even with the "multiuser" mount option owners, groups, permissions and ACLs of the original files/directories on the server are hidden on the client

Greetings,
Björn

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wednesday, 5 September 2018 17:54:39 CEST, Bjoern Voigt wrote:
> I have to manage some projects and work groups on an openSUSE Samba server. The project members are changing from project to project. Minimal permissions are required, because of the "need to know" principle, established during an external auditing process.
>
> I often have the task to set up permissions like this for a project folder.
>
> * a group A with write access
> * an additional user B with write access
> * a user C with read access
> * new files and directories should get the same permissions as existing files/directories
> * sub-directories sometimes have more, less or other permissions
> * optional, but may be required in future: reporting of all permissions (for the auditing)
>
> It is clear that I need ACLs on the Samba server to fulfill the requirements. On average I have to change permissions of around one project folder (with many sub-folders and files) a day. In most situations the project folders are in use. The Samba server and my desktop PC run on openSUSE. The project members run Windows 10, but know nothing about Windows/Samba ACLs.
>
> Which tool is best suited for the task to set up (and optionally report) Samba/Windows ACLs?
>
> I already tested some tools and methods:
>
> 1. chown, chgrp and chmod
>    only possible directly on the server; not capable of ACLs other than Unix standard (owner, group and others)
> 2. chown, chgrp, chmod, setfacl and getfacl (my current method)
>    works, but takes some time on usage; difficult; only possible directly on the server; can be scripted, if the tasks are comparable; not very fail-safe (of course because of usage errors)
> 3. smbcacls
>    works, but is slow; difficult; needs a login for each execution; no recursion
> 4. Windows file properties dialog, security tab
>    works, but I have to start a Windows VM extra for this task; no reporting
> 5. Cacls (Windows)
>    works, but I have to start a Windows VM extra for this task; difficult
> 6. Winacl (FreeNAS)
>    only for Samba servers on FreeNAS; only possible directly on the server
> 7. Local administration (mounted CIFS share) with "multiuser" mount option
>    even with the "multiuser" mount option owners, groups, permissions and ACLs of the original files/directories on the server are hidden on the client
>
> Greetings,
> Björn

I'd suggest you dive into saltstack. A bit of a learning curve, but it should serve your needs, i.e. make the job, once designed within saltstack, easier.
--
Gertjan Lettink a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
Knurpht-openSUSE wrote:
> I'd suggest you dive into saltstack. A bit of a learning curve, but it should serve your needs, i.e. make the job, once designed within saltstack, easier

Thanks. The idea is interesting to use a configuration management tool to maintain data filesystem permissions.

I am not sure if such a strategy helps to speed up the ACL maintenance, probably not, but it can solve the reporting and auditing problem.

Does Saltstack have any features which make it better suited for ACL/permission management compared to tools like Ansible, Puppet or Chef?

Because I do not know Saltstack, but Ansible at a beginner level, I did some tests with Ansible:

* there are two file ACL management modules in Ansible: acl (POSIX ACLs) and win_acl (Windows ACLs)
* "acl" runs fine on the Samba server
* "win_acl" seems not to work on Samba servers, only on Windows (client) computers
* POSIX ACLs and Windows ACLs differ in details
* "acl" can create, remove or update ACL entries, but currently it has no option to remove all existing ACL entries
* Ansible playbooks for some folders are smaller than "getfacl" recursive dumps, because the "getfacl" dumps list every file and subdirectory

If I use this strategy, I have to solve the problem that users with write access can change ACLs manually from the Windows client. Ansible playbooks which contain all main directories will provide a mixture of ACLs from Ansible and from users. After patching the Ansible "acl" Python module, so that it can remove all existing ACLs (setfacl --remove-all), half of the problem can be solved.

https://docs.ansible.com/ansible/2.6/modules/acl_module.html
https://docs.ansible.com/ansible/2.6/modules/win_acl_module.html

Greetings,
Björn
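
For the reporting and drift problem discussed in this thread (ACLs changed by hand from Windows clients), a recursive `getfacl -R` dump can be checked against a declared policy so that only deviations are reported. This is an added example, not code from either poster; the names grp_a, user_b, user_c and guest1, the path, and the assumption of one policy for the whole tree are illustrative, and the sample dump is constructed.

```python
# Added example; grp_a, user_b, user_c are assumed names for group A, user B, user C.
POLICY = {"group:grp_a": "rw", "user:user_b": "rw", "user:user_c": "r-"}

def parse_getfacl(dump):
    """Return {path: {(scope, "tag:name"): perms}} from getfacl -R output."""
    acls, path = {}, None
    for line in dump.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            acls[path] = {}
        elif path is not None and line.strip() and not line.startswith("#"):
            entry = line.split("#")[0].strip()  # drop a trailing "#effective:" note
            scope = "access"
            if entry.startswith("default:"):  # default ACLs exist only on directories
                scope, entry = "default", entry[len("default:"):]
            tag, name, perms = entry.split(":")
            if name:  # keep named users/groups; skip owner, group, mask, other
                acls[path][(scope, f"{tag}:{name}")] = perms
    return acls

def audit(acls, policy=POLICY):
    """Return sorted (path, finding) pairs; only the read/write bits are compared."""
    findings = []
    for path, entries in acls.items():
        for scope in {s for s, _ in entries} | {"access"}:
            named = {who: p[:2] for (s, who), p in entries.items() if s == scope}
            for who in policy.keys() - named.keys():
                findings.append((path, f"{scope}: missing {who}"))
            for who, rw in named.items():
                if rw != (want := policy.get(who, "none")):
                    findings.append((path, f"{scope}: {who} is {rw}, policy {want}"))
    return sorted(findings)

# Constructed sample dump (not from the thread): one file whose ACL has drifted.
SAMPLE = """\
# file: srv/projects/alpha/plan.ods
# owner: user_b
# group: grp_a
user::rw-
user:user_c:rw-
user:guest1:r--
group::---
group:grp_a:rw-
mask::rw-
other::---
"""

if __name__ == "__main__":
    print("\n".join(f"{p}: {f}" for p, f in audit(parse_getfacl(SAMPLE))))
```

The comparison looks at the entries as written and does not apply the mask, so a finding-free report still needs a check that `mask::` was not narrowed by a later chmod.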