# Cifs and ACLs

## hydrian

For some reason when I mount my samba shares with cifs I am not getting the ACL information. I can only see standard Owner/Group/Everybody information.

Both the client and server samba packages are compiled with the 'ACL' USE flag.

Output of mount

```
//brigid.tygerclan.net/windows on /home/hydrian/mnt/Windows type cifs (rw,mand,nosuid,nodev,user=hydrian)
```

Kernel info 

```
<M> CIFS support
    [ ]   CIFS statistics
    [ ]   Support legacy servers which use weaker LANMAN security
    [*]   CIFS extended attributes
    [*]     CIFS POSIX Extensions
    [ ]   Enable additional CIFS debugging routines
    [ ]   CIFS Experimental Features (EXPERIMENTAL)
```

Example of symptom:

```
hydrian@balor ~/mnt/Multimedia $ pwd
/home/hydrian/mnt/Multimedia
hydrian@balor ~/mnt/Multimedia $ ls -l
total 0
drwxr-x--- 4 root    Multimedia 0 Dec  5 01:53 Audio
drwxrwx--- 4 root    Multimedia 0 Mar 22  2006 Documents
drwxrwxr-x 4 hydrian Multimedia 0 Dec  5 02:04 Graphics
drwxr-x--- 5 root    Multimedia 0 Dec  5 02:04 Images
drwxrwxr-x 2 hydrian Multimedia 0 Aug 25 21:22 Projects
drwxr-x--- 7 root    Multimedia 0 Dec  5 02:01 Video
hydrian@balor ~/mnt/Multimedia $
```

smb.conf on Brigid:

```

[global]

        dos charset = CP850

        unix charset = UTF-8

        display charset = LOCALE

        workgroup = TYGERCLAN

        netbios name = BRIGID

        netbios aliases =

        netbios scope =

        server string = Samba Server %v

        interfaces =

        bind interfaces only = No

        security = USER

        auth methods =

        encrypt passwords = Yes

        update encrypted = No

        client schannel = Auto

        server schannel = Auto

        allow trusted domains = Yes

        hosts equiv =

        map to guest = Bad User

        null passwords = No

        obey pam restrictions = No

        password server = *

        smb passwd file = /var/lib/samba/private/smbpasswd

        private dir = /var/lib/samba/private

        passdb backend = ldapsam:ldap://localhost, ldapsam:ldap://maeve.tygerclan.net, smbpasswd, guest

        algorithmic rid base = 1000

        root directory =

        guest account = nobody

        enable privileges = No

        pam password change = No

        passwd program =

        passwd chat = *new*password* %n\n *new*password* %n\n *changed*

        passwd chat debug = No

        passwd chat timeout = 2

        check password script =

        username map =

        password level = 0

        username level = 0

        unix password sync = No

        restrict anonymous = 0

        lanman auth = Yes

        ntlm auth = Yes

        client NTLMv2 auth = No

        client lanman auth = Yes

        client plaintext auth = Yes

        preload modules =

        use kerberos keytab = No

        log level = 0

        syslog = 1

        syslog only = No

        log file = /var/log/samba/log.%m

        max log size = 50

        debug timestamp = Yes

        debug hires timestamp = No

        debug pid = No

        debug uid = No

        smb ports = 445 139

        large readwrite = Yes

        max protocol = NT1

        min protocol = CORE

        read bmpx = No

        read raw = Yes

        write raw = Yes

        disable netbios = No

        reset on zero vc = No

        acl compatibility =

        defer sharing violations = Yes

        nt pipe support = Yes

        nt status support = Yes

        announce version = 4.9

        announce as = NT

        max mux = 50

        max xmit = 16644

        name resolve order = lmhosts wins host bcast

        max ttl = 259200

        max wins ttl = 518400

        min wins ttl = 21600

        time server = No

        unix extensions = Yes

        use spnego = Yes

        client signing = auto

        server signing = No

        client use spnego = Yes

        enable asu support = Yes

        svcctl list =

        change notify timeout = 60

        deadtime = 0

        getwd cache = Yes

        keepalive = 300

        kernel change notify = Yes

        lpq cache time = 30

        max smbd processes = 0

        paranoid server security = Yes

        max disk size = 0

        max open files = 10000

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        use mmap = Yes

        hostname lookups = No

        name cache timeout = 660

        load printers = Yes

        printcap cache time = 750

        printcap name = cups

        cups server =

        iprint server =

        disable spoolss = No

        enumports command =

        addprinter command =

        deleteprinter command =

        show add printer wizard = Yes

        os2 driver map =

        mangling method = hash2

        mangle prefix = 1

        max stat cache size = 0

        stat cache = Yes

        machine password timeout = 604800

        add user script = /usr/sbin/smbldap-useradd '%u'

        rename user script =

        delete user script = /usr/sbin/smbldap-userdel '%u'

        add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'

        delete group script = /usr/sbin/smbldap-userdel '%g'

        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'

        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'

        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

        add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -g 'Domain Computers' -c 'Machine Account' -s /bin/false '%u'

        shutdown script =

        abort shutdown script =

        username map script =

        logon script =

        logon path = \\brigid.tygerclan.net\Profiles\%U

        logon drive =

        logon home = \\brigid.tygerclan.net\%U\.profile

        domain logons = Yes

        os level = 20

        lm announce = Auto

        lm interval = 60

        preferred master = Yes

        local master = Yes

        domain master = Yes

        browse list = Yes

        enhanced browsing = Yes

        dns proxy = No

        wins proxy = No

        wins server =

        wins support = Yes

        wins hook =

        wins partners =

        kernel oplocks = Yes

        lock spin count = 3

        lock spin time = 10

        oplock break wait time = 0

        ldap admin dn = cn=Manager,dc=tygerclan,dc=net

        ldap delete dn = No

        ldap group suffix = ou=Groups

        ldap idmap suffix = ou=Idmap

        ldap machine suffix = ou=Computers

        ldap passwd sync = no

        ldap replication sleep = 1000

        ldap suffix = dc=tygerclan,dc=net

        ldap ssl = no

        ldap timeout = 15

        ldap page size = 1024

        ldap user suffix = ou=People

        add share command =

        change share command =

        delete share command =

        eventlog list =

        config file =

        preload =

        lock directory = /var/cache/samba

        pid directory = /var/run/samba

        utmp directory =

        wtmp directory =

        utmp = No

        default service =

        message command =

        get quota command =

        set quota command =

        remote announce =

        remote browse sync =

        socket address = 0.0.0.0

        homedir map =

        afs username map =

        afs token lifetime = 604800

        log nt token command =

        time offset = 0

        NIS homedir = No

        panic action =

        host msdfs = No

        enable rid algorithm = Yes

        passdb expand explicit = Yes

        idmap backend =

        idmap uid =

        idmap gid =

        template homedir = /home/%D/%U

        template shell = /bin/false

        winbind separator = \

        winbind cache time = 300

        winbind enum users = Yes

        winbind enum groups = Yes

        winbind use default domain = No

        winbind trusted domains only = No

        winbind nested groups = No

        winbind max idle children = 3

        winbind nss info = template

        comment =

        path =

        username =

        invalid users =

        valid users =

        admin users =

        read list =

        write list =

        printer admin =

        force user =

        force group =

        read only = Yes

        acl check permissions = Yes

        acl group control = No

        acl map full control = Yes

        create mask = 0744

        force create mode = 00

        security mask = 0777

        force security mode = 00

        directory mask = 0755

        force directory mode = 00

        directory security mask = 0777

        force directory security mode = 00

        force unknown acl user = No

        inherit permissions = No

        inherit acls = No

        inherit owner = No

        guest only = No

        guest ok = No

        only user = No

        hosts allow =

        hosts deny =

        allocation roundup size = 1048576

        aio read size = 0

        aio write size = 0

        aio write behind =

        ea support = No

        nt acl support = Yes

        profile acls = No

        map acl inherit = No

        afs share = No

        block size = 1024

        max connections = 0

        min print space = 0

        strict allocate = No

        strict sync = No

        sync always = No

        use sendfile = No

        write cache size = 0

        max reported print jobs = 0

        max print jobs = 1000

        printable = No

        printing = cups

        cups options =

        print command =

        lpq command = %p

        lprm command =

        lppause command =

        lpresume command =

        queuepause command =

        queueresume command =

        printer name =

        use client driver = No

        default devmode = No

        force printername = No

        default case = lower

        case sensitive = Auto

        preserve case = Yes

        short preserve case = Yes

        mangling char = ~

        hide dot files = Yes

        hide special files = No

        hide unreadable = No

        hide unwriteable files = No

        delete veto files = No

        veto files =

        hide files =

        veto oplock files =

        map archive = Yes

        map hidden = No

        map system = No

        map readonly = yes

        mangled names = Yes

        mangled map =

        store dos attributes = No

        browseable = Yes

        blocking locks = Yes

        csc policy = manual

        fake oplocks = No

        locking = Yes

        oplocks = Yes

        level2 oplocks = Yes

        oplock contention limit = 2

        posix locking = Yes

        strict locking = Yes

        share modes = Yes

        dfree cache time = 0

        dfree command =

        copy =

        include =

        preexec =

        preexec close = No

        postexec =

        root preexec =

        root preexec close = No

        root postexec =

        available = Yes

        volume =

        fstype = NTFS

        set directory = No

        wide links = Yes

        follow symlinks = Yes

        dont descend =

        magic script =

        magic output =

        delete readonly = No

        dos filemode = No

        dos filetimes = Yes

        dos filetime resolution = No

        fake directory create times = No

        vfs objects =

        msdfs root = No

        msdfs proxy =

[homes]

        comment = Home Directories

        read only = No

        browseable = No

[netlogon]

        comment = Network Logon Service

        path = /var/lib/samba/netlogon

        guest ok = Yes

[Profiles]

        path = /var/lib/samba/profiles

        guest ok = Yes

        browseable = No

[printers]

        comment = All Printers

        path = /var/spool/samba

        create mask = 0700

        guest ok = Yes

        printable = Yes

        browseable = No

[print$]

        path = /var/lib/samba/printers

        write list = @adm, root

        guest ok = Yes

[portage]

        comment = Gentoo Portage files

        path = /data/Gentoo

        valid users = portage

        write list = portage

        force user = root

        force group = portage

        read only = No

        create mask = 0750

        force create mode = 0640

        directory mask = 0750

        force directory mode = 0750

        hosts allow = 192.168.1.

[Multimedia]

        path = /data/Multimedia

        valid users = @Multimedia

        write list = @Multimedia

        force group = Multimedia

        create mask = 0644

        force create mode = 0644

        force directory mode = 0775

[Adult]

        path = /data/Adult

        valid users = @Adult

        write list = @Adult

        read only = No

        browseable = No

[Windows]

        comment = Windows Applications

        path = /data/Windows

        write list = @Windows

        force group = Windows

        create mask = 0640

        force create mode = 0640

        directory mask = 0770

        force directory mode = 0770

[Linux]

        comment = Linux Files

        path = /data/Linux

        write list = @Linux

        force group = Linux

        create mask = 0640

        force create mode = 0640

        directory mask = 0770

        force directory mode = 0770

[Roms]

        comment = Roms Image Files

        path = /data/Roms

        write list = @Roms

        force group = Roms

        create mask = 0640

        force create mode = 0640

        directory mask = 0770

        force directory mode = 0770

[ISOs]

        comment = Mounted ISOs

        path = /mnt/ISOs

        read list = @ISOs

[btimport]

        comment = Place .torrent files here to be downloaded

        path = /home/p2p/btimport

        valid users = @p2pusers

        write list = @p2pusers

        read only = No

[BTDownloads]

        comment = Completed BitTorrents

        path = /home/p2p/complete

        valid users = @p2pusers

        write list = @p2pusers

[MythTV]

        comment = MythTV share

        path = /data/mythtv

        valid users = mythtv

```

----------

## casso

Can you run getfacl against any of these directories and show the output, both on the server of the same directory, and on a client?

Also, you have ea support = off. Is there a particular reason for that?

----------
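The server-versus-client `getfacl` comparison requested above can be scripted so the difference is explicit. This is an added example, not part of either post: the two `getfacl` outputs are constructed samples, and the function names `acl_extended_entries` and `acl_missing_on_client` are hypothetical.

```shell
#!/bin/sh
# Added example: compare getfacl output captured on the Samba server and on
# the CIFS client for the same directory. Both samples are constructed.

# Constructed sample: getfacl run on the server's local filesystem.
SERVER_ACL='# file: data/Multimedia/Audio
# owner: root
# group: Multimedia
user::rwx
user:hydrian:rwx
group::r-x
mask::rwx
other::---'

# Constructed sample: getfacl run on the client through the cifs mount.
CLIENT_ACL='# file: Audio
# owner: root
# group: Multimedia
user::rwx
group::r-x
other::---'

# Print only the entries that make an ACL "extended": named users/groups,
# the mask, and default: entries. Header comments, "#effective:" suffixes and
# the three base entries (user::, group::, other::) are dropped.
acl_extended_entries() {
    printf '%s\n' "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e '/^$/d' \
            -e '/^user::/d' -e '/^group::/d' -e '/^other::/d' |
        sort
}

# Print extended entries present on the server but absent on the client.
acl_missing_on_client() {
    srv=$(acl_extended_entries "$1")
    cli=$(acl_extended_entries "$2")
    printf '%s\n' "$srv" | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        printf '%s\n' "$cli" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
    done
}

acl_missing_on_client "$SERVER_ACL" "$CLIENT_ACL"
```

With real data, replace the two sample variables with the output of `getfacl` captured on each side; an empty result means the client sees every extended entry the server has.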

