rockstor / rockstor-core

Linux/BTRFS based Network Attached Storage(NAS)
http://rockstor.com/docs/contribute_section.html
GNU General Public License v3.0

[Feature Enhancement] Improve samba shares configuration #1481

Open MFlyer opened 7 years ago

MFlyer commented 7 years ago

While working on #1467 I discovered that Samba shares currently don't inherit the ACLs configured on Rockstor Pools/Shares, so an ACL system like the one on share creation could be desirable (actually users have to manually add Samba share custom params like samba create mask, force user/group etc., or add the SGID bit to the Share, etc.).

tomtom13 commented 7 years ago

Yeah, recently got bitten by creation mask and had to add it myself :/ (sharething was unable to list stuff because of no search bit for "others").

Anyway, I think that samba bit reaaaaaaalllyyy deserves a bit more love because there are a lot of things for those shares that can be configured.

I know that #1456 was a bit quiet recently, my fault - just busy at work pushing development of truck forward (had some safety design work to do right after coming out of sickness :/ ).

MFlyer commented 7 years ago

Hi @tomtom13 & all other guys, adding some steps (split in 2 branches) to cover this issue:

Samba nicely having same acls : Add setfacl -d to shared folder (Rockstor Share) &

vfs objects = acl_xattr
inherit owner = yes
inherit acls = yes
inherit permissions = yes
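
An added example, not part of the thread or of Rockstor's code: a small Python audit that reads an smb.conf and reports the shares where the four settings listed in the comment above are not in effect, treating [global] values as per-share defaults. The sample config, share names and paths are constructed, and only yes/true/1 are counted as enabled (an assumption).

```python
import configparser
import re

# Constructed sample smb.conf; share names and paths are made up for the example.
SAMPLE_CONF = """\
[global]
inherit acls = yes

[media]
path = /mnt2/media
vfs objects = acl_xattr
inherit owner = yes
Inherit Permissions = Yes

[scratch]
path = /mnt2/scratch
create mask = 0755
inherit acls = no
"""

# Boolean parameters from the comment above, keyed by normalised name.
FLAGS = {"inheritowner": "inherit owner", "inheritacls": "inherit acls",
         "inheritpermissions": "inherit permissions"}
TRUE_VALUES = {"yes", "true", "1"}  # assumption: any other spelling counts as off

def _norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return "".join(name.split()).lower()

def audit_shares(conf_text):
    """Return {share: [settings not in effect]} for shares lacking ACL inheritance."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = _norm
    parser.read_string(conf_text)
    sections = {s.strip().lower(): dict(parser.items(s)) for s in parser.sections()}
    defaults = sections.pop("global", {})  # [global] values act as share defaults
    findings = {}
    for share, params in sections.items():
        effective = {**defaults, **params}  # a share's own value overrides [global]
        missing = [label for key, label in FLAGS.items()
                   if effective.get(key, "no").strip().lower() not in TRUE_VALUES]
        if "acl_xattr" not in re.split(r"[,\s]+", effective.get("vfsobjects", "")):
            missing.append("vfs objects = acl_xattr")
        if missing:
            findings[share] = missing
    return findings

if __name__ == "__main__":
    print(audit_shares(SAMPLE_CONF))
```
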

MFlyer commented 7 years ago

Did some tests and it seems to be working fine (maybe we need better share management - missing inherit/recursive option on share creation, coded backend not frontend)

Nice find of the day: mount over Rockstor doesn't show xattr on data disks, but we have it (googled to understand if btrfs has default xattr without answer, but now I can say it has xattr :D )

Edit: adding nice ref to samba vfs objects (not so easy to find) : https://fossies.org/linux/misc/samba-4.5.0.tar.gz/

MFlyer commented 7 years ago

Adding reference to #981

MFlyer commented 7 years ago

Adding notes:

acl allow execute always on [global] or a single share grants exec bit (.exe, .bat, etc) for windows files

MFlyer commented 7 years ago

Trying to code on new features/features enhancement finally got back to this :tada: and had some thinking about samba shares + ACLs:

Having ACLs inheritance on #981: ok, we can have it.

Having ACLs inheritance on Samba shares with WIN clients: yep, we can have it "hard coded" (think about a button with "enable extended ACLs for Windows"), but usually Sysadmins having samba+win clients have their way via vfs objects and shares management from win machine and we can't grant a "fully working Rockstor Samba + win clients" env having access only to Rockstor side

MFlyer commented 7 years ago

Memo : http://pig.made-it.com/samba-file-rights.html#25963

Marenz commented 3 years ago

This might belong to this issue:

Usability suggestion: Don't ask for at least three letters in the admin user box if there are only <5 users and maybe pre-fill the first user? Optimally no keyboard input is required at all. I mean, how many rockon users are there on a usual configuration? 1, maybe 2?

phillxnet commented 3 years ago

@Marenz Thanks for the input here and for tracking this issue down.

I mean, how many rockon users are there on a usual configuration? 1, maybe 2?

Unfortunately we have to 'cope' with quite the range of user numbers as it goes, and the "Please enter 3 or more characters" grew from the following PR: https://github.com/rockstor/rockstor-core/pull/2214 ("9000 user limit within NIS breaks Web-UI for larger user sets. Fixes #2211" #2214), to fix an issue for a client with around 30000 users. We had previously a limit of 5000, then 9000. So it's all a bit tricky really to manage both ends of the spectrum. Also note that this field is managed by a widget that itself has limitations. The linked forum thread in that issue is here: https://forum.rockstor.com/t/error-while-attempting-to-create-smb-export/7313 This in turn led to: "minor optimisation of smb share add - "Admin user" option. Fixes #2220" #2225

Hope that helps for a bit of context. Rockstor's AD LDAP NIS functions are used in some large organisations it seems, and in turn this puts some pressure on widgets such as this that offer 'easy' user selection.

Definitely room for improvement here though, as always.