Bug 44997 - Confusing Samba permissions & options in UMC shares module
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Shares
UCS 5.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-4
Assigned To: Florian Best
Dirk Wiesenthal
Duplicates: 19868 21349 50701
Depends on:
Blocks:
Reported: 2017-07-13 16:23 CEST by Arvid Requate
Modified: 2023-06-21 09:24 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019050321000143
Bug group (optional):
Max CVSS v3 score:

Description Arvid Requate univentionstaff 2017-07-13 16:23:51 CEST
The various Samba share permissions & options are pretty complex by nature. Additionally the UMC presents them in a confusing way. E.g.

* The checkbox "Users with write access may modify permissions" is on the Samba tab instead of on the "Samba permissions" section of the "advanced" tab ([Erweiterte Einstellungen]).

* The checkbox "NT ACL Support" could be removed, because it's generally not a recommended option to disable this. If desired, it can be done in the "Samba custom settings".

* The checkbox matrix in the "Samba extended permissions" section is a minefield and some options are not "best practice" IMHO. To start with, I would recommend to remove the four "force" settings: "force create mode", "force directory mode", "force security mode" and "force directory security mode". Those Samba share level permissions are not transparent to Active Directory admins and just add a third level of complexity, additional to (1) the Posix permissions in the Linux backend and (2) the NTACLs accessible on the Windows frontend.

* The per share options to configure oplocks (& locks) don't seem useful to me. If a particular customer has oplock issues, you would probably disable them fully as a temporary workaround and not on a per share basis. Also this is not a common option to configure, which needs to be accessible conveniently via UMC.


As a rule of thumb:

* We should only advertise options, that we consider useful in common cases

* We should offer options that can be combined to achieve "best practice" configuration (see Bug #44996), i.e. state of the art vs legacy configuration techniques
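
The share-level overrides named in the description can be checked directly in a Samba configuration. The following is an added example, not part of the bug report or of the UCS code base: it flags the "force" modes, a disabled `nt acl support` and per-share locking overrides, and computes the POSIX mode a share would apply to a new file. The sample configuration is constructed, the function names are hypothetical, and the mask defaults are the ones documented in smb.conf(5).

```python
import re
# Parameters the bug report names; values are read from smb.conf-style text.
FORCE_MODES = ("force create mode", "force directory mode",
               "force security mode", "force directory security mode")
LOCKING = ("oplocks", "level2 oplocks", "locking")

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(sections):
    """List (share, parameter, value) for the settings the report calls opaque."""
    findings = []
    for share, params in sections.items():
        for name in FORCE_MODES:
            if int(params.get(name, "0"), 8) != 0:
                findings.append((share, name, params[name]))
        if params.get("nt acl support", "yes").lower() in ("no", "false", "0"):
            findings.append((share, "nt acl support", params["nt acl support"]))
        if share != "global":  # per-share locking overrides only
            findings += [(share, n, params[n]) for n in LOCKING if n in params]
    return findings

def effective_mode(requested, params, directory=False):
    """(requested AND mask) OR force mode, with the smb.conf(5) default masks."""
    kind, default = ("directory", "0755") if directory else ("create", "0744")
    mask = int(params.get(f"{kind} mask", default), 8)
    force = int(params.get(f"force {kind} mode", "0"), 8)
    return (requested & mask) | force

# Constructed sample configuration, not taken from any real system.
SAMPLE = """[projects]
    create mask = 0640
    Force Create Mode = 0666
    nt acl support = no
[scans]
    oplocks = no
"""
print(audit(parse_smb_conf(SAMPLE)))
```

In the sample, the `projects` share ends up creating files with mode 0666 even though its create mask is 0640, which is the kind of result that is invisible from both the POSIX side and the NT ACL side.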
Comment 1 Christian Völker univentionstaff 2019-05-29 13:20:19 CEST
* The checkbox matrix in the "Samba extended permissions" section is a minefield and some options are not "best practice" IMHO. To start with, I would recommend to remove the four "force" settings: "force create mode", "force directory mode", "force security mode" and "force directory security mode". Those Samba share level permissions are not transparent to Active Directory admins and just add a third level of complexity, additional to (1) the Posix permissions in the Linux backend and (2) the NTACLs accessible on the Windows frontend.

Offering options in the "Erweiterte Samba Rechte" which do not exist should definitely be removed in UMC as well!

Customers really get confused by the possibility to configure things here.

Support regularly gets questions about this from customers.
Comment 2 Dirk Ahrnke univentionstaff 2022-03-09 15:09:44 CET
still valid for UCS 5 and I think that not just an average number of installed domains is affected
Comment 3 Florian Best univentionstaff 2022-04-26 18:19:19 CEST
All points addressed in the MR https://git.knut.univention.de/univention/ucs/-/merge_requests/360.
Comment 5 Florian Best univentionstaff 2023-06-09 11:29:06 CEST
Each mentioned point has been addressed in a separate commit:

univention-directory-manager-modules (15.0.20-9)
62bb92141386 | Bug #44997: move "VFS objects" into "Samba options"
69e313c35940 | Bug #44997: move checkbox "Allow Samba Write access" into "Samba permissions"
51a3676981dc | Bug #44997: Turn VFS objects into a combobox
6af463e003b6 | Bug #44997: add long descriptions to various share options
53c637a7bb62 | Bug #44997: remove locking options
3c95ea175efb | Bug #44997: remove checkbox "NT ACL Support"
3f0df4f14a58 | Bug #44997: move checkbox "Users with write access may modify permissions" into "Samba permissions"
b3dcc9c25009 | Bug #44997: make checkboxes fit the whole size instead of breaking into multiple lines
3fbfb0159bdc | Bug #44997: transform advanced settings tabs into Groups on the corresponding Samba/NFS tab
Comment 6 Florian Best univentionstaff 2023-06-09 11:45:24 CEST
*** Bug 19868 has been marked as a duplicate of this bug. ***
Comment 7 Florian Best univentionstaff 2023-06-09 11:45:48 CEST
*** Bug 50701 has been marked as a duplicate of this bug. ***
Comment 8 Florian Best univentionstaff 2023-06-09 11:54:17 CEST
*** Bug 21349 has been marked as a duplicate of this bug. ***
Comment 9 Dirk Wiesenthal univentionstaff 2023-06-19 12:17:23 CEST
OK: Tests
OK: Code review
OK: Descriptions and layout are way better
OK: Manual tests
OK: Changelog
Comment 10 Philipp Hahn univentionstaff 2023-06-21 09:24:42 CEST
UCS 5.0-4 has been released:
 https://docs.software-univention.de/release-notes/5.0-4/en/

If this error occurs again, please use the 'Clone This Bug' option.