On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:
> On 02 March 2022 13:33 Rowland Penny wrote:
> > On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> > > On 28/02/2022 20:26, Rowland Penny via samba wrote:
> [snip]
> > OK, your OS has to know your users and they have to have permission
> > to access/read/write on a share.
> >
> > Normally when you create a share directory it will get permissions
> > like: drwxr-xr-x 2 root root
> >
> > From this, you can see that only 'root' can write to the share
> > directory.
> > If you go to windows and set permissions on the share directory, you
> > should be able to, but if you have set 'acl_xattr:ignore system acls
> > Yes', your users will still not be able to write to the share (and as
> > it has been pointed out, this will be shown by not having a '+' sign
> > at the end of the permissions), without that line, Samba will alter
> > the Unix acls and set NT ACLS and your users will get the permissions
> > you want them to have.
> >
> > Rowland
>
> I am now even more confused than before! The WiKi page for setting
> up the share using Windows ACLs specifically suggests that the
> 'acl_xattr:ignore system acls = Yes' be added to smb.conf.

It doesn't any more :-)

> And even with that line in smb.conf for the share, I do get the +
> at the end of permissions. All is working fine with my system. So
> if the + is missing when this line is in smb.conf does this suggest
> that the Windows ACLs are not being saved?

I feel that this must be an artefact of the recent CVE updates, I have
never used that line myself, but Louis has, so presumably it did work
at some point. What I can say is that if you set 'acl_xattr:ignore
system acls = yes' on share when using Samba 4.15.5, then that share
does not get extended NT ACLS (no '+' sign at end of Unix acls) when
permissions are set from Windows.

Rowland

Hi all,

On 02/03/2022 at 18:05, Rowland Penny via samba wrote:
>> I am now even more confused than before! The WiKi page for setting
>> up the share using Windows ACLs specifically suggests that the
>> 'acl_xattr:ignore system acls = Yes' be added to smb.conf.
>
> It doesn't any more :-)

\o/ \o/ \o/

Now you can understand why I was saying that I was completely lost, this
line was in contradiction with the context of the wiki page and couldn't
make it work :-)

Thanks for your time and explanations, and the update of the wiki!

Cheers,
--
Manu

On 02/03/2022 at 18:05, Rowland Penny via samba wrote:
> I feel that this must be an artefact of the recent CVE updates, I have
> never used that line myself, but Louis has, so presumably it did work
> at some point. What I can say is that if you set 'acl_xattr:ignore
> system acls = yes' on share when using Samba 4.15.5, then that share
> does not get extended NT ACLS (no '+' sign at end of Unix acls) when
> permissions are set from Windows.

And on last 4.14.x Louis package, same "problem".

--
Manu

On 02 March 2022 17:05 Rowland Penny wrote:
> On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:
> > On 02 March 2022 13:33 Rowland Penny wrote:
> > > On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> > > > On 28/02/2022 20:26, Rowland Penny via samba wrote:
>
> I feel that this must be an artefact of the recent CVE updates, I have
> never used that line myself, but Louis has, so presumably it did work
> at some point. What I can say is that if you set 'acl_xattr:ignore
> system acls = yes' on share when using Samba 4.15.5, then that share
> does not get extended NT ACLS (no '+' sign at end of Unix acls) when
> permissions are set from Windows.
>

Ok that may explain it, but I just did a test with a new share on a
member server running Samba 4.15.5 and found that I still get the +
after setting the ACLs from Windows and can still use it after adding
the 'acl_xattr:ignore system acls = yes' to the share definition. Do you
have to use a brand-new server running Samba version 4.15.5 rather than
one that has been upgraded?

Roy

On 02 March 2022 18:40 spindles seven wrote:
> On 02 March 2022 17:05 Rowland Penny wrote:
> > On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:
> > > On 02 March 2022 13:33 Rowland Penny wrote:
> > > > On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> > > > > On 28/02/2022 20:26, Rowland Penny via samba wrote:
> >
> > I feel that this must be an artefact of the recent CVE updates, I have
> > never used that line myself, but Louis has, so presumably it did work
> > at some point. What I can say is that if you set 'acl_xattr:ignore
> > system acls = yes' on share when using Samba 4.15.5, then that share
> > does not get extended NT ACLS (no '+' sign at end of Unix acls) when
> > permissions are set from Windows.
> >
> Ok that may explain it, but I just did a test with a new share on a
> member server running Samba 4.15.5 and found that I still get the +
> after setting the ACLs from Windows and can still use it after adding
> the 'acl_xattr:ignore system acls = yes' to the share definition. Do
> you have to use a brand-new server running Samba version 4.15.5 rather
> than one that has been upgraded?
>

OK, I did another test with a fresh install of Debian Bullseye and Samba
4.15.5 from Louis' repo. I've determined that if you use the domain
Administrator to set permissions from Windows, then if you were to set
the line: 'acl_xattr:ignore system acls = yes' in smb.conf the "+"
disappears from the 'ls' listing and users cannot access the share as
the OP and Rowland point out. If however, you use a member of Domain
Admins to set the permissions from Windows then the "+" is retained and
users can still access the folder/files after the above line is added to
smb.conf.

Can anyone explain this behaviour?

Roy
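
The check the thread keeps doing by hand (is 'acl_xattr:ignore system acls' enabled for a share, and does its directory show the '+' in 'ls'?) can be scripted. This is an added example, not code from any poster or from the Samba project; the share names, paths and listing are constructed sample data, and the parser is a simplified smb.conf reader (no include files or line continuations).

```python
import re

# Constructed smb.conf fragment (share names and paths are made up).
SAMPLE_CONF = """\
[global]
    vfs objects = acl_xattr
[data]
    path = /srv/samba/data
    acl_xattr:ignore system acls = Yes
[projects]
    path = /srv/samba/projects
"""
# Constructed `ls -ld` output for the two share directories.
SAMPLE_LS = """\
drwxrwx---  2 root root 4096 Mar  2 18:40 /srv/samba/data
drwxrwx---+ 2 root root 4096 Mar  2 18:40 /srv/samba/projects
"""
OPTION = "acl_xattr:ignore system acls"

def parse_shares(conf_text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def shares_ignoring_system_acls(conf_text):
    """Shares where the option is enabled, directly or inherited from [global]."""
    sections = parse_shares(conf_text)
    default = sections.get("global", {}).get(OPTION, "no")
    return {name: params.get("path") for name, params in sections.items()
            if name != "global"
            and params.get(OPTION, default).lower() in ("yes", "true", "1", "on")}

def has_acl_marker(ls_line):
    """True if the mode field of an `ls -l` line ends with '+'."""
    return bool(re.match(r"^[-dlbcps][-rwxsStT]{9}\+", ls_line))

def report(conf_text, ls_text):
    """Return [(share, path, has_plus)] for shares that set the option."""
    marks = {l.split()[-1]: has_acl_marker(l) for l in ls_text.splitlines() if l}
    return [(s, p, marks.get(p)) for s, p in
            sorted(shares_ignoring_system_acls(conf_text).items())]

print(report(SAMPLE_CONF, SAMPLE_LS))
```

On a real server, feed it the output of 'testparm -s' and 'ls -ld' for each share path; a share reported with the option set and no '+' matches the case Rowland describes.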