I've had a little time to tinker and one thing I've found.

Unless I have [acl_xattr:ignore system acls = yes] set, I can't edit
permissions at all.
(I set it globally, though a share level setting would probably work on a
per-share basis.)

This seems to be a quasi-side-effect of that setting - in short, that setting
overwrites/resets the POSIX permissions. (Provided I understand discussions
I've seen about it.)

In this case the share will only be used by Windows users via CIFS/Samba - so
this may well "work" just fine and, as a happy side-effect, make the
problem vanish.
But I'd guess it's not really the "correct" fix.

To that end, what would be the best way to reset the permissions on the
directories/files properly, removing all the Samba ACLs etc.? Once they are
set as a baseline in POSIX then we can tinker with Samba ACLs with the
Windows permissions again. (And remove acl_xattr:ignore system acls = yes.)

Rowland?

(I'm not making any claims about "Administrators" vs "Domain
Admins" and permissions in this post. I'm simply trying to deduce
what's going on, and talk about a single thing that makes it work
differently, perhaps more or less inadvertently.)

> On 12 March 2022 09:22 Rowland Penny wrote:
>> On Fri, 2022-03-11 at 22:48 +0000, spindles seven via samba wrote:
>>> On 11 March 2022 22:26 Rowland Penny wrote:
>>>> I take it you found that out from here:
>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
>>> Yes indeed.
>>>> That is what I was getting at, it used to work. A member of Domain
>>>> Admins logged into Windows could change the permissions on a share,
>>>> provided everything was set up correctly on the Unix domain member.
>>>> I can now only do this with Administrator.
>>>> Rowland
>>> works for me (on version 4.15.5), so what's different?
>> I am using 4.15.5 and it doesn't work for me, it used to, but it
>> doesn't any longer.
>> Rowland
> OK, so using a test installation of Debian Bullseye in a VM and Samba
> 4.15.5, I left the domain and cleaned up the samba database files as per the
> WiKi. I deleted the existing folders ie /srv/samba and all sub folders.
> Using that same page in the WiKi
> (https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member) I joined
> the domain. This is the smb.conf at that stage:
> [global]
>         security = ADS
>         workgroup = MICROLYNX
>         realm = MICROLYNX.ORG
>         log file = /var/log/samba/%m.log
>         log level = 1
>         winbind use default domain = yes
>         # Default idmap config used for BUILTIN and local accounts/groups
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>         # idmap config for domain MICROLYNX
>         idmap config MICROLYNX:backend = rid
>         idmap config MICROLYNX:range = 10000-99999
>         # next two lines for testing only - comment-out once working ok
>         winbind enum users = yes
>         winbind enum groups = yes
>         template shell = /bin/bash
>         template homedir = /srv/samba/users/%U
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         username map = /etc/samba/user.map
>         # allow administrator to access having been mapped to root (uid 0)
>         min domain uid = 0
> =========> I then added shares [users] and [test] as follows:
> [users]
>         # user homedirs
>         path = /srv/samba/users
>         read only = no
>         acl_xattr:ignore system acls = yes
> [test]
>         path = /srv/samba/test
>         read only = no
> I set the Unix permissions as follows:
> chown root:"Domain Admins" /srv/samba/users
> chown root:"Domain Admins" /srv/samba/test
> chmod 0770 /srv/samba/users
> chmod 0770 /srv/samba/test
> I granted Domain Admins the SeDiskOperatorPrivilege on the test server then
> attempted to set the permissions from Windows using the WiKi
> page: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> I logged onto Windows 10 using a user who is a member of Domain Admins and
> was able to set permissions correctly using Computer Management on the [test]
> share, but not on the [users] share; to allow the permissions to be applied
> from Windows initially, I had to temporarily comment out the
> "acl_xattr:ignore system acls = yes" line and reload the smb config.
> Once set, I removed the comment (#) from that line.
> On the Users share I set:
> Domain Admins         Full Control    This folder only
> CREATOR OWNER         Full Control    Subfolders and files only
> SYSTEM                Full Control    This folder, subfolders and files
> Authenticated Users   Special*        This folder only
> * Traverse folder/execute file, List folder/read data, Read attributes,
> Read extended attributes, Create folders/append data, Read permissions
> The folder looks like this as seen from Linux:
> root at m2test:~# ls -l /srv/samba
> total 16
> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 test
> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 users
> root at m2test:~# getfacl /srv/samba/users
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/users
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> group::rwx
> group:NT\040Authority\\authenticated\040users:rwx
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:---
> default:mask::rwx
> default:other::---
> So following the WiKi as close as possible, I am able to set permissions
using a Domain Admins account, not sure why your system is preventing you?
> Thanks for your invaluable help as always.
> Roy
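One way to do the POSIX baseline reset asked about above, as an added illustration that is not code from the thread or from the Samba project: walk the share tree, drop the extended POSIX ACL entries, drop the Windows ACL that the acl_xattr module stores in the security.NTACL extended attribute, and re-apply the root:"Domain Admins" / 0770 ownership used in the thread. The 0660 file mode, the ACL_RESET_DRY_RUN switch and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: reset a share tree to a plain POSIX
# baseline by removing extended POSIX ACL entries and the Windows ACL that the
# acl_xattr VFS module keeps in the security.NTACL extended attribute.
# Assumes Linux with setfacl/setfattr installed and that it is run as root.
SHARE_GROUP="Domain Admins"   # group owner used in the thread
DIR_MODE=0770                 # directory mode used in the thread
FILE_MODE=0660                # constructed choice for files, not from the thread

# run CMD...: execute CMD, or only print it when ACL_RESET_DRY_RUN=1
run() {
    if [ "${ACL_RESET_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# reset_one PATH: strip ACLs from one file or directory and apply the baseline
reset_one() {
    p=$1
    run setfacl -b "$p"                   # remove all extended POSIX ACL entries
    if [ -d "$p" ]; then
        run setfacl -k "$p"               # remove the default (inherited) ACL
    fi
    # remove Samba's stored NT ACL; paths that never had one just fail quietly
    run setfattr -x security.NTACL "$p" 2>/dev/null || true
    run chown "root:$SHARE_GROUP" "$p"
    if [ -d "$p" ]; then
        run chmod "$DIR_MODE" "$p"
    else
        run chmod "$FILE_MODE" "$p"
    fi
}

# reset_acl_baseline ROOT: apply reset_one to ROOT and everything below it
reset_acl_baseline() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -depth -print | while IFS= read -r p; do
        reset_one "$p"
    done
}
```

Run it first with ACL_RESET_DRY_RUN=1 to review the planned commands; afterwards `ls -l` should show no `+` suffix and `getfacl` only the base entries, and Samba will rebuild security.NTACL from the POSIX mode the next time the folder is touched from Windows.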