On Mon, Mar 28, 2022 at 09:36:16AM -0700, Gregory Sloop via samba wrote:
>
>> On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:
>
>>> On 3/25/22 17:39, Jeremy Allison wrote:
>
>>>>>> system.NTACL is the extended attribute smbd uses to
>>>>>> store the Windows ACL in ndr format.
>
>>>>> I figured this much, but am unsure about the syntax for doing this
>>>>> -- could you provide an example, please?
>>>> The syntax for doing what? smbd stores these values internally.
>>>> I think samba-tool can show them.
>>> I'm wondering if you mean security.NTACL, as described here:
>
>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End
>
>>> as in:
>>> # getfattr -n security.NTACL -d /srv/samba/Demo/
>>> samba-tool does allow you to manage this:
>>> # samba-tool ntacl set acl file [options]
>>> but I can't find any examples of how this is used in either the Wiki,
>>> the man page, or the built-in help. For example, what are the
>>> [options]? Does this work on directories too? Etc..
>
>> Yes dammit :-). I keep mixing up the confusing namespaces
>> on Linux, sorry :-).
>
>> It's used as a "pristine" store of the ACL the client sent.
>> If the underlying native (usually POSIX) ACL is changed outside
>> of smbd then it is removed as it no longer represents reality.
>
>That's new information I didn't know.
>So, simply doing a chmod/chown in Linux would be enough to fully
>reset/remove all Samba (Windows set) ACLs on a file or directory, right?

Yes. We store a hash of the existing mapping from
Windows ACL -> POSIX ACL i.e. perms also. If you
change the POSIX ACL or perms outside of smbd the
hash no longer matches so we can't trust it.
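
A simplified model of the hash check described in the reply above, added here as an illustration and not taken from Samba's source. The in-memory `_store`, the function names, the hash input (uid, gid, mode bits) and the ACL blob are all assumptions made for the example; smbd keeps the real data in the security.NTACL extended attribute in its own format.

```python
import hashlib
import os
import tempfile

# Hypothetical stand-in for the security.NTACL xattr: path -> (hash, ACL blob).
_store = {}

def posix_state_hash(path):
    """Hash owner, group and mode bits (assumed input, not smbd's real one)."""
    st = os.stat(path)
    state = f"{st.st_uid}:{st.st_gid}:{st.st_mode & 0o7777:o}".encode()
    return hashlib.sha256(state).hexdigest()

def store_ntacl(path, windows_acl_blob):
    """Save the client-sent ACL with a hash of the POSIX state it maps to."""
    _store[path] = (posix_state_hash(path), windows_acl_blob)

def load_ntacl(path):
    """Return the stored ACL only while the POSIX state still matches."""
    entry = _store.get(path)
    if entry is None:
        return None
    saved_hash, blob = entry
    if saved_hash != posix_state_hash(path):
        del _store[path]  # stale: permissions were changed outside the server
        return None
    return blob

def demo():
    """Walk one file through in-band storage and out-of-band chmod calls."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        open(path, "w").close()
        os.chmod(path, 0o640)
        store_ntacl(path, b"constructed-ACL-blob")  # placeholder, not real NDR
        before = load_ntacl(path)     # hash matches, ACL is trusted
        os.chmod(path, 0o640)         # chmod to the same mode: state unchanged
        same = load_ntacl(path)
        os.chmod(path, 0o600)         # real change made behind the server
        after = load_ntacl(path)      # mismatch, stored ACL is dropped
        os.chmod(path, 0o640)         # restoring the mode does not bring it back
        restored = load_ntacl(path)
        return before, same, after, restored

if __name__ == "__main__":
    print(demo())
```

In this model the stored ACL survives a chmod that leaves the mode unchanged, is discarded on the first lookup after a real change, and stays gone even if the old mode is restored, because the entry was already removed.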