Rowland Penny
2022-Aug-18 12:20 UTC
[Samba] unix_primary_group not used when writing files
On Thu, 2022-08-18 at 13:15 +0100, Matthew Richardson via samba wrote:
> > It looks like inheritance may be causing this.
> >
> > Can you run these commands:
> >
> > ls -lad /home
>
> drwxrwxr-x 5 root root 3 Aug 16 17:11 /home
>
> > getfacl /home
>
> getfacl: Removing leading '/' from absolute path names
> # file: home
> # owner: root
> # group: root
> user::rwx
> group::rwx
> other::r-x
>
> > sudo samba-tool ntacl get /home --as-sddl
>
> security_descriptor: struct security_descriptor
>   revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
>   type : 0x8004 (32772)
>     0: SEC_DESC_OWNER_DEFAULTED
>     0: SEC_DESC_GROUP_DEFAULTED
>     1: SEC_DESC_DACL_PRESENT
>     0: SEC_DESC_DACL_DEFAULTED
>     0: SEC_DESC_SACL_PRESENT
>     0: SEC_DESC_SACL_DEFAULTED
>     0: SEC_DESC_DACL_TRUSTED
>     0: SEC_DESC_SERVER_SECURITY
>     0: SEC_DESC_DACL_AUTO_INHERIT_REQ
>     0: SEC_DESC_SACL_AUTO_INHERIT_REQ
>     0: SEC_DESC_DACL_AUTO_INHERITED
>     0: SEC_DESC_SACL_AUTO_INHERITED
>     0: SEC_DESC_DACL_PROTECTED
>     0: SEC_DESC_SACL_PROTECTED
>     0: SEC_DESC_RM_CONTROL_VALID
>     1: SEC_DESC_SELF_RELATIVE
>   owner_sid : *
>     owner_sid : S-1-22-1-0
>   group_sid : *
>     group_sid : S-1-22-2-0
>   sacl : NULL
>   dacl : *
>     dacl: struct security_acl
>       revision : SECURITY_ACL_REVISION_NT4 (2)
>       size : 0x0088 (136)
>       num_aces : 0x00000006 (6)
>       aces: ARRAY(6)
>         aces: struct security_ace
>           type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>           flags : 0x00 (0)
>             0: SEC_ACE_FLAG_OBJECT_INHERIT
>             0: SEC_ACE_FLAG_CONTAINER_INHERIT
>             0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>             0: SEC_ACE_FLAG_INHERIT_ONLY
>             0: SEC_ACE_FLAG_INHERITED_ACE
>             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>             0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>             0: SEC_ACE_FLAG_FAILED_ACCESS
>           size : 0x0018 (24)
>           access_mask : 0x001f01ff (2032127)
>           object : union security_ace_object_ctr(case 0)
>           trustee : S-1-22-1-0
>         aces: struct security_ace
>           type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>           flags : 0x00 (0)
>             0: SEC_ACE_FLAG_OBJECT_INHERIT
>             0: SEC_ACE_FLAG_CONTAINER_INHERIT
>             0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>             0: SEC_ACE_FLAG_INHERIT_ONLY
>             0: SEC_ACE_FLAG_INHERITED_ACE
>             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>             0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>             0: SEC_ACE_FLAG_FAILED_ACCESS
>           size : 0x0018 (24)
>           access_mask : 0x001200a9 (1179817)
>           object : union security_ace_object_ctr(case 0)
>           trustee : S-1-22-2-0
>         aces: struct security_ace
>           type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>           flags : 0x00 (0)
>             0: SEC_ACE_FLAG_OBJECT_INHERIT
>             0: SEC_ACE_FLAG_CONTAINER_INHERIT
>             0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>             0: SEC_ACE_FLAG_INHERIT_ONLY
>             0: SEC_ACE_FLAG_INHERITED_ACE
>             0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
>             0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>             0: SEC_ACE_FLAG_FAILED_ACCESS
>           size : 0x0014 (20)
>           access_mask : 0x001200a9 (1179817)
>           object : union security_ace_object_ctr(case 0)
>           trustee : S-1-1-0
>         aces: struct security_ace
>           type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>           flags : 0x0b (11)
>             1: SEC_ACE_FLAG_OBJECT_INHERIT
>             1: SEC_ACE_FLAG_CONTAINER_INHERIT
>             0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>             1: SEC_ACE_FLAG_INHERIT_ONLY
>             0: SEC_ACE_FLAG_INHERITED_ACE
>             0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>             0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>             0: SEC_ACE_FLAG_FAILED_ACCESS
>           size : 0x0014 (20)
>           access_mask : 0x001f01ff (2032127)
>           object : union security_ace_object_ctr(case 0)
>           trustee : S-1-3-0
>         aces: struct security_ace
>           type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>           flags : 0x0b (11)
>             1: SEC_ACE_FLAG_OBJECT_INHERIT
>             1: SEC_ACE_FLAG_CONTAINER_INHERIT
>             0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>             1: SEC_ACE_FLAG_INHERIT_ONLY
>             0: SEC_ACE_FLAG_INHERITED_ACE
>             0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>             0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>             0: SEC_ACE_FLAG_FAILED_ACCESS
>           size : 0x0014 (20)
>           access_mask : 0x001200a9 (1179817)
>           object : union security_ace_object_ctr(case 0)
>           trustee : S-1-3-1
>         aces: struct security_ace
>           type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
>           flags : 0x0b (11)
>             1: SEC_ACE_FLAG_OBJECT_INHERIT
>             1: SEC_ACE_FLAG_CONTAINER_INHERIT
>             0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
>             1: SEC_ACE_FLAG_INHERIT_ONLY
>             0: SEC_ACE_FLAG_INHERITED_ACE
>             0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
>             0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
>             0: SEC_ACE_FLAG_FAILED_ACCESS
>           size : 0x0014 (20)
>           access_mask : 0x001200a9 (1179817)
>           object : union security_ace_object_ctr(case 0)
>           trustee : S-1-1-0
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336. Is e buidheann
> carthannais a th' ann an Oilthigh Dhùn Èideann, clàraichte an Alba,
> àireamh clàraidh SC005336.

Can we see your entire smb.conf, sanitised if you must.

Rowland
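The ACE flags in the dump quoted above determine which entries apply to /home itself and which are only handed down to new files and subdirectories. As an added example (not part of the original thread and not Samba's own code), this Python parser reads such a dump and reports that per ACE; the helper names `parse_aces` and `name_sid` are hypothetical, and the sample input is constructed from the flags, masks and trustees shown in the thread.

```python
import re

# SEC_ACE_FLAG_* bits, as named in the dump.
OBJECT_INHERIT, CONTAINER_INHERIT, INHERIT_ONLY = 0x01, 0x02, 0x08
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER",
              "S-1-3-1": "CREATOR GROUP"}
# One ACE: flags, access_mask and trustee in dump order; tolerates mail-wrapped lines.
ACE_RE = re.compile(r"flags\s*:\s*0x([0-9a-f]+).*?access_mask\s*:\s*0x([0-9a-f]+)"
                    r".*?trustee\s*:\s*(S-[\d-]+)", re.S | re.I)

def name_sid(sid):
    """Label well-known SIDs and Samba's S-1-22-1-<uid> / S-1-22-2-<gid> mappings."""
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if m:
        return ("Unix uid " if m.group(1) == "1" else "Unix gid ") + m.group(2)
    return WELL_KNOWN.get(sid, sid)

def parse_aces(dump):
    """Return one dict per complete ACE in a security descriptor dump."""
    aces = []
    for chunk in dump.split("aces: struct security_ace")[1:]:
        m = ACE_RE.search(chunk)
        if not m:  # truncated ACE: skip it rather than guess
            continue
        flags, mask = int(m.group(1), 16), int(m.group(2), 16)
        aces.append({
            "trustee": name_sid(m.group(3)),
            "mask": mask,
            "applies_here": not flags & INHERIT_ONLY,
            "to_new_files": bool(flags & OBJECT_INHERIT),
            "to_new_dirs": bool(flags & CONTAINER_INHERIT),
        })
    return aces

# Constructed sample: the six ACEs of /home from the thread, reduced to the
# flags, access_mask and trustee fields (one ACE per line).
SAMPLE = """aces: ARRAY(6)
aces: struct security_ace flags : 0x00 (0) access_mask : 0x001f01ff (2032127) trustee : S-1-22-1-0
aces: struct security_ace flags : 0x00 (0) access_mask : 0x001200a9 (1179817) trustee : S-1-22-2-0
aces: struct security_ace flags : 0x00 (0) access_mask : 0x001200a9 (1179817) trustee : S-1-1-0
aces: struct security_ace flags : 0x0b (11) access_mask : 0x001f01ff (2032127) trustee : S-1-3-0
aces: struct security_ace flags : 0x0b (11) access_mask : 0x001200a9 (1179817) trustee : S-1-3-1
aces: struct security_ace flags : 0x0b (11) access_mask : 0x001200a9 (1179817) trustee : S-1-1-0
"""

if __name__ == "__main__":
    for ace in parse_aces(SAMPLE):
        print(f"{ace['trustee']:<14} mask=0x{ace['mask']:08x} here={ace['applies_here']!s:<5} "
              f"files={ace['to_new_files']!s:<5} dirs={ace['to_new_dirs']}")
```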
Matthew Richardson
2022-Aug-18 12:50 UTC
[Samba] unix_primary_group not used when writing files
> Can we see your entire smb.conf, sanitised if you must.

Found it!

Decided to go over the config and sanitise it, but also toggle all the options that I wasn't certain of to see if they were relevant.

If I comment out the following, then the file is group owned g_alice - with it there, it's 'domain users':

    vfs objects = acl_xattr

No idea if this is expected behaviour though - from reading the docs it sounds like this is a setting we would want to have, but I'm more than happy to be told we don't need it and to leave it off!

Thanks,

Matthew