samba - Mar 2023 - windows acls

On 3/28/23 01:33, Rowland Penny via samba wrote:
>
>
> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>> I am having troubles with windows ACLs.? I have been following the 
>> wiki 
>>
(https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
>> and must have messed something up.
>> I can't set the permissions on the root of the share.? error: 
>> https://pasteboard.co/yJadpk2bH0pJ.png
>>
>> I set the SeDiskOperatorPrivilege, created the folder with 
>> permissions as stated in the wiki, and set smb.conf as described. 
>> What might I be missing?
>>
>> root at filesvr:~# net rpc rights list privileges 
>> SeDiskOperatorPrivilege -U SDCP\\peter
>> Password for [SDCP\peter]:
>> SeDiskOperatorPrivilege:
>> ?? SDCP\Domain Admins
>> ?? BUILTIN\Administrators
>>
>> root at filesvr:~# ls -l /data
>> drwxrwx---+? 4 root SDCP\domain admins??? 4096 Oct? 3 08:45 test
>
> What are the permissions set on /data ?
>
> What does 'getfacl /data/test' produce ?
>
> Rowland
>
root at filesvr:~# ls -l /
drwxr-xr-x? 16 root root?????? 4096 Dec 20 13:01 data

root at filesvr:~# getfacl /data/test
getfacl: Removing leading '/' from absolute path names
# file: data/test
# owner: root
# group: SDCP\\domain\040admins
user::rwx
user:root:rwx
user:SDCP\\domain\040admins:rwx
user:SDCP\\domain\040users:rwx
group::rwx
group:SDCP\\domain\040admins:rwx
group:SDCP\\domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:SDCP\\domain\040users:rwx
default:group::r-x
default:group:SDCP\\domain\040admins:r-x
default:group:SDCP\\domain\040users:rwx
default:mask::rwx
default:other::r-x

On 28/03/2023 15:08, Peter Carlson via samba wrote:
> 
> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>
>>
>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>> I am having troubles with windows ACLs.? I have been following the 
>>> wiki 
>>>
(https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) and
must have messed something up.
>>> I can't set the permissions on the root of the share.? error: 
>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>
>>> I set the SeDiskOperatorPrivilege, created the folder with 
>>> permissions as stated in the wiki, and set smb.conf as described. 
>>> What might I be missing?
>>>
>>> root at filesvr:~# net rpc rights list privileges 
>>> SeDiskOperatorPrivilege -U SDCP\\peter
>>> Password for [SDCP\peter]:
>>> SeDiskOperatorPrivilege:
>>> ?? SDCP\Domain Admins
>>> ?? BUILTIN\Administrators
>>>
>>> root at filesvr:~# ls -l /data
>>> drwxrwx---+? 4 root SDCP\domain admins??? 4096 Oct? 3 08:45 test
>>
>> What are the permissions set on /data ?
>>
>> What does 'getfacl /data/test' produce ?
>>
>> Rowland
>>
> root at filesvr:~# ls -l /
> drwxr-xr-x? 16 root root?????? 4096 Dec 20 13:01 data
> 
> root at filesvr:~# getfacl /data/test
> getfacl: Removing leading '/' from absolute path names
> # file: data/test
> # owner: root
> # group: SDCP\\domain\040admins
> user::rwx
> user:root:rwx
> user:SDCP\\domain\040admins:rwx
> user:SDCP\\domain\040users:rwx
> group::rwx
> group:SDCP\\domain\040admins:rwx
> group:SDCP\\domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:SDCP\\domain\040users:rwx
> default:group::r-x
> default:group:SDCP\\domain\040admins:r-x
> default:group:SDCP\\domain\040users:rwx
> default:mask::rwx
> default:other::r-x
OK, your user should be able to get to the 'data' directory via
'others'

drwxr-xr-x  16 root root       4096 Dec 20 13:01 data

Where, because the permissions are these:

drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test

His membership of Domain Admins should allow entry into 'test'

However, you also wrote this 'On a different server showing my 
membership', what do you get if you run 'groups' on
'filesvr' ?

Rowland