On 3/28/23 13:05, Rowland Penny via samba wrote:
>
> On 28/03/2023 20:04, Peter Carlson via samba wrote:
>
>
>> could it be the posix acls are interfering somehow?? here are the
>> windows acls
>>
>> root@filesvr:/var/log/samba# samba-tool ntacl get /data/test --as-sddl
>>
>> O:S-1-22-1-0G:S-1-5-21-185628584-2620904409-2800336372-512D:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-512)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-513)
>>
>>
>> root@filesvr:/var/log/samba# samba-tool ntacl get /data/peter --as-sddl
>>
>> O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)
>>
>>
>
> I am not sure what is going on here, but I did notice that you had
> 'acl_xattr:ignore system acls = yes' set on 'test', but commented out,
> was it ever set and used?
>
> If you break the ACEs down, you will find that Domain Admins is
> 'S-1-5-21-185628584-2620904409-2800336372-512' in one and just 'DA' in
> the other and I have no real idea why.
> I have done some testing in the past and found that how
> 'acl_xattr:ignore system acls = yes' works depends on if there is a
> user.map set and just who changes the permissions on Windows,
> Administrator or a member of Domain Admins.
>
>> Is this worth troubleshooting more, or should I just create new
>> shares and move the data over?
>
> It might just be easier to create a new share.
>
>>
>>
>>
>> What I need is :
>>
>> All of our shares fall into 1 of 3 categories:
>> 1) Admins only... let's call it \\filesvr\admin
>>      we want any domain admin to be able to create folders as needed
>> 2) Everyone
>>      we want any domain user to have full control
>> 3) Read-only
>>      we want any domain admin to be able to create/write
>>      we want any domain user to be able to read
>> There's some variation on this, but with these 3 I can get the rest
>>
>> I read somewhere that inheritance should be disabled. But shouldn't
>> I be able to go to \\filesvr\read-only and set:
>>      domain admins: full control, this folder, subfolders and files
>>      domain users: read, this folder, subfolders and files
>
> You should be able to do all that from Windows.
>
>>
>> then go back into smb.conf and enable acl_xattr:ignore system acls = yes
>
> I am not sure setting that line is a good idea, just set the
> permissions from Windows and never change them on the Unix side.
>
> Rowland
>
root@filesvr:/data# mkdir Accounting2
root@filesvr:/data# chmod 0770 Accounting2
root@filesvr:/data# chown root:"SDCP\\domain admins" Accounting2
root@filesvr:/data# smbcontrol all reload-config
On Windows, in Computer Management, connect to the remote server, System
Tools->Shared Folders->Shares
Accounting2: Share Permissions has Everyone, Full Control, Change and
Read, nothing else
Accounting2: Security has:
    root:           Full Control:    This folder only
    Domain Admins:  Full Control:    This folder only
    Everyone:       None:            This folder only
    CREATOR OWNER:  Full Control:    Subfolders and files only
    CREATOR GROUP:  Read & Execute:  Subfolders and files only
    Everyone:       Read & Execute:  Subfolders and files only
1) That's how it was all set by default, is there anything there that I
should change?
2) To add DOMAIN\Accounting to be able to have full control to this
share and all subfolders, do I:
    a) add that here in Computer Management
    b) open Windows Explorer, go to \\filesvr\Accounting2 and add it there?
    c) neither, create a folder and set the permissions there
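An added example, not code from the thread or from Samba, that breaks the two SDDL strings quoted above down the way Rowland suggests: it expands the SDDL aliases (DA, CO, CG, WD) against the domain SID, labels Samba's S-1-22-1-<uid> / S-1-22-2-<gid> Unix-ID SIDs, and translates each ACE's access mask and inheritance flags into the wording of the Windows Security tab, so the 'DA' entry on /data/peter and the literal '-512' entry on /data/test can be compared as the same principal. The domain SID and the two SDDL strings are copied from the messages above; the function names, the alias tables and the mask-to-name mapping are this example's own assumptions.

```python
"""Decode SDDL as printed by `samba-tool ntacl get --as-sddl`.

Added example, not code from the thread or from Samba. Expands SDDL aliases
against the domain SID, names Samba's S-1-22 Unix-ID SIDs, and maps masks and
inheritance flags to the wording of the Windows Security tab.
"""
import re

# Domain SID copied from the SDDL strings quoted in the thread.
DOMAIN_SID = "S-1-5-21-185628584-2620904409-2800336372"

WELL_KNOWN = {"WD": "S-1-1-0", "CO": "S-1-3-0", "CG": "S-1-3-1",
              "SY": "S-1-5-18", "AU": "S-1-5-11", "BA": "S-1-5-32-544"}
DOMAIN_RELATIVE = {"DA": 512, "DU": 513, "DG": 514, "DC": 515, "EA": 519}
RID_NAMES = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
             515: "Domain Computers", 519: "Enterprise Admins"}
SID_NAMES = {"S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER",
             "S-1-3-1": "CREATOR GROUP", "S-1-5-18": "SYSTEM",
             "S-1-5-11": "Authenticated Users",
             "S-1-5-32-544": "BUILTIN\\Administrators"}
# File access masks as the basic permissions view names them.
MASK_NAMES = {0x001F01FF: "Full control", 0x001301BF: "Modify",
              0x001200A9: "Read & execute", 0x00120089: "Read",
              0x00100116: "Write"}


def expand_sid(token, domain_sid=DOMAIN_SID):
    """Turn an SDDL SID token (literal SID or two-letter alias) into a full SID."""
    if token.startswith("S-"):
        return token
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    if token in DOMAIN_RELATIVE:
        return f"{domain_sid}-{DOMAIN_RELATIVE[token]}"
    raise ValueError(f"unknown SDDL SID alias: {token}")


def describe_sid(sid, domain_sid=DOMAIN_SID):
    """Human-readable name for a SID, including Samba's Unix-ID namespace."""
    if sid in SID_NAMES:
        return SID_NAMES[sid]
    unix = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if unix:  # S-1-22-1-<uid> / S-1-22-2-<gid>: Samba's SIDs for raw Unix IDs
        kind = "Unix uid" if unix.group(1) == "1" else "Unix gid"
        suffix = " (root)" if kind == "Unix uid" and unix.group(2) == "0" else ""
        return f"{kind} {unix.group(2)}{suffix}"
    if sid.startswith(domain_sid + "-"):
        rid = int(sid.rsplit("-", 1)[1])
        return RID_NAMES.get(rid, f"domain RID {rid}")
    return sid


def applies_to(flags):
    """Map ACE inheritance flags to the 'Applies to' column of the Security tab."""
    codes = {flags[i:i + 2] for i in range(0, len(flags), 2)}
    oi, ci, io = "OI" in codes, "CI" in codes, "IO" in codes
    if not oi and not ci:
        return "This folder only"
    target = {(True, True): "subfolders and files",
              (True, False): "files", (False, True): "subfolders"}[(oi, ci)]
    if io:  # inherit-only: the ACE does not apply to the folder itself
        return target[0].upper() + target[1:] + " only"
    return f"This folder, {target}" if oi and ci else f"This folder and {target}"


def parse_sddl(sddl, domain_sid=DOMAIN_SID):
    """Parse an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)(?:S:.*)?", sddl)
    if not m:
        raise ValueError("expected O:...G:...D:... SDDL")
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj, _inh_obj, sid_token = ace.split(";")
        if not rights.startswith("0x"):  # samba-tool prints masks in hex
            raise ValueError(f"expected a hex mask, got {rights!r}")
        mask = int(rights, 16)
        sid = expand_sid(sid_token, domain_sid)
        aces.append({"type": {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type),
                     "sid": sid, "who": describe_sid(sid, domain_sid),
                     "mask": mask, "rights": MASK_NAMES.get(mask, hex(mask)),
                     "applies_to": applies_to(flags)})
    return {"owner": describe_sid(expand_sid(owner, domain_sid), domain_sid),
            "group": describe_sid(expand_sid(group, domain_sid), domain_sid),
            "protected": "P" in dacl_flags,  # P: inheritance from the parent is blocked
            "aces": aces}


def allows(acl, sid, mask=0x001F01FF):
    """True if an Allow ACE for `sid` covers every bit of `mask`.
    Comparing expanded SIDs is what makes 'DA' and the literal -512 SID equal."""
    return any(a["type"] == "Allow" and a["sid"] == sid and a["mask"] & mask == mask
               for a in acl["aces"])


# The two ACLs quoted in the thread.
TEST_SDDL = ("O:S-1-22-1-0G:S-1-5-21-185628584-2620904409-2800336372-512D:PAI"
             "(A;;0x001f01ff;;;S-1-22-1-0)"
             "(A;;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-512)"
             "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
             "(A;OICIIO;0x001200a9;;;WD)"
             "(A;OICI;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-513)")
PETER_SDDL = ("O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)"
              "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)")

if __name__ == "__main__":
    domain_admins = expand_sid("DA")
    for path, sddl in (("/data/test", TEST_SDDL), ("/data/peter", PETER_SDDL)):
        acl = parse_sddl(sddl)
        print(f"{path}: owner={acl['owner']} group={acl['group']} "
              f"protected={acl['protected']} DA full control={allows(acl, domain_admins)}")
        for a in acl["aces"]:
            print(f"  {a['type']:5} {a['who']:22} {a['rights']:15} {a['applies_to']}")
```

Run as a script it prints both ACLs line by line; `allows()` answers the "does Domain Admins have full control here" question whichever way the SID was written, which is the comparison Rowland describes doing by hand.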