Peter Milesson
2024-Jan-30 19:15 UTC
[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
On 30.01.2024 16:51, Ralph Boehme via samba wrote:
> On 1/30/24 16:27, Rowland Penny via samba wrote:
>> On Tue, 30 Jan 2024 16:13:41 +0100
>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>
>>> Hi folks,
>>>
>>> It seems that the setting acl_xattr:ignore system acls = yes reduces
>>> Windows compatibility when defined for a share. In all attempts I
>>> have used Windows tools (except editing smb.conf)
>>
>> Let's walk through the relevant part of that parameter:
>> 'ignore system acls'
>>
>> It does what it says, with it set, Samba totally ignores the Unix acls
>> you can see with 'ls' and getfacl. You must set the permissions from
>> Windows and either read them from Windows or with tools such as
>> 'samba-tool ntacl get'.
>
> ...and you must start with a clean state, iow a share base directory
> that doesn't have any POSIX ACEs, just root:Domain Users 0777 or
> similar. "ignore system acls" only implies Samba will not attempt
> itself to map the NT ACL to a POSIX ACL and apply it on disk. It
> doesn't apply that existing POSIX ACLs will be enforced by the kernel
> and inherited by the kernel if applicable.
>
> Cheers!
> -slow
>

Hi folks,

I set up a new share and tried to configure it.

*Setup shared folder*

 * Create the folder /data/migrtest
 * Set ownership to root:"Domain Admins"
 * chmod 0770 migrtest

*smb.conf*

[Migrtest]
path = /data/migrtest
read only = no
acl_xattr:ignore system acls = yes

Then smbcontrol smbd reload-config and smbcontrol winbind reload-config

*Windows Computer Management*

 * Starting Computer Management as Administrator
 * Connecting to the server
 * Selecting Shares and Properties of the share Migrtest

*Tab Security*
Owner: Administrator at private.talps

-Permissions list-
root (Unix User\root)                    Full Control           This folder only
Domain Admins (Private\Domain Admins)    Read, write & Execute  This folder only
SYSTEM                                   Full control           This folder only

If I click on OK, no complaints. But the share is not accessible by any
users, except for a Domain Admin user. Further, it is not possible to
change share permissions, e.g. add any users or groups. No error
message, but the changes will not persist.

Trying to change the permissions above to something more normal:

 * disable inheritance
 * remove root
 * change access for Domain Admins to Full control and This folder,
   subfolders and files
 * change SYSTEM to Full Control and This folder, subfolders and files
 * add testgroup Read & Execute and This folder, subfolders and files

When clicking OK, the error message below pops up:

An error occurred while applying security information to:
\\linuxdev\Migrtest
"Failed to enumerate objects in the container. Access is denied"

Setting up the share initially without acl_xattr:ignore system acls =
yes, and turning on acl_xattr:ignore system acls = yes after defining
access permissions under the security tab seems to work.

Best regards,
Peter
Rowland Penny
2024-Jan-30 19:31 UTC
[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
On Tue, 30 Jan 2024 20:15:17 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
>
> On 30.01.2024 16:51, Ralph Boehme via samba wrote:
>> On 1/30/24 16:27, Rowland Penny via samba wrote:
>>> On Tue, 30 Jan 2024 16:13:41 +0100
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> It seems that the setting acl_xattr:ignore system acls = yes
>>>> reduces Windows compatibility when defined for a share. In all
>>>> attempts I have used Windows tools (except editing smb.conf)
>>>
>>> Let's walk through the relevant part of that parameter:
>>> 'ignore system acls'
>>>
>>> It does what it says, with it set, Samba totally ignores the Unix
>>> acls you can see with 'ls' and getfacl. You must set the
>>> permissions from Windows and either read them from Windows or with
>>> tools such as 'samba-tool ntacl get'.
>>
>> ...and you must start with a clean state, iow a share base directory
>> that doesn't have any POSIX ACEs, just root:Domain Users 0777 or
>> similar. "ignore system acls" only implies Samba will not attempt
>> itself to map the NT ACL to a POSIX ACL and apply it on disk. It
>> doesn't apply that existing POSIX ACLs will be enforced by the
>> kernel and inherited by the kernel if applicable.
>>
>> Cheers!
>> -slow
>>
>
> Hi folks,
>
> I set up a new share and tried to configure it.
>
> *Setup shared folder*
>
>  * Create the folder /data/migrtest
>  * Set ownership to root:"Domain Admins"
>  * chmod 0770 migrtest
>
> *smb.conf*
>
> [Migrtest]
> path = /data/migrtest
> read only = no
> acl_xattr:ignore system acls = yes
>
> Then smbcontrol smbd reload-config and smbcontrol winbind
> reload-config
>
> *Windows Computer Management*
>
>  * Starting Computer Management as Administrator
>  * Connecting to the server
>  * Selecting Shares and Properties of the share Migrtest
>
> *Tab Security*
> Owner: Administrator at private.talps
>
> -Permissions list-
> root (Unix User\root)                    Full Control           This folder only
> Domain Admins (Private\Domain Admins)    Read, write & Execute  This folder only
> SYSTEM                                   Full control           This folder only
>
> If I click on OK, no complaints. But the share is not accessible by
> any users, except for a Domain Admin user. Further, it is not
> possible to change share permissions, e.g. add any users or groups.
> No error message, but the changes will not persist.
>
> Trying to change the permissions above to something more normal:
>
>  * disable inheritance
>  * remove root
>  * change access for Domain Admins to Full control and This folder,
>    subfolders and files
>  * change SYSTEM to Full Control and This folder, subfolders and
>    files
>  * add testgroup Read & Execute and This folder, subfolders and files
>
> When clicking OK, the error message below pops up:
>
> An error occurred while applying security information to:
> \\linuxdev\Migrtest
> "Failed to enumerate objects in the container. Access is denied"
>
> Setting up the share initially without acl_xattr:ignore system acls =
> yes, and turning on acl_xattr:ignore system acls = yes after
> defining access permissions under the security tab seems to work.
>

It would, have you read this wiki page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Where there is a blue information box that says this:

If you set the shares permissions from Windows (The recommended way),
you can add the line 'acl_xattr:ignore system acls = yes' to your
share. If the line is added, Samba will ignore the standard Unix system
ACL's (ugo). Once the line is added, running setfacl on the shares
directory will not show any permission modifications you may have made
from Windows. You must not add this line until you have set up the
share permissions from Windows, otherwise you may find that you are
denied permission to change the permissions from Windows. Only add the
line if you will only connect to share via Samba.

Rowland
Ralph Boehme
2024-Jan-30 20:22 UTC
[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
On 1/30/24 20:15, Peter Milesson via samba wrote:
> *Setup shared folder*
>
>  * Create the folder /data/migrtest
>  * Set ownership to root:"Domain Admins"
>  * chmod 0770 migrtest

iirc this has to be 0777, otherwise the kernel gets in your way. You
only want Samba to enforce permissions so you have to get the kernel
filesystem permissions out of the way by going with 0777.

-slow

-- 
SerNet Samba Team Lead https://samba.plus/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
SerNet Samba Support, Consulting and Development
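The "clean state" Ralph describes (mode 0777 and no POSIX ACL entries on the share base directory, so that only Samba and not the kernel enforces access once acl_xattr:ignore system acls = yes is set) is easy to get wrong, as the 0770 in the original setup shows. The preflight check below is an added example, not code from this thread or from the Samba project; it assumes GNU coreutils (stat -c and the "+" suffix ls prints when an extended POSIX ACL is present), and the directory path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): check that a
# share base directory is in the "clean state" needed before enabling
# "acl_xattr:ignore system acls = yes" in smb.conf.
# Assumptions: GNU coreutils (stat -c '%a'; ls -ld marks extended POSIX
# ACLs with a trailing "+" in the mode column).

# share_dir_is_clean DIR
# Returns 0 when DIR is a directory whose permission bits are 777 and which
# carries no extended POSIX ACL entries; returns 1 otherwise and explains
# each problem on stderr.
share_dir_is_clean() {
    dir=$1
    rc=0

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi

    # Compare only the low three octal digits, so a setgid bit (2777)
    # does not count as a problem; the kernel-enforced ugo bits do.
    mode=$(stat -c '%a' "$dir")
    perm=${mode#"${mode%???}"}
    if [ "$perm" != "777" ]; then
        echo "$dir: permission bits are $perm, expected 777;" \
             "the kernel will deny access that Samba's NT ACL grants" >&2
        rc=1
    fi

    # An extended ACL (including a default ACL the kernel would inherit
    # to new files) shows up as "+" after the mode in ls -ld output.
    case $(ls -ld "$dir" | cut -d' ' -f1) in
        *+)
            echo "$dir: extended POSIX ACL entries present;" \
                 "remove them (e.g. setfacl -b) before ignoring system acls" >&2
            rc=1
            ;;
    esac

    return $rc
}

# When run as a script, check every directory given on the command line.
if [ "$#" -gt 0 ]; then
    status=0
    for d in "$@"; do
        if share_dir_is_clean "$d"; then
            echo "$d: clean, safe to set acl_xattr:ignore system acls = yes"
        else
            status=1
        fi
    done
    exit $status
fi
```

Run it as `sh check-share-dir.sh /data/migrtest` before adding the parameter; with the 0770 directory from the original message it reports the permission bits, and with a directory that already has POSIX ACL entries it reports those, both of which match the symptoms in the thread (access denied for ordinary users, and "Failed to enumerate objects in the container" when editing the ACL from Windows).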