On Wed, May 13, 2015 at 1:20 PM, Klaus Hartnegg <hartnegg at uni-freiburg.de> wrote:

> On 13.05.2015 at 17:30, Sébastien Le Ray wrote:
>
>> No they aren't
>>
>> Yes they are
>
> Not sure about this, but mostly irrelevant anyway, because of this effect
> in the other direction:
>
> If you have set Windows ACLs, and then change unix permissions or acls,
> this will destroy the Windows ACLs. Changing owner or group from within
> Linux also has this side effect. For this reason it is better to use only
> Linux permissions (mode bits and acls), or only Windows ACLs, but not try
> to mix both.

Hello Klaus,

This is one of the concerns I am trying to determine. It does seem like it is difficult to keep both acl systems functioning together, and simply not optimal to do so.

Using Rowland Penny's earlier example, I can see how a sysadmin can easily create conflicting permissions amongst multiple users, groups, and then OS acl types too.

On 13.05.2015 at 19:53, Mike wrote:

> On Wed, May 13, 2015 at 1:20 PM, Klaus Hartnegg <hartnegg at uni-freiburg.de>
> wrote:
>
>> On 13.05.2015 at 17:30, Sébastien Le Ray wrote:
>>
>>> No they aren't
>>>
>>> Yes they are

Yes indeed, Samba adjusts the Linux acls to match the Windows ACLs (as well as Linux acls can).

> Using Rowland Penny's earlier example, I can see how a sysadmin can easily
> create conflicting permissions amongst multiple users, groups, and then OS
> acl types too.

Not sure which email you mean. I don't think that this can happen. If the Linux acls are modified, the Windows ACLs are destroyed and all is based on the Linux permissions and acls (which looks strange when viewed from Windows). If the Windows ACLs are modified, Samba automatically adjusts the Linux acls accordingly. They should always be in sync.

On Fri, May 15, 2015 at 4:37 AM, Klaus Hartnegg <hartnegg at uni-freiburg.de> wrote:

> Not sure which email you mean. I don't think that this can happen. If the
> Linux acls are modified, the Windows ACLs are destroyed and all is based on
> the Linux permissions and acls (which looks strange when viewed from
> Windows). If the Windows ACLs are modified, Samba automatically adjusts the
> Linux acls accordingly. They should always be in sync.

Klaus,

I think my test demonstrated what you are saying. I changed a share's permissions from

    root:root rwxrwxrwx

to

    root:root rwxrwx---

And then the Windows AD Administrator account was no longer able to access the share. If I made a linux user account on the server called "Administrator" and did:

    setfacl -R -m u:Administrator:rwx /mnt/data

then the Administrator would be configured using posix acl's for access to the share.

I guess the moral of the story: if you don't want to set up AD domain users with linux user accounts on the server, and are serving shares only to Windows clients - DON'T touch posix permissions or acl's. Use Microsoft ADUC and Samba4 will interpret/provide the acl settings to the linux filesystem.

Is that close to correct?
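
Added example, not part of the thread and not Samba code: a simplified Python model of the POSIX ACL access check, replaying the share test from the last message. It assumes the AD Administrator is mapped to a uid/gid (constructed values below) that is neither root nor a member of group root, and it models only the kernel-side POSIX check, not Samba's handling of Windows ACLs.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1
RWX = R | W | X

@dataclass
class PosixAcl:
    owner: int
    group: int
    user_obj: int                  # owner bits
    group_obj: int                 # owning-group bits
    other: int
    users: dict = field(default_factory=dict)    # named user entries: uid -> bits
    groups: dict = field(default_factory=dict)   # named group entries: gid -> bits
    mask: int = RWX                # caps named users and every group entry

def allowed(acl, uid, gids, want):
    """POSIX.1e order: owner, named user, group class, other. First match wins."""
    if uid == acl.owner:
        return (acl.user_obj & want) == want
    if uid in acl.users:
        return (acl.users[uid] & acl.mask & want) == want
    group_entries = [acl.group_obj] if acl.group in gids else []
    group_entries += [bits for gid, bits in acl.groups.items() if gid in gids]
    if group_entries:
        # A group match never falls through to "other", even when it denies.
        return any((bits & acl.mask & want) == want for bits in group_entries)
    return (acl.other & want) == want

# Constructed IDs (assumption): the AD Administrator as mapped on the server,
# not uid 0 and not in group root, so it lands in the "other" class.
ADMIN_UID, ADMIN_GIDS = 3000000, [3000001]

def share_scenarios():
    mode_777 = PosixAcl(0, 0, RWX, RWX, RWX)
    mode_770 = PosixAcl(0, 0, RWX, RWX, 0)
    with_acl = PosixAcl(0, 0, RWX, RWX, 0, users={ADMIN_UID: RWX})
    # chmod g-w on a file that has an ACL lowers the mask, not only group bits,
    # so the named user entry silently loses write as well.
    masked = PosixAcl(0, 0, RWX, RWX, 0, users={ADMIN_UID: RWX}, mask=R | X)
    return {
        "rwxrwxrwx": allowed(mode_777, ADMIN_UID, ADMIN_GIDS, RWX),
        "rwxrwx---": allowed(mode_770, ADMIN_UID, ADMIN_GIDS, RWX),
        "rwxrwx--- + u:Administrator:rwx": allowed(with_acl, ADMIN_UID, ADMIN_GIDS, RWX),
        "mask r-x, write request": allowed(masked, ADMIN_UID, ADMIN_GIDS, W),
    }

if __name__ == "__main__":
    for case, ok in share_scenarios().items():
        print(f"{case}: {'granted' if ok else 'denied'}")
```

The last case shows why a later chmod on an ACL-managed tree can change effective access for named users without touching their entries.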