Roel van Meer
2015-Aug-10  16:39 UTC
[Samba] strange default share ACLs, where do they come from?
Hi everyone,
I have a Samba 4.2.3 PDC server with some shares on it. If I create a new
share, it immediately has some strange ACLs. Could anyone tell me where
these come from?
Example:
root at corrumpeer:/# cat <<EOF>>/etc/samba/smb.conf
[test3]
  path = /tmp/test3
EOF
root at corrumpeer:/# mkdir /tmp/test3
root at corrumpeer:/# chown root:users /tmp/test3
root at corrumpeer:/# chmod 0770 /tmp/test3
root at corrumpeer:/# smbcacls //corrumpeer/test3 \\ -Uadmin%password
REVISION:1
CONTROL:SR|DP
OWNER:Unix User\root
GROUP:BUILTIN\Users
ACL:Unix User\root:ALLOWED/0x0/FULL
ACL:BUILTIN\Users:ALLOWED/0x0/FULL
ACL:Everyone:ALLOWED/0x0/
ACL:S-1-5-88-3-16888:DENIED/0x0/
ACL:S-1-5-88-1-0:DENIED/0x0/
ACL:S-1-5-88-2-100:DENIED/0x0/
ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:Creator Group:ALLOWED/OI|CI|IO/FULL
ACL:Everyone:ALLOWED/OI|CI|IO/RWDPO
root at corrumpeer:/# getfattr -m '.*' /tmp/test3
<no output>
root at corrumpeer:/# getfattr -m '.*' /tmp
<no output>
root at corrumpeer:/# getfacl /tmp/test3
getfacl: Removing leading '/' from absolute path names
# file: tmp/test3
# owner: root
# group: users
user::rwx
group::rwx
other::---
root at corrumpeer:/# getfacl /tmp
getfacl: Removing leading '/' from absolute path names
# file: tmp
# owner: root
# group: root
# flags: --t
user::rwx
group::rwx
other::rwx
So no ACLs or extended attributes on the dir or the parent (or / for that
matter), but still smbcacls shows these strange ACLs.
I can use the computer management tool (per the wiki
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs)
to check the ACLs on the share and they are the same there. But where do
they come from? Is there a place where you can configure default ACLs for
new shares?
Thanks a lot,
Roel
/etc/samba/smb.conf:
[global]
        workgroup = CUSTOMER
        netbios name = CORRUMPEER
        server string = corrumpeer
        interfaces = 192.168.1.1/24 127.255.255.255/8
        bind interfaces only = Yes
        hosts allow = 192.168.1.0/255.255.255.0 127.0.0.1
        max protocol = SMB3
        log level = 1
        log file = /var/log/samba/samba.log
        max log size = 5000
        syslog = No
        domain logons = Yes
        logon script = %U.bat
        os level = 254
        preferred master = Yes
        domain master = Yes
        local master = Yes
        wins support = Yes
        time server = Yes
        name resolve order = host wins bcast
        passdb backend = ldapsam:ldap://localhost
        ldap suffix = dc=customer,dc=net
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=admin,dc=customer,dc=net
        ldap ssl = No
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config CUSTOMER : backend  = rid
        idmap config CUSTOMER : range = 10000-20000
        idmap config CUSTOMER : base_rid    = 0
        printing = cups
        min print space = 1000
        create mask = 0660
        force create mode = 0660
        directory mask = 0770
        force directory mode = 0770
        vfs objects = acl_xattr fruit streams_xattr
        acl allow execute always = Yes
        acl group control = Yes
        map acl inherit = Yes
        store dos attributes = Yes
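Added example, not part of the original post or of Samba's own code: a small Python parser for the smbcacls output shown above that decodes the S-1-5-88-* trustees. S-1-5-88 is the well-known "Unix NFS" SID authority (used by Windows Services for NFS and by Samba): S-1-5-88-1-<uid>, S-1-5-88-2-<gid> and S-1-5-88-3-<mode>, where mode carries the full st_mode value including the file-type bits. Decoding the three DENIED/0x0 entries from the post yields uid 0, gid 100 and mode 0o40770 (drwxrwx---), which is exactly what getfacl reported for /tmp/test3, so those entries are consistent with Samba stashing the directory's existing POSIX owner, group and mode inside the synthesized NT ACL rather than with a default ACL configured somewhere else. The sample input is the smbcacls output copied from the post; the ValueError check on carrier ACEs is my own sanity rule, not Samba behaviour.

```python
"""Parse smbcacls text output and decode Samba's POSIX-carrier SIDs (S-1-5-88-*).

Added example, not code from the original post. S-1-5-88-1-<uid>,
S-1-5-88-2-<gid> and S-1-5-88-3-<mode> are the Unix-NFS well-known SIDs;
the DENIED/0x0 ACEs that use them grant or deny nothing by themselves.
"""
import re
import stat
from dataclasses import dataclass

# Constructed input: the smbcacls output from the post, copied verbatim.
SMBCACLS_OUTPUT = """\
REVISION:1
CONTROL:SR|DP
OWNER:Unix User\\root
GROUP:BUILTIN\\Users
ACL:Unix User\\root:ALLOWED/0x0/FULL
ACL:BUILTIN\\Users:ALLOWED/0x0/FULL
ACL:Everyone:ALLOWED/0x0/
ACL:S-1-5-88-3-16888:DENIED/0x0/
ACL:S-1-5-88-1-0:DENIED/0x0/
ACL:S-1-5-88-2-100:DENIED/0x0/
ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:Creator Group:ALLOWED/OI|CI|IO/FULL
ACL:Everyone:ALLOWED/OI|CI|IO/RWDPO
"""


@dataclass
class Ace:
    trustee: str
    ace_type: str   # "ALLOWED" or "DENIED"
    flags: list     # e.g. ["OI", "CI", "IO"]; [] when smbcacls prints 0x0
    mask: str       # e.g. "FULL", "RWDPO"; "" when smbcacls prints nothing


def parse_smbcacls(text):
    """Return (header dict, list of Ace) from smbcacls' text output."""
    header, aces = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, rest = line.partition(":")
        if key != "ACL":
            header[key] = rest
            continue
        # Trustee names may contain spaces and backslashes; the last ':'
        # separates the trustee from the TYPE/FLAGS/MASK spec.
        trustee, _, spec = rest.rpartition(":")
        ace_type, flags, mask = spec.split("/")
        aces.append(Ace(trustee, ace_type,
                        [] if flags == "0x0" else flags.split("|"), mask))
    return header, aces


_NFS_SID = re.compile(r"^S-1-5-88-([123])-(\d+)$")


def decode_unix_nfs_sid(sid):
    """Map S-1-5-88-{1,2,3}-N to ('uid'|'gid'|'mode', N); None for other SIDs."""
    m = _NFS_SID.match(sid)
    if not m:
        return None
    kind = {"1": "uid", "2": "gid", "3": "mode"}[m.group(1)]
    return kind, int(m.group(2))


def posix_summary(text):
    """Extract the POSIX owner/group/mode carried in the NT ACL.

    Returns {'uid': int, 'gid': int, 'mode': int, 'mode_str': str}; mode_str
    is rendered like `ls -l` so it can be compared with getfacl by eye.
    """
    _, aces = parse_smbcacls(text)
    found = {}
    for ace in aces:
        decoded = decode_unix_nfs_sid(ace.trustee)
        if decoded is None:
            continue
        kind, value = decoded
        # Sanity rule (mine, not Samba's): a carrier ACE should be an empty
        # DENY; anything else on an S-1-5-88 SID is worth a closer look.
        if ace.ace_type != "DENIED" or ace.mask != "":
            raise ValueError(f"unexpected non-empty carrier ACE: {ace}")
        found[kind] = value
    if "mode" in found:
        found["mode_str"] = stat.filemode(found["mode"])
    return found


def inherit_only_aces(text):
    """Trustees of inherit-only ACEs, i.e. what new children of the dir get."""
    _, aces = parse_smbcacls(text)
    return [a.trustee for a in aces if "IO" in a.flags]


if __name__ == "__main__":
    print(posix_summary(SMBCACLS_OUTPUT))
    print(inherit_only_aces(SMBCACLS_OUTPUT))
```

Running it against the pasted output prints uid 0, gid 100 and mode 16888, which stat.filemode renders as drwxrwx---, and lists Creator Owner, Creator Group and Everyone as the inherit-only entries. The same parser can be pointed at any `smbcacls //server/share path -U user` output to check whether a share's visible ACL is just a re-encoding of the POSIX permissions on disk.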