Hello samba team ! On my network, I mainly manage my AD users and computers from Unix using shell scripts. So I would like to set the shares' ACLs directly from the DC with the POSIX setfacl command. When exporting with NFSv4, the POSIX ACLs are conserved. I can set the permissions the same manner as for my local users. But on DC, the "rwx" right is mapped to "full control" so my users can delete some directories even if they are not the owner. And It seems that the samba option "acl map full control = false" does not works on DC. It this a way to make a SMB share POSIX conservative on DC ? Maybe I need to set some "xattrs" ? Detailled description : -------------------------------- I have a base folder with the following right : /basedir owner : root (rwx) group : basegroup (r-x) ACL: -> group : supgroup (r-x) Containing a directory : /basedir/dirA owner : root (rwx) group : basegroup (r-x) ACL: -> group : supgroup (rwx) So the user in "basegroup" can access the tree and "supgroup" can write inside the dirA folder. But from windows with SMB, the basegroup can delete the dirA directory and I don't what that ! Can someone help me ? Baptiste.
Hello Baptiste, Am 03.11.2015 um 16:00 schrieb Prunk Dump:> On my network, I mainly manage my AD users and computers from Unix > using shell scripts. So I would like to set the shares' ACLs directly > from the DC with the POSIX setfacl command. > > When exporting with NFSv4, the POSIX ACLs are conserved. I can set the > permissions the same manner as for my local users. > > But on DC, the "rwx" right is mapped to "full control" so my users can > delete some directories even if they are not the owner. And It seems > that the samba option "acl map full control = false" does not works on > DC. > > It this a way to make a SMB share POSIX conservative on DC ? Maybe I > need to set some "xattrs" ?DCs have hard-coded globally enabled stuff that is required for shares with Windows ACLs (https://wiki.samba.org/index.php/Shares_with_Windows_ACLs). As far as I know, you can't disable it for some shares. You might think about setting up a domain member to provide shares with POSIX ACLs. Regards, Marc
Maybe Matching Threads
- config.c32 fails in 5.00pre11
- [Bug 1791] New: using --delete with single directory mirroring doesn't delete files
- --delete and explicitly listed files
- mount.cifs is not working (smbclient does work), somekind of recursive content in mount-dir
- Keeping File Trees in Sync