A Samba server I've configured uses the VFS acl_xattr module to support Windows ACLs. I'd like to view the ACL data, in as raw a state as possible, but also in a human readable format. Is there an existing utility that does that? If not, and I need to write an application to accomplish it, which APIs would you recommend (and on which attributes)?

Thanks,
Steve Tice
On Tue, Mar 8, 2016 at 4:00 PM, Steve Tice <stic6021 at yahoo.com> wrote:
> A Samba server I've configured uses the VFS acl_xattr module to support Windows ACLs. I'd like to view the ACL data, in as raw a state as possible, but also in a human readable format. Is there an existing utility that does that? If not, and I need to write an application to accomplish it, which APIs would you recommend (and on which attributes)?

Steve, `smbcacls` dumps ACLs on a per file/directory basis and `rpcclient -c 'netshareenum 502' <server>` dumps security descriptors of a share.

I've always felt that returning the RAW SD should be an option for the standard samba tools (for applications that need it).

-aps
On 08/03/16 21:00, Steve Tice wrote:
> A Samba server I've configured uses the VFS acl_xattr module to support Windows ACLs. I'd like to view the ACL data, in as raw a state as possible, but also in a human readable format. Is there an existing utility that does that? If not, and I need to write an application to accomplish it, which APIs would you recommend (and on which attributes)?
>
> Thanks,
> Steve Tice

I take it you are talking about share ACLs. If this is the case, then you may be talking about the acl tools 'setacl' & 'getacl'.

To get the ACLs on sysvol:

root at dc1:~# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
# flags: -s-
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Is that what you require?

Rowland
> A Samba server I've configured uses the VFS acl_xattr module to support Windows ACLs. I'd like to view the ACL data, in as raw a state as possible, but also in a human readable format. Is there an existing utility that does that? If not, and I need to write an application to accomplish it, which APIs would you recommend (and on which attributes)?

From the vfs_acl_xattr man page:

The `vfs_acl_xattr` VFS module stores NTFS Access Control Lists (ACLs) in Extended Attributes (EAs). This enables the full mapping of Windows ACLs on Samba servers.

The ACLs are stored in the Extended Attribute `security.NTACL` of a file or directory. This Attribute is not listed by `getfattr -d filename`. To show the current value, the name of the EA must be specified (e.g. `getfattr -n security.NTACL filename`).
Thanks for providing the rpcclient command - that's news to me. It turns out
the SD at the share level looks as expected. That's a good start. However,
some of the output from smbcacls includes surprises. For example, the value of
the record labeled "CONTROL" is not necessarily as expected - but
I'm guessing at the meaning of the acronyms in use (SR, PD, SI, DI, DP).
Does anyone know of documentation describing the output from smbcacls? If it can
be interpreted by studying some Microsoft documents, references to them would be
helpful.
I've also looked closely at the output from "getfattr -n security.NTACL
<some-directory>". In some cases, two directories on different Samba
servers can have identical getfattr output and different smbcacls output. That
probably means the output from smbcacls depends on more than just the value
stored in security.NTACL. I'm working to identify missing puzzle pieces,
such as the role played by inheritance, and understand how
"security.NTACL" and that ACL's content as displayed by smbcacls
are related (and how they are unrelated). All insight is welcomed.
Steve
From: pisymbol . <pisymbol at gmail.com>
Steve, `smbcacls` dumps ACLs on a per file/directory basis and
`rpcclient -c 'netshareenum 502' <server>` dumps security descriptors
of a share.
I've always felt that returning the RAW SD should be an option for the
standard samba tools (for applications that need it).
-aps
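
An added example, not part of the thread and not Samba code: a decoder for a bare self-relative security descriptor that expands the 16-bit Control field into the two-letter abbreviations defined in Microsoft's MS-DTYP (section 2.4.6, SECURITY_DESCRIPTOR) and lists the owner, group and DACL entries. It assumes that the CONTROL letters printed by smbcacls follow those MS-DTYP abbreviations, and it does not unwrap the encoding Samba puts around the descriptor inside `security.NTACL`; the sample descriptor is constructed for illustration.

```python
import struct

CONTROL_BITS = [  # MS-DTYP 2.4.6, from bit 15 (0x8000) down to bit 0 (0x0001)
    ("SR", "Self-Relative"), ("RM", "RM Control Valid"), ("PS", "SACL Protected"),
    ("PD", "DACL Protected"), ("SI", "SACL Auto-Inherited"), ("DI", "DACL Auto-Inherited"),
    ("SC", "SACL Computed Inheritance Required"), ("DC", "DACL Computed Inheritance Required"),
    ("SS", "Server Security"), ("DT", "DACL Trusted"), ("SD", "SACL Defaulted"),
    ("SP", "SACL Present"), ("DD", "DACL Defaulted"), ("DP", "DACL Present"),
    ("GD", "Group Defaulted"), ("OD", "Owner Defaulted"),
]

def decode_control(control):
    return [(a, n) for i, (a, n) in enumerate(CONTROL_BITS) if control & (0x8000 >> i)]

def parse_sid(buf, off):
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # 32-bit, little-endian
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_sd(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR: Control, owner, group, DACL."""
    _rev, _, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & 0x8000:
        raise ValueError("not a self-relative security descriptor")
    sd = {"control": decode_control(control), "dacl": None,   # None: no DACL present
          "owner": parse_sid(buf, o_owner) if o_owner else None,
          "group": parse_sid(buf, o_group) if o_group else None}
    if control & 0x0004 and o_dacl:                  # DP set and a DACL offset given
        ace_count = struct.unpack_from("<BBHHH", buf, o_dacl)[3]
        off, sd["dacl"] = o_dacl + 8, []
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, off)
            if ace_size < 8:
                raise ValueError("corrupt ACE size")
            sid = parse_sid(buf, off + 8) if ace_type in (0, 1) else None  # allow/deny ACEs only
            sd["dacl"].append((ace_type, ace_flags, mask, sid))
            off += ace_size
    return sd

def sample_sd():
    """Constructed sample: Control = SR|PD|SI|DI|DP with two ACCESS_ALLOWED ACEs."""
    def sid(auth, *subs):
        return struct.pack("<BB6s%dI" % len(subs), 1, len(subs), auth.to_bytes(6, "big"), *subs)
    admins, everyone = sid(5, 32, 544), sid(1, 0)
    aces = (struct.pack("<BBHI", 0, 0x03, 24, 0x001F01FF) + admins
            + struct.pack("<BBHI", 0, 0x13, 20, 0x001200A9) + everyone)
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), 2, 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x9C04, 20, 36, 0, 52) + admins + admins + dacl
```

Each DACL tuple is (ACE type, ACE flags, access mask, SID); in the sample the second ACE has the inherited flag (0x10) set, which is the kind of per-ACE detail that sits alongside the DI and PD bits when tracing inheritance.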
On Tue, Mar 08, 2016 at 09:00:24PM +0000, Steve Tice wrote:
> A Samba server I've configured uses the VFS acl_xattr module to
> support Windows ACLs. I'd like to view the ACL data, in as raw a
> state as possible, but also in a human readable format.

# samba-tool ntacl get PATH

-Ralph

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt at sernet.de