After a decent amount of online searches, I am a little bit lost on the subject of Samba4 in AD mode and ACL's. Could anybody help with the following please: 1. Is it correct that my default ACL's are being ignored (new files created don't follow the default ACL's permissions of the parent folder) because "inherit permissions = " is set to No by default in smb.conf? 2. Is "inherit permissions = " still a valid option in smb.conf for Samba4 in AD mode, or has it been deprecated? 3. Does "inherit permissions = " have the same effect as clicking "Enable inheritance" button on the Windows side in the share settings?
On Fri, 5 May 2017 11:21:14 +0100 Sebastian Arcus via samba <samba at lists.samba.org> wrote:> After a decent amount of online searches, I am a little bit lost on > the subject of Samba4 in AD mode and ACL's. Could anybody help with > the following please: > > 1. Is it correct that my default ACL's are being ignored (new files > created don't follow the default ACL's permissions of the parent > folder) because "inherit permissions = " is set to No by default in > smb.conf? > > 2. Is "inherit permissions = " still a valid option in smb.conf for > Samba4 in AD mode, or has it been deprecated? > > 3. Does "inherit permissions = " have the same effect as clicking > "Enable inheritance" button on the Windows side in the share settings? > > >If you are using an AD DC as a fileserver, you do not add anything to the share other than the path and read only mode, you need to set the ACLs from windows, see here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs Rowland
On 05/05/17 12:01, Rowland Penny via samba wrote:> On Fri, 5 May 2017 11:21:14 +0100 > Sebastian Arcus via samba <samba at lists.samba.org> wrote: > >> After a decent amount of online searches, I am a little bit lost on >> the subject of Samba4 in AD mode and ACL's. Could anybody help with >> the following please: >> >> 1. Is it correct that my default ACL's are being ignored (new files >> created don't follow the default ACL's permissions of the parent >> folder) because "inherit permissions = " is set to No by default in >> smb.conf? >> >> 2. Is "inherit permissions = " still a valid option in smb.conf for >> Samba4 in AD mode, or has it been deprecated? >> >> 3. Does "inherit permissions = " have the same effect as clicking >> "Enable inheritance" button on the Windows side in the share settings? >> >> >> > > If you are using an AD DC as a fileserver, you do not add anything to > the share other than the path and read only mode, you need to set the > ACLs from windows, see here: > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs >Thank you for that. Where I got confused is that many howtos seem to suggest that ACL's can be managed either from the Windows side, or with setfacl on the Linux side. I noticed that if I have the following ACL's # file: VAT # owner: root # group: MYDOM\134domain\040users user::rwx group::rwx mask::rwx other::--- default:user::rwx default:group::rwx default:mask::rwx default:other::--- The inheritance doesn't work correctly, in spite of the default ACL's. It seems that it only works correctly if there is an explicit default ACL for "Domain Users" - in spite of the fact that the "Domain Users" is the owning group, and there is a default ACL for the owning group. Is this by design?
Apparently Analagous Threads
- Problems with inconsistent ACL inheritance and permissions after Samba upgrade
- Problems with inconsistent ACL inheritance and permissions after Samba upgrade
- Problems with inconsistent ACL inheritance and permissions after Samba upgrade
- Problems with inconsistent ACL inheritance and permissions after Samba upgrade
- NT_STATUS_ACCESS_DENIED listing \* on Samba AD - out of the blue