On Tue, 20 Feb 2018 16:47:25 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> Hmm, bit of a catch 22 situation here, to use members of 'Domain
> Admins' to set the ACLs on a share directory, the group for the share
> directory must be 'Domain Admins', but if you tell Samba to ignore
the
> system acls, then 'Domain Admins' will not have permission on the
> share.
>
> I have never used 'acl_xattr:ignore system acls = yes' myself, so I
> don't know of a workaround, I have ideas, so I will go and test them.
>
> Watch this space ;-)
>
> Rowland
>
>
OK, fired up a Win7 VM and tried to add users to a share.
First the good news, it doesn't matter if 'acl_xattr:ignore system acls
= yes' is set or not.
Now the bad news, it didn't work on a share that didn't have
'acl_xattr:ignore system acls = yes' at first. I traced this down to a
permissions problem.
I ran: ls -lad /home/testdata
Which returned this:
drwxrwx---+ 2 root unix admins 4096 Jan 26 14:27 /home/testdata
So, on the face of it, members of 'unix admins' should be able to write
to the share. NOTE: I use Unix Admins instead of Domain Admins
Well they couldn't ;-)
I traced this to:
getfacl /home/testdata
Which produced this:
getfacl: Removing leading '/' from absolute path names
# file: home/testdata
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
user:rowland:r-x
group::---
group:root:---
group:2004:r-x
group:2005:rwx
group:unix\040admins:---
........
According to getfacl 'unix admins' has NO permissions
To fix this, I ran:
setfacl -m g:'unix admins':rwx /home/testdata
Refreshed the computer in windows 'Computer Management' and I could
then manage the share from windows.
Added 'acl_xattr:ignore system acls = yes' to the share in smb.conf,
reloaded the Samba config and it still worked.
Rowland