Lapin Blanc
2018-Apr-29 09:05 UTC
[Samba] no attributes after following "Setting up a Share Using Windows ACLs"
Hi, i have setup an ad dc with samba 4.8, and then rigorously followed wiki tutorial at : https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs However, when following the last part (File System ACLs in the Back End), I don't get the expected results : [root at mydc ~]# getfattr -d /srv/samba/Demo/ doesn't yield anything and getfacl /srv/samba/Demo/ getfacl : suppression du premier « / » des noms de chemins absolus # file: srv/samba/Demo/ # owner: root # group: SAMDOM\134domain\040admins user::rwx user:root:rwx user:3000004:rwx group::rwx group:users:rwx group:SAMDOM\134domain\040admins:rwx mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000004:rwx default:group::--- default:group:users:rwx default:group:SAMDOM\134domain\040admins:rwx default:mask::rwx default:other::--- Also, if I create a folder in the share after logging as a regular user : [root at mydc ~]# getfattr -d /srv/samba/Demo/Hello/ getfattr: Suppression des « / » en tête des chemins absolus # file: srv/samba/Demo/Hello/ user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN/KVn2Y39MBAAAAAAAAAAA [root at mydc ~]# ls -al /srv/samba/Demo/ total 8 drwxrwx---+ 3 root SAMDOM\domain admins 19 29 avr 11:00 . drwxr-xr-x. 3 root root 18 29 avr 10:10 .. drwxrwx---+ 2 3000000 users 6 29 avr 11:00 Hello I don't know the consequences of those differences from a security point of view, why I have this DOSATTR instead of SAMBA_PAI...
Rowland Penny
2018-Apr-29 11:56 UTC
[Samba] no attributes after following "Setting up a Share Using Windows ACLs"
On Sun, 29 Apr 2018 11:05:16 +0200 Lapin Blanc via samba <samba at lists.samba.org> wrote:> Hi, i have setup an ad dc with samba 4.8, and then rigorously > followed wiki tutorial at : > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > However, when following the last part (File System ACLs in the Back > End), I don't get > the expected results : > > [root at mydc ~]# getfattr -d /srv/samba/Demo/ > doesn't yield anythingThere is very good reason why you didn't get anything ;-) The wiki page is wrong, it should be: getfattr -n security.NTACL -d /srv/samba/Demo/ Which should produce something like this: getfattr: Removing leading '/' from absolute path names # file: srv/samba/Demo/ security.NTACL=0sBAAEAAAAAgAEAAIAAQC4zK0lHchKFvwXwbPR/h8P8sXMj5dNIT5QQuWsYwO3RAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAEbGxuGu39MBuiZRk2pYxeL5ZWc4au0ikqRAk53MkjVd2b4quyk2WwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJy0AAAA0AAAAAAAAADsAAAAAQUAAAAAAAUVAAAASSVmaZneO8cxOHk/9AEAAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5P0oIAAACAMQABwAAAAALFACpABIAAQEAAAAAAAEAAAAAAAAUAAAAEAABAQAAAAAAAQAAAAAACxQA/wEfAAEBAAAAAAADAAAAAAALFACpABIAAQEAAAAAAAMBAAAAAAMkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT9KCAAAAAAkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT/0AQAAAAMkAL8BEwABBQAAAAAABRUAAABJJWZpmd47xzE4eT8BAgAA Which is as clear as mud, so to get it anywhere near readable, try this: samba-tool ntacl get /srv/samba/Demo --as-sddl Which will get you this: O:LAG:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x00100000;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;0x001f01ff;;;LA)(A;OICI;0x001301bf;;;DU) Rowland