>> Side question: How is it even possible that Windows "remembers" the
>> ACL it sets but it's not visible on Linux when using getfacl?
Windows ACLs are being stored in Extended Attributes using the acl_xattr vfs
module. Linux ACLs are not there because the line
acl_xattr:ignore system acls = yes
is telling Samba not to write them.
On 13 May 2018 21:25, Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> On 13 May 2018 at 21:17, Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > Hi Rowland,
> >
> > Thanks for replying again.
> >
> > On 13 May 2018 at 18:12, Rowland Penny via samba <samba at lists.samba.org>
> > wrote:
> >
> >> On Sun, 13 May 2018 17:39:39 +0200
> >> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> >>
> >> [...]
> >>
> >> > username map = /etc/samba/samba_usermap
> >>
> >> What is in the 'samba_usermap' ?
> >>
> >
> > !root = SAMDOM\Administrator SAMDOM\administrator
> >
> >
> >>
> >> > [myshare]
> >> > path = /srv/samba/myshare
> >> > comment = "My Data"
> >> > guest ok = no
> >> > writeable = yes
> >> > create mask = 0666
> >> > directory mask = 0777
> >> > acl_xattr:ignore system acls = yes
> >>
> >> As you are trying to use Windows ACLs, you should follow the info on
> >> the page you linked and stop getting creative ;-)
> >>
> >
> > Trust me, I have no intention of getting creative. This is how I set up
> > the share a year or two ago and haven't changed it in the meantime. It used
> > to work. Now all of a sudden something doesn't.
> >
> >
> >> Remove the 'guest ok' line, it is the default.
> >> Remove the two 'mask' lines, the last line is actually telling Samba
> >> to ignore them.
> >>
> >
> > Yes, I read that, but didn't hurry to remove them as they shouldn't hurt.
> > Will do so now, though.
> >
> >
> >>
> >> > Slightly off topic: Is my assumption correct that gidNumbers and
> >> > uidNumbers do not need to be distinct between each other, i.e. can a
> >> > user have the same number as uidNumber that a group has as gidNumber?
> >>
> >> Yes, whilst every user must have a unique uidNumber and every group
> >> must have a unique gidNumber, there is nothing stopping a user and a
> >> group having the same number.
> >>
> >>
> > That's what I thought, thanks.
> >
> > Not knowing what else to try, I'll just go ahead and restart everything
> > and see if this has any impact.
> >
>
> Restarting everything didn't help.
>
> Situation is as follows: I have the share "myshare" exactly as described in
> smb.conf above. Within this share, from within Windows and as
> SAMDOM\Administrator, I'm creating a new folder. This new folder by default
> only has permissions for "Domain Admins". So, still using Windows, I'm
> changing the ACL and include "Domain Users", for example. This group exists
> and has a unique gidNumber.
>
> $ getent group
> [...]
> domain users:x:10000:
> domain admins:x:10001:
> [...]
>
> I save this setting and Windows shows me that the group "Domain Users" is
> permitted on the folder.
>
> Back to Linux, however, getfacl still shows only "Domain Admins".
>
> $ getfacl /srv/samba/myshare/Test/
> # file: Test/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---
>
> Side question: How is it even possible that Windows "remembers" the ACL it
> sets but it's not visible on Linux when using getfacl?
>
> Anyway, hope someone can give me a helpful hint as to what I'm doing wrong.
>
> Viktor
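
Added example, not part of the original thread: a small Python check that shows which ACL store a file or directory on the share carries, which is why Windows and getfacl can disagree. It assumes the NT ACL written by acl_xattr lives in the `security.NTACL` extended attribute and that getfacl reads the `system.posix_acl_*` attributes (names not given in the thread); the function names and the sample list are constructed for illustration.

```python
import os
import sys

# security.NTACL: xattr where Samba's acl_xattr module stores the NT security descriptor.
# system.posix_acl_*: xattrs backing the POSIX ACL that getfacl prints.
NTACL_XATTR = "security.NTACL"
POSIX_ACL_XATTRS = ("system.posix_acl_access", "system.posix_acl_default")


def classify_acl_storage(xattr_names):
    """Say which ACL stores exist, given the xattr names found on one file or directory."""
    names = set(xattr_names)
    has_ntacl = NTACL_XATTR in names
    posix = sorted(n for n in POSIX_ACL_XATTRS if n in names)
    if has_ntacl and posix:
        verdict = "NT ACL xattr and a separate POSIX ACL; getfacl shows only the POSIX one"
    elif has_ntacl:
        verdict = "NT ACL xattr only; getfacl shows plain mode bits"
    elif posix:
        verdict = "POSIX ACL only; no NT ACL stored by acl_xattr"
    else:
        verdict = "no ACL xattrs; plain mode bits only"
    return {"ntacl": has_ntacl, "posix_acl": posix, "verdict": verdict}


def inspect_path(path):
    """List the xattrs on path (Linux only) and classify them; report errors instead of raising."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as exc:  # missing path, or filesystem without xattr support
        return {"path": path, "error": str(exc)}
    return {"path": path, **classify_acl_storage(names)}


# Constructed sample: names one would expect on the thread's Test/ folder, where the
# Windows-side change lands in security.NTACL and the inherited POSIX ACL is left alone.
SAMPLE_TEST_DIR = ["security.NTACL", "system.posix_acl_access", "system.posix_acl_default"]

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("sample:", classify_acl_storage(SAMPLE_TEST_DIR))
    for target in targets:
        print(inspect_path(target))
```

Run it on the Samba server with one or more paths as arguments, for example the folder from the thread; with no arguments it classifies the constructed sample.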