Hello,

I'd like to know if, when using acl_xattr to store Windows ACLs in the security.NTACL extended attribute, Samba knows to always set the attribute within the "root" context, or will it attempt to do it in the (domain) user context that's requesting the change?

As I understand it, on Linux only root is allowed to modify extended attributes in the "security" context.

I'm asking because so far, with Samba 4.5.12, I've been unable to modify ACLs from a remote Windows client under any circumstance except when the domain user is mapped to root via "username map".

Thanks,

-- Jerome

Hai,

Tip, think in groups not users when you setup/manage your servers, it will help.

Now,
root = Administrator
user != Administrator

but when you add a user as member of domain admins... because root = "Domain Admins"

Read :
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Don't forget also the "Creator owner" and "Creator Group" settings.
1777, creator owner
2777, creator group
3777, both..

Change the 777's to what you need.
That should help you.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jerome Charaoui via samba
> Sent: Friday 7 December 2018 1:18
> To: samba at lists.samba.org
> Subject: [Samba] acl_xattr and root permissions
>
> Hello,
>
> I'd like to know if, when using acl_xattr to store Windows ACLs in the
> security.NTACL extended attribute, Samba knows to always set the
> attribute within the "root" context, or will it attempt to do
> it in the
> (domain) user context that's requesting the change?
>
> As I understand it, on Linux only root is allowed to modify extended
> attributes in the "security" context.
>
> I'm asking because so far, with Samba 4.5.12, I've been
> unable to modify ACLs from a remote Windows client under any circumstance
> except when the domain user is mapped to root via "username map".
>
> Thanks,
>
> -- Jerome

On Thu, Dec 06, 2018 at 07:17:47PM -0500, Jerome Charaoui via samba wrote:
> Hello,
>
> I'd like to know if, when using acl_xattr to store Windows ACLs in the
> security.NTACL extended attribute, Samba knows to always set the
> attribute within the "root" context, or will it attempt to do it in the
> (domain) user context that's requesting the change?

Yes, smbd will always use the root context to write these attributes.

On 18-12-07 at 03:28, L.P.H. van Belle via samba wrote:
> Hai,
>
> Tip, think in groups not users when you setup/manage your servers, it will help.
>
> Now,
> root = Administrator
> user != Administrator
>
> but when you add a user as member of domain admins... because root = "Domain Admins"
>
> Read :
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Don't forget also the "Creator owner" and "Creator Group" settings.
> 1777, creator owner
> 2777, creator group
> 3777, both..
>
> Change the 777's to what you need.
> That should help you.

Thanks, that certainly helped. By setting these setuid/setgid correctly and attributing the Unix to the domain user, I'm now able to modify ACLs via Windows clients without the username being mapped to root.

-- Jerome
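
A check an administrator could run on the Samba server to see what this thread is about on disk: whether a path carries the security.NTACL attribute, and which POSIX owner and special mode bits (the leading digit in 1777/2777/3777) it has. This is an added example, not code from any participant or from Samba; it is Linux-only, and the function names are hypothetical.

```python
import errno
import os
import stat
import sys

NTACL_XATTR = "security.NTACL"  # attribute name as given in the thread


def special_bits(mode):
    """Return the POSIX names of the special bits set in a mode value."""
    names = []
    if mode & stat.S_ISUID:   # 4000
        names.append("setuid")
    if mode & stat.S_ISGID:   # 2000
        names.append("setgid")
    if mode & stat.S_ISVTX:   # 1000
        names.append("sticky")
    return names


def ntacl_state(path):
    """Return ('present', size), ('absent', 0) or ('unreadable', errno)."""
    try:
        return ("present", len(os.getxattr(path, NTACL_XATTR)))
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return ("absent", 0)          # xattrs work, attribute never written
        return ("unreadable", exc.errno)  # e.g. ENOTSUP: no xattr support here


def audit(path):
    """Collect owner, mode, special bits and NTACL state for one path."""
    st = os.stat(path)
    state, detail = ntacl_state(path)
    return {
        "path": path,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "special": special_bits(st.st_mode),
        "ntacl": state,
        "ntacl_detail": detail,
    }


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(audit(target))
```

A path that reports `absent` after an ACL change made from a Windows client points at the share configuration or the filesystem mount rather than at the user's Unix permissions.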