Dale
2018-Dec-10 17:58 UTC
[Samba] Fwd: Extended acls with AD - problem with default/herited permissions
Edouard,

These are the 4 available parameters containing the word "inherit".

inherit acls (S)
inherit owner (S)
inherit permissions (S)
map acl inherit (S)

Would "inherit acls" work for you?

Dale

On 12/10/18 10:56 AM, Edouard Guigné via samba wrote:
> Hello,
>
> To add to my previous mail, the only way I found to prevent the ACL "Domain Users" from being added is with:
>
> inherit owner = yes
>
> This has the advantage of copying exactly the default ACL defined on the parent folder.
> But it has the disadvantage of not showing which user created a folder/file, i.e. the ownership.
>
> Does something like "inherit group owner = yes" exist?
> chmod g+s has no effect on my configuration.
>
> Best Regards,
>
> EdG
>
> -------- Forwarded message --------
> Subject: Extended acls with AD - problem with default/herited permissions
> Date: Mon, 10 Dec 2018 10:47:20 -0300
> From: Edouard Guigné <eguigne at pasteur-cayenne.fr>
> To: samba at lists.samba.org
>
> Hello,
>
> I set up a share on Samba 4.7.1 as a domain member with an Active Directory domain controller; this share is used by all domain users.
>
> All users from the AD domain have the primary group "Domain Users", and secondary groups to filter access to the folders of the share.
> I noticed that when a user creates a sub-folder/file inside a "Top folder", the default permissions from the "Top folder" are correctly inherited, but the ACL "Domain Users" is always added.
>
> I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about this.
> So I made a test with "acl_xattr:ignore system acls = yes" in my smb.conf, but it seems to disable extended ACLs on some folders...
> This is not a solution.
>
> I also tried chmod g+s on the "Top folders", but the other ACL "Domain Users" is still added.
>
> I think something is wrong in my smb.conf; below is the output of testparm:
>
> # Global parameters
> [global]
> client max protocol = SMB3
> client min protocol = SMB2
> client signing = required
> disable spoolss = Yes
> domain master = No
> kerberos method = secrets and keytab
> load printers = No
> local master = No
> log file = /var/log/samba/%m.log
> name resolve order = wins bcast host lmhosts
> preferred master = No
> printcap name = /dev/null
> realm = IPGAD.PASTEUR-CAYENNE.FR
> security = ADS
> server signing = required
> winbind nss info = rfc2307
> workgroup = IPGAD
> idmap config ipgad : unix_primary_group = yes
> idmap config ipgad : unix_nss_info = yes
> idmap config ipgad : range = 1-14999
> idmap config ipgad : schema_mode = rfc2307
> idmap config ipgad : backend = ad
> idmap config * : range = 15000-99999
> idmap config * : backend = tdb
> cups options = raw
> hosts allow = 127. 10.9.8.
> hosts deny = 10.9.9.
> map acl inherit = Yes
> store dos attributes = Yes
> use sendfile = Yes
> vfs objects = acl_xattr
>
>
> [groups]
> comment = jaguar2
> path = /var/datashared
> read only = No
> valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
> vfs objects = acl_xattr streams_xattr shadow_copy2
> shadow:format = daily_%Y.%m.%d-%H.%M.%S
> shadow:localtime = yes
> shadow:sort = desc
> shadow:basedir = /var/datashared
> shadow:snapdir = /data/datashared/snapshots
>
>
> [homes]
> browseable = No
> comment = Home Directories
> create mask = 0700
> directory mask = 0700
> hide files = /~*.tmp/profile/desktop.ini/~$*/
> path = /home
> read only = No
> valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
>
> Could you help me understand/solve the situation?
>
> EdG
Edouard Guigné
2018-Dec-10 18:29 UTC
[Samba] Fwd: Extended acls with AD - problem with default/herited permissions
Hello Dale,

I set map acl inherit = yes in the global parameters of smb.conf and set inherit owner = yes locally in my share "groups" in smb.conf.
I have followed the wiki https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
It says:
"To configure shares using extended access control lists (ACL), you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes"

Do you mean I should try to add:
inherit acls = yes
locally to my share "groups"?
Should I remove map acl inherit = yes from the global parameters of smb.conf?

Edouard
Edouard Guigné
2018-Dec-10 18:40 UTC
[Samba] Fwd: Re: Fwd: Extended acls with AD - problem with default/herited permissions
Hello Dale,

Setting inherit acls = yes locally in my share "groups", and removing map acl inherit = yes from the global parameters of smb.conf, does not solve my issue.
I still have the ACL "Domain Users" added to new folders/files.

As I wrote in my previous email, the only way I found to prevent the ACL "Domain Users" from being added was with:
inherit owner = yes
with some disadvantages for users (not seeing the ownership of a file, etc.)

I do not know where else to look...

Edouard
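The thread leaves the unexpected "Domain Users" entry unresolved, so one thing an administrator can do is measure it: as an added example (not from the thread and not Samba's own code), this Python script parses `getfacl -p -R` output for a share tree and reports child paths that grant a group their parent's default ACL would not. The paths, group names and getfacl text below are constructed, and the script assumes a parent's unnamed `default:group::` entry is meant to resolve to the parent's own owning group, as setgid inheritance would keep it.

```python
import os

# Constructed `getfacl -p` output (not from the thread): a top folder whose default ACL
# grants project-a, and a child whose owning group became the creator's primary group.
SAMPLE_GETFACL = """\
# file: /var/datashared/Top
# group: project-a
user::rwx
group::rwx
group:project-a:rwx
default:user::rwx
default:group::rwx
default:group:project-a:rwx

# file: /var/datashared/Top/sub
# group: domain users
user::rwx
group::rwx
group:project-a:rwx
"""

def parse_getfacl(text):
    """Parse into {path: {"group": owning group, "access": {(tag, qual)}, "default": {(tag, qual)}}}."""
    acls, cur = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("# file:"):
            cur = acls[line.split(":", 1)[1].strip()] = {"group": "", "access": set(), "default": set()}
        elif line.startswith("# group:"):
            cur["group"] = line.split(":", 1)[1].strip()
        elif not line.startswith("#"):  # '# owner:' and '# flags:' lines carry nothing we need
            kind, body = ("default", line[8:]) if line.startswith("default:") else ("access", line)
            tag, qual, _perm = body.split("#")[0].split(":", 2)  # drop '#effective:' annotations
            cur[kind].add((tag, qual))
    return acls

def group_principals(acl, kind):
    """Groups an ACL grants; the unnamed group:: entry means the owning group (assumed to be the parent's own for a default ACL)."""
    return {qual or acl["group"] for tag, qual in acl[kind] if tag == "group"}

def unexpected_groups(acls):
    """Child paths whose access ACL grants a group the parent's default ACL would not."""
    findings = {}
    for path, acl in acls.items():
        parent = acls.get(os.path.dirname(path))
        if parent is None:
            continue  # top of the audited tree: nothing to inherit from
        extra = group_principals(acl, "access") - group_principals(parent, "default")
        if extra:
            findings[path] = extra
    return findings
```

On a real server, feed it the output of `getfacl -p -R /var/datashared` and each reported path is one where a group outside the parent's default ACL (here "domain users") gained access.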