Edouard Guigné
2018-Dec-10 18:40 UTC
[Samba] Fwd: Re: Fwd: Extended acls with AD - problem with default/inherited permissions
Hello Dale,

Setting inherit acls = yes locally on my share "groups", and removing map acl inherit = yes from the global parameters of smb.conf, does not solve my issue.
I still have the ACL "Domain Users" added to new folders/files.

As I wrote in my previous email, the only way I found to stop the ACL "Domain Users" from being added was with:
inherit owner = yes

With some disadvantages for users (not seeing the ownership of a file, etc.)

I do not know where else I can look...

Edouard

-------- Forwarded message --------
Subject: Re: [Samba] Fwd: Extended acls with AD - problem with default/inherited permissions
Date: Mon, 10 Dec 2018 15:29:42 -0300
From: Edouard Guigné <eguigne at pasteur-cayenne.fr>
To: Dale <samba at txschroeder.family>
Cc: samba at lists.samba.org

Hello Dale,

I set map acl inherit = yes in the global parameters of smb.conf
and set inherit owner = yes locally on my share "groups" in smb.conf.

I have followed the wiki
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
It says:
"To configure shares using extended access control lists (ACL), you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes"

Do you mean I should try to add:
inherit acls = yes locally on my share "groups"?

Should I remove map acl inherit = yes from the global parameters of smb.conf?

Edouard

On 10/12/2018 at 14:58, Dale wrote:
> Edouard,
>
> These are the 4 available parameters containing the word "inherit".
>
> inherit acls (S)
> inherit owner (S)
> inherit permissions (S)
> map acl inherit (S)
>
> Would "inherit acls" work for you?
>
> Dale
>
> On 12/10/18 10:56 AM, Edouard Guigné via samba wrote:
>> Hello,
>>
>> To add to my previous mail, the only way I found to stop the ACL
>> "Domain Users" from being added is with:
>>
>> inherit owner = yes
>>
>> This has the advantage of copying exactly the default ACL defined on
>> the parent folder.
>> But it has the disadvantage of not showing which user created a
>> folder/file, nor the ownership.
>>
>> Does something like "inherit group owner = yes" exist?
>> chmod g+s has no effect on my configuration.
>>
>> Best Regards,
>>
>> EdG
>>
>> -------- Forwarded message --------
>> Subject: Extended acls with AD - problem with default/inherited permissions
>> Date: Mon, 10 Dec 2018 10:47:20 -0300
>> From: Edouard Guigné <eguigne at pasteur-cayenne.fr>
>> To: samba at lists.samba.org
>>
>> Hello,
>>
>> I set up a share on a Samba 4.7.1 domain member with an Active
>> Directory controller; this share is used by all domain users.
>>
>> All users from the AD domain have the primary group "Domain Users", and
>> secondary groups to filter access to the folders of the share.
>> I noticed that when a user creates a sub-folder/file inside a "Top
>> folder", the default permissions from the "Top folder" are correctly
>> inherited, but the ACL "Domain Users" is always added.
>>
>> I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about
>> this.
>> So I made a test with "acl_xattr:ignore system acls = yes" in my
>> smb.conf; but it seems to disable extended ACLs on some folders...
>> This is not a solution.
>>
>> I also tried chmod g+s on "Top folders", but the ACL "Domain Users"
>> is still added.
>>
>> I think something is wrong in my smb.conf; below is the result of
>> testparm:
>>
>> # Global parameters
>> [global]
>> client max protocol = SMB3
>> client min protocol = SMB2
>> client signing = required
>> disable spoolss = Yes
>> domain master = No
>> kerberos method = secrets and keytab
>> load printers = No
>> local master = No
>> log file = /var/log/samba/%m.log
>> name resolve order = wins bcast host lmhosts
>> preferred master = No
>> printcap name = /dev/null
>> realm = IPGAD.PASTEUR-CAYENNE.FR
>> security = ADS
>> server signing = required
>> winbind nss info = rfc2307
>> workgroup = IPGAD
>> idmap config ipgad : unix_primary_group = yes
>> idmap config ipgad : unix_nss_info = yes
>> idmap config ipgad : range = 1-14999
>> idmap config ipgad : schema_mode = rfc2307
>> idmap config ipgad : backend = ad
>> idmap config * : range = 15000-99999
>> idmap config * : backend = tdb
>> cups options = raw
>> hosts allow = 127. 10.9.8.
>> hosts deny = 10.9.9.
>> map acl inherit = Yes
>> store dos attributes = Yes
>> use sendfile = Yes
>> vfs objects = acl_xattr
>>
>> [groups]
>> comment = jaguar2
>> path = /var/datashared
>> read only = No
>> valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
>> vfs objects = acl_xattr streams_xattr shadow_copy2
>> shadow:format = daily_%Y.%m.%d-%H.%M.%S
>> shadow:localtime = yes
>> shadow:sort = desc
>> shadow:basedir = /var/datashared
>> shadow:snapdir = /data/datashared/snapshots
>>
>> [homes]
>> browseable = No
>> comment = Home Directories
>> create mask = 0700
>> directory mask = 0700
>> hide files = /~*.tmp/profile/desktop.ini/~$*/
>> path = /home
>> read only = No
>> valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
>>
>> Could you help me to understand/solve the situation?
>>
>> EdG
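The thread turns on which smb.conf parameters actually matter for a share that uses Windows ACLs through vfs_acl_xattr: the wiki's three required settings, the POSIX-only "inherit" parameters Dale lists, and the "inherit owner" and "acl_xattr:ignore system acls" workarounds Edouard tried. The following is an added example (not code from the list thread or from the Samba project) that parses an smb.conf in the way Samba does (parameter names are case- and whitespace-insensitive, share values override [global]) and reports those points for every share that loads acl_xattr. The sample configuration is constructed from the testparm output above, with the "inherit acls = Yes" line the poster tried added to [groups]; the finding messages and severity levels are this example's own.

```python
"""Audit smb.conf shares that use Windows ACLs (vfs_acl_xattr).

Added example, not code from the samba mailing list or the Samba project.
Samba compares parameter names ignoring case and whitespace, and a share-level
value overrides [global]; parse_smb_conf/effective mimic both rules.
"""
import re


def _norm(name: str) -> str:
    """Normalise a parameter name as Samba does ("Map ACL Inherit" == "mapaclinherit")."""
    return re.sub(r"\s+", "", name).lower()


def _is_yes(value) -> bool:
    return value is not None and value.strip().lower() in {"yes", "true", "1"}


def parse_smb_conf(text: str) -> dict:
    """Return {section name (lower-case): {normalised parameter: raw value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")      # split on the first '=' only
        conf[section][_norm(key)] = value.strip()
    return conf


def effective(conf: dict, share: str, param: str):
    """Value of `param` as seen by `share`: share setting, else [global], else None."""
    key = _norm(param)
    return conf.get(share, {}).get(key, conf.get("global", {}).get(key))


def audit_windows_acl_shares(text: str) -> list:
    """Return (share, level, message) findings for every share that loads acl_xattr."""
    conf = parse_smb_conf(text)
    findings = []
    for share in conf:
        if share == "global":
            continue
        vfs = (effective(conf, share, "vfs objects") or "").split()
        if "acl_xattr" not in vfs:
            continue                               # POSIX-ACL share, not audited here
        # Settings the Samba wiki requires for Windows ACL shares.
        for required in ("map acl inherit", "store dos attributes"):
            if not _is_yes(effective(conf, share, required)):
                findings.append((share, "error",
                                 f"'{required} = yes' is required for Windows ACLs"))
        # Parameters that act on POSIX ACLs and do not change NT ACL inheritance.
        for posix_only in ("inherit acls", "inherit permissions"):
            if effective(conf, share, posix_only) is not None:
                findings.append((share, "warning",
                                 f"'{posix_only}' acts on POSIX ACLs; set inheritance "
                                 "from the Windows security dialog instead"))
        if _is_yes(effective(conf, share, "inherit owner")):
            findings.append((share, "info",
                             "'inherit owner = yes' gives new files the parent's owner, "
                             "so the creating user is no longer visible"))
        if _is_yes(effective(conf, share, "acl_xattr:ignore system acls")):
            findings.append((share, "warning",
                             "'acl_xattr:ignore system acls = yes' stops Samba mapping the "
                             "NT ACL onto the POSIX ACL; check existing folders keep their ACL"))
    return findings


# Constructed sample derived from the testparm output in the thread, with the
# 'inherit acls = Yes' line the poster tried added to [groups].
SAMPLE_SMB_CONF = """
# Global parameters
[global]
	realm = IPGAD.PASTEUR-CAYENNE.FR
	security = ADS
	workgroup = IPGAD
	idmap config ipgad : unix_primary_group = yes
	idmap config ipgad : backend = ad
	idmap config * : backend = tdb
	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr

[groups]
	path = /var/datashared
	read only = No
	inherit acls = Yes
	vfs objects = acl_xattr streams_xattr shadow_copy2

[homes]
	path = /home
	read only = No
"""

if __name__ == "__main__":
    for share, level, message in audit_windows_acl_shares(SAMPLE_SMB_CONF):
        print(f"[{share}] {level}: {message}")
```

Run against the sample, the only finding is the warning on [groups] about "inherit acls"; [homes] inherits acl_xattr and the two required settings from [global] and is clean. Feed it the real file (`testparm -s` output works well, since testparm already expands defaults) to check a live server.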
Dale
2018-Dec-10 19:33 UTC
[Samba] Fwd: Re: Fwd: Extended acls with AD - problem with default/inherited permissions
Edouard,

No, that won't work for you. "inherit acls" is intended for POSIX ACLs.

Since you are using Windows ACLs, try setting the permissions/inheritance you want from a Windows system.

Dale

On 12/10/18 12:40 PM, Edouard Guigné wrote:
> Hello Dale,
>
> Setting inherit acls = yes locally on my share "groups", and removing map acl
> inherit = yes from the global parameters of smb.conf, does not solve my issue.
> I still have the ACL "Domain Users" added to new folders/files.
>
> As I wrote in my previous email, the only way I found to stop the ACL
> "Domain Users" from being added was with:
> inherit owner = yes
>
> With some disadvantages for users (not seeing the ownership of a file, etc.)
>
> I do not know where else I can look...
>
> Edouard
Edouard Guigné
2018-Dec-11 15:42 UTC
[Samba] Fwd: Re: Fwd: Extended acls with AD - problem with default/inherited permissions
Hello Dale,

Thank you. I set permissions/inheritance from a Windows system, and now the ACL "Domain Users" is set to --- by default.

With your help, I succeeded in resolving my issue, and furthermore I can now see and correct some errors in the ACLs on the share.

Many thanks,

Edouard

On 10/12/2018 at 16:33, Dale wrote:
> Edouard,
>
> No, that won't work for you. "inherit acls" is intended for POSIX ACLs.
>
> Since you are using Windows ACLs, try setting the
> permissions/inheritance you want from a Windows system.
>
> Dale
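The resolution above is that the inheritable "Domain Users" entry on the top folders was changed from Windows, so new files no longer receive it. A defender will want to confirm that from the server side rather than by creating test files by hand: read the NT ACL back (for example with `samba-tool ntacl get --as-sddl <path>`, which prints the security descriptor in SDDL) and check whether any allow ACE for "Domain Users" (well-known RID 513, or the SDDL alias DU) still carries rights and the OI/CI inheritance flags. The following is an added example, not code from the thread or from the Samba project; it parses the DACL part of an SDDL string and reports such entries. The domain SID and the three SDDL strings are constructed to illustrate the before and after states, and the access-mask names are this example's own table of the usual Windows masks.

```python
"""Check an NT ACL in SDDL form for inheritable 'Domain Users' ACEs.

Added example, not code from the samba list thread or the Samba project.
Input is the SDDL string as printed by `samba-tool ntacl get --as-sddl`.
"""
import re
from dataclasses import dataclass

DOMAIN_USERS_RID = 513          # well-known RID of "Domain Users" in every AD domain

# Usual access masks as Windows and samba-tool present them (hex), named here.
KNOWN_MASKS = {
    0x001F01FF: "Full Control",
    0x001301BF: "Modify",
    0x001200A9: "Read & Execute",
    0x00120089: "Read",
    0x00000116: "Write",
    0x00000000: "None",
}
# Two-letter SDDL rights abbreviations that may appear instead of a hex mask.
RIGHTS_CODES = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
                "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}


@dataclass(frozen=True)
class Ace:
    ace_type: str        # "A" allow, "D" deny, ...
    flags: frozenset     # e.g. {"OI", "CI"} or {"ID"}
    mask: int
    trustee: str         # SID string or SDDL alias such as "DU"

    @property
    def inheritable(self) -> bool:
        """True if this ACE will be copied to new children (object/container inherit)."""
        return bool(self.flags & {"OI", "CI"})

    @property
    def inherited(self) -> bool:
        """True if this ACE was itself inherited from the parent."""
        return "ID" in self.flags


def _parse_rights(rights: str) -> int:
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    total = 0
    for i in range(0, len(rights), 2):           # letter codes come in pairs
        total |= RIGHTS_CODES[rights[i:i + 2]]
    return total


def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the DACL ("D:" part) in order."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj_guid, _inh_guid, trustee = body.split(";")
        flag_set = frozenset(flags[i:i + 2] for i in range(0, len(flags), 2))
        aces.append(Ace(ace_type, flag_set, _parse_rights(rights), trustee))
    return aces


def describe_mask(mask: int) -> str:
    return KNOWN_MASKS.get(mask, f"0x{mask:08x}")


def domain_users_findings(sddl: str, domain_sid: str) -> list:
    """Allow ACEs granting 'Domain Users' any rights, with their inheritance state."""
    du_sid = f"{domain_sid}-{DOMAIN_USERS_RID}"
    out = []
    for ace in parse_dacl(sddl):
        if ace.trustee not in (du_sid, "DU") or ace.ace_type != "A" or ace.mask == 0:
            continue
        out.append({"access": describe_mask(ace.mask),
                    "inheritable": ace.inheritable,
                    "inherited": ace.inherited})
    return out


# Constructed sample descriptors (hypothetical domain SID).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# Top folder before the fix: Domain Users has an inheritable Read & Execute ACE.
BEFORE_FIX = (f"O:{DOMAIN_SID}-1106G:{DOMAIN_SID}-513D:P"
              f"(A;OICI;0x001f01ff;;;{DOMAIN_SID}-512)"
              f"(A;OICI;0x001200a9;;;{DOMAIN_SID}-513)"
              f"(A;OICI;0x001301bf;;;{DOMAIN_SID}-1201)")
# A file created under it before the fix: the same ACE, marked as inherited.
CHILD_BEFORE_FIX = (f"O:{DOMAIN_SID}-1106G:{DOMAIN_SID}-513D:"
                    f"(A;ID;0x001f01ff;;;{DOMAIN_SID}-512)"
                    f"(A;ID;0x001200a9;;;{DOMAIN_SID}-513)")
# Top folder after the Domain Users entry was removed from Windows.
AFTER_FIX = (f"O:{DOMAIN_SID}-1106G:{DOMAIN_SID}-513D:P"
             f"(A;OICI;0x001f01ff;;;{DOMAIN_SID}-512)"
             f"(A;OICI;0x001301bf;;;{DOMAIN_SID}-1201)")

if __name__ == "__main__":
    for label, sddl in (("before", BEFORE_FIX), ("child", CHILD_BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, domain_users_findings(sddl, DOMAIN_SID))
```

An empty result for a top folder means nothing will be inherited by "Domain Users" from there; a hit with `"inheritable": True` on a parent explains the entry the poster kept seeing on new files, and a hit with `"inherited": True` on an existing child shows which files still carry it and need the ACL re-applied from Windows.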