Matthias Leopold
2019-Oct-14 13:53 UTC
[Samba] "ea support = yes" and "map acl inherit = yes"
Hi,

I'm running Samba 4.8 servers with Windows ACL enabled shares (following https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs). This manual demands to set

map acl inherit = yes
store dos attributes = yes

and requires extended attribute support from the share file system. So far, so good. Now I shall upgrade to CentOS 7.7 which brings Samba 4.9 which changes the "ea support" parameter default to "yes". I don't know how this relates to the above parameters.

For "store dos attributes" man smb.conf says "This extended attribute is explicitly hidden from smbd clients requesting an EA list". What about "map acl inherit" and user.SAMBA_PAI? Is it safe to have "ea support = yes" and "map acl inherit = yes"? What are the benefits?

thanks
Matthias

Rowland Penny
2019-Oct-14 14:28 UTC
[Samba] "ea support = yes" and "map acl inherit = yes"
On 14/10/2019 14:53, Matthias Leopold via samba wrote:
> Hi,
>
> I'm running Samba 4.8 servers with Windows ACL enabled shares
> (following
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs).
> This manual demands to set
>
> map acl inherit = yes
> store dos attributes = yes
>
> and requires extended attribute support from the share file system. So
> far, so good. Now I shall upgrade to CentOS 7.7 which brings Samba 4.9
> which changes the "ea support" parameter default to "yes". I don't know how
> this relates to the above parameters.

Not much, it just means that you do not really need to have 'store dos attributes = yes' in smb.conf, but it will not harm anything if it is there.

>
> For "store dos attributes" man smb.conf says "This extended attribute
> is explicitly hidden from smbd clients requesting an EA list". What
> about "map acl inherit" and user.SAMBA_PAI? Is it safe to have "ea
> support = yes" and "map acl inherit = yes"? What are the benefits?

You still need 'map acl inherit' but do not need 'ea support = yes' and the Windows permissions are stored in an EA called 'security.NTACL'. You can read this with:

getfattr -n security.NTACL -d /path/to/share/directory

Rowland
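
Added example (not part of either message and not Samba project code): a small Python check that resolves the effective values of the three parameters discussed in this thread for each share, before and after the 4.8 to 4.9 upgrade. The sample smb.conf is constructed, the share names and paths are hypothetical, and the built-in defaults other than the "ea support" change named in the thread are assumptions taken from the smb.conf man page.

```python
# Built-in defaults per Samba version. "ea support" becoming yes in 4.9 is from
# the thread; the other values are assumptions taken from the smb.conf man page.
DEFAULTS = {
    (4, 8): {"easupport": False, "mapaclinherit": False, "storedosattributes": False},
    (4, 9): {"easupport": True, "mapaclinherit": False, "storedosattributes": True},
}
BOOL = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}

# Constructed sample smb.conf; share names and paths are hypothetical.
SAMPLE = """
[global]
    map acl inherit = yes
    store dos attributes = yes
[data]
    path = /srv/samba/data
[legacy]
    path = /srv/samba/legacy
    EA Support = no
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)       # only the first "=" counts
            current[norm(key)] = value.strip()
    return sections

def effective(sections, share, version):
    # Resolution order: share section, then [global], then built-in default.
    merged = {**sections.get("global", {}), **sections.get(norm(share), {})}
    return {key: BOOL[merged[key].lower()] if key in merged else default
            for key, default in DEFAULTS[version].items()}

def changed_by_upgrade(sections, share, old=(4, 8), new=(4, 9)):
    # Parameters whose effective value differs between the two versions.
    before, after = effective(sections, share, old), effective(sections, share, new)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE)
    for share in ("data", "legacy"):
        print(share, effective(conf, share, (4, 9)), changed_by_upgrade(conf, share))
```

On a real server, "testparm -s" prints the configuration as Samba itself parses it and is the authoritative check.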