My previous email on this topic got no answer, so I'll try to explain myself better.

The problem.

Simply, I was (ab)used, in my previous Samba NT-mode domains, to having files created with the group owner set to the UNIX primary group; now, in AD, files get created group-owned by the Windows primary group, e.g. 'Domain Users'. This simply 'breaks' most of my ACL setup.

I've read:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

but still many things do not 'match' my experience.

First, it seems to me that there's no 'black or white' thing (e.g. POSIX or Windows ACLs) but there's still some 'gray zone' where things are different. For example, in my main share I have (coming directly from the NT setup):

[Media]
comment = Contenuti Multimediali
map acl inherit = Yes
path = /srv/media
read only = No
store dos attributes = Yes
vfs objects = acl_xattr
volume = Media

so my setup seems to be 'Windows ACLs', but I still have 'CREATOR OWNER' and 'CREATOR GROUP'.

Second, closely related to the first, it seems to me that the real difference between 'POSIX' and 'Windows' ACLs is not only the 'acl_xattr' module, but also how ACLs are synthesized, e.g. 'acl_xattr:default acl style' and/or 'acl_xattr:ignore system acls'.

So, as far as I've understood, at least three options exist:

a) POSIX-only, e.g. vfs object 'acl_xattr' NOT loaded.

b) Windows-only, e.g.:
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows

c) 'gray zone': Samba (tries to) synthesize Windows ACLs into POSIX ACLs, as a best effort: vfs object 'acl_xattr' loaded, but default ACL style set to posix.

So, coming back to my 'problem' (i.e. preventing new files/folders from being created group-owned by 'Domain Users'), it seems to me I have only two ways to solve that:

1) switch to Windows-only ACLs, so I don't have 'CREATOR GROUP'; I also have some Linux workstations, and I'm a bit 'scared' of this...

2) set the 'SGID' bit on the directory, so files get created 'parent-dir owned' and not 'primary-group owned'.

Am I totally wrong? Thanks.

--
dott. Marco Gaiarin                                   GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''         http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On 05/02/2020 11:39, Marco Gaiarin via samba wrote:
> My previous email on this topic got no answer, so I'll try to explain myself
> better.
>
>
> The problem.
>
> Simply, I was (ab)used, in my previous Samba NT-mode domains, to having
> files created with the group owner set to the UNIX primary group; now, in
> AD, files get created group-owned by the Windows primary group, e.g. 'Domain
> Users'.
> This simply 'breaks' most of my ACL setup.
>
>
> I've read:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> but still many things do not 'match' my experience.
>
>
> First, it seems to me that there's no 'black or white' thing (e.g. POSIX
> or Windows ACLs) but there's still some 'gray zone' where things are
> different. For example, in my main share I have (coming directly from the
> NT setup):
>
> [Media]
> comment = Contenuti Multimediali
> map acl inherit = Yes
> path = /srv/media
> read only = No
> store dos attributes = Yes
> vfs objects = acl_xattr
> volume = Media
>
> so my setup seems to be 'Windows ACLs', but I still have 'CREATOR OWNER' and
> 'CREATOR GROUP'.
>
>
> Second, closely related to the first, it seems to me that the real
> difference between 'POSIX' and 'Windows' ACLs is not only the 'acl_xattr'
> module, but also how ACLs are synthesized, e.g. 'acl_xattr:default acl
> style' and/or 'acl_xattr:ignore system acls'.
>
>
> So, as far as I've understood, at least three options exist:
>
> a) POSIX-only, e.g. vfs object 'acl_xattr' NOT loaded.
>
> b) Windows-only, e.g.:
> vfs objects = acl_xattr
> acl_xattr:ignore system acls = yes
> acl_xattr:default acl style = windows
>
> c) 'gray zone': Samba (tries to) synthesize Windows ACLs into POSIX ACLs, as
> a best effort: vfs object 'acl_xattr' loaded, but default ACL style set
> to posix.
>
>
> So, coming back to my 'problem' (i.e. preventing new files/folders from being
> created group-owned by 'Domain Users'), it seems to me I have only two ways to
> solve that:
>
> 1) switch to Windows-only ACLs, so I don't have 'CREATOR GROUP'; I also have
> some Linux workstations, and I'm a bit 'scared' of this...
>
> 2) set the 'SGID' bit on the directory, so files get created 'parent-dir owned'
> and not 'primary-group owned'.
>
>
> Am I totally wrong? Thanks.
>

Do you have ANY Windows clients?

If the answer is yes, then you need to follow the 'Setting up a share using Windows ACLs' page and make your Linux clients work with this.
If the answer is no, then you can follow the POSIX ACLs page.
Do not try to mix the two.

Rowland
> 2) set the 'SGID' bit on the directory, so files get created 'parent-dir owned'
> and not 'primary-group owned'.

I did some more tests on this.

If 'vfs objects = acl_xattr' is set on the share, 'sgid' seems to be ignored; folders still get created with the Windows primary group ('domain users').

If I remove it and add:

map acl inherit = yes
inherit permissions = yes

there's no need to set the SGID bit; files get created with the correct permissions (base and ACL of the parent dir) and with the correct owner (UNIX primary group).

--
dott. Marco Gaiarin
On 05/02/2020 12:02, Marco Gaiarin via samba wrote:
>> 2) set the 'SGID' bit on the directory, so files get created 'parent-dir owned'
>> and not 'primary-group owned'.
>
> I did some more tests on this.
>
> If 'vfs objects = acl_xattr' is set on the share, 'sgid' seems to be ignored;
> folders still get created with the Windows primary group ('domain users').
>
>
> If I remove it and add:
>
> map acl inherit = yes
> inherit permissions = yes
>
> there's no need to set the SGID bit; files get created with the correct
> permissions (base and ACL of the parent dir) and with the correct owner
> (UNIX primary group).
>

I will ask this in a way that can only be answered with one word, 'yes' or 'no':

Do you have ANY Windows clients?

Rowland
Hello! Rowland Penny via samba, on that day, wrote...

> Do you have ANY Windows clients?

Sure! Most of my clients are Windows.

> If the answer is yes, then you need to follow the 'Setting up a share using
> Windows ACLs' page and make your Linux clients work with this.
> If the answer is no, then you can follow the POSIX ACLs page.
> Do not try to mix the two.

Rowland, I'm simply trying to understand, or better, trying to match my experience with Samba in NT mode to AD mode.

In these years it seems I've stuck with 'POSIX ACLs', building policies and scripts around them to manage ACLs, so probably it is better to keep at it (for me, of course). And my Windows clients work happily!

Also, from the tests I've done, 'Windows ACLs' work as depicted on the wiki page if and only if you also set:

acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows

FYI.

--
dott. Marco Gaiarin
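Added example, not part of this thread and not Samba's own code: a small smb.conf audit script that classifies each share into the three modes Marco lists (a: POSIX-only without acl_xattr; b: Windows-only with acl_xattr plus 'ignore system acls = yes' and 'default acl style = windows'; c: the 'gray zone' with acl_xattr loaded but without both of those settings), so the mixed configuration Rowland says not to use can be spotted before a share goes into production. The sample smb.conf text, the share names 'WinOnly' and 'PosixOnly', and their paths are constructed for the example; the '[Media]' share is copied from the thread. The classification encodes the thread's own reading of these options, not an authoritative statement of Samba's semantics.

```python
"""Audit smb.conf shares for mixed POSIX/Windows ACL configuration (added example)."""
import configparser
import re

# Constructed sample smb.conf: [Media] is the share from the thread,
# the other two are made up to show the other two modes.
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE

[Media]
comment = Contenuti Multimediali
map acl inherit = Yes
path = /srv/media
read only = No
store dos attributes = Yes
vfs objects = acl_xattr
volume = Media

[WinOnly]
path = /srv/winonly
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows

[PosixOnly]
path = /srv/posix
map acl inherit = yes
inherit permissions = yes
"""

# Advice strings keyed by mode, following the thread's a/b/c breakdown.
ADVICE = {
    "posix": "POSIX ACLs only (acl_xattr not loaded): SGID / 'inherit permissions' govern group ownership",
    "windows": "Windows ACLs only (acl_xattr + ignore system acls + default acl style = windows)",
    "mixed": "GRAY ZONE: acl_xattr loaded but system ACLs still mapped; do not mix, pick one mode",
}


def _normalise_key(key):
    # Samba parameter names are case-insensitive and whitespace-insensitive.
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for an smb.conf string."""
    # Only '=' may separate key and value: keys such as
    # 'acl_xattr:ignore system acls' contain ':' which configparser
    # would otherwise treat as a delimiter.
    parser = configparser.ConfigParser(
        delimiters=("=",), strict=False, interpolation=None
    )
    parser.optionxform = _normalise_key
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def classify_share(params):
    """Classify one share's parameters as 'posix', 'windows' or 'mixed'."""
    vfs = params.get("vfs objects", "").lower().split()
    if "acl_xattr" not in vfs:
        return "posix"
    ignore_sys = _truthy(params.get("acl_xattr:ignore system acls", "no"))
    style = params.get("acl_xattr:default acl style", "posix").strip().lower()
    if ignore_sys and style == "windows":
        return "windows"
    return "mixed"


def audit(text):
    """Classify every non-global share in an smb.conf string."""
    shares = parse_smb_conf(text)
    return {
        name: classify_share(params)
        for name, params in shares.items()
        if name.lower() != "global"
    }


def report(text):
    """Human-readable audit lines, one per share."""
    return [f"[{name}] {mode}: {ADVICE[mode]}" for name, mode in audit(text).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_SMB_CONF):
        print(line)
```

Run against a real smb.conf with `audit(open("/etc/samba/smb.conf").read())`; any share reported as 'mixed' has acl_xattr loaded without the two acl_xattr options the thread identifies as necessary for Windows-ACL mode, which is exactly the configuration that left 'CREATOR GROUP' in play on the [Media] share.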