Rowland penny
2021-Feb-26 10:28 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 26/02/2021 09:41, Roy Eastwood via samba wrote:> @Rowland I think the OP's problems stem from the fact that both POSIX ACLs and Windows ACLs are in play.On the wikipage: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs It says this: Do not set ANY additional share parameters, such as force user or valid users. Adding them to the share definition can prevent you from configuring or using the share. However, there isn't anything on the POSIX wikipage: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs> I have scanned the WiKi and can find no reference to adding the line: > acl_xattr:ignore system acl = yes > to either the share share definition or the global section of smb.conf when using Windows ACLs.Using that setting only really makes sense if you are using Windows ACL's, because you want to use the system acl's if using setfacl. Whichever method you use, Windows or POSIX ACL's, you should not mix them. Either set the permissions from Windows or on the Samba server using setfacl. Rowland> Is it worth making this clear by adding it to the https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > page? > > Roy
Roy Eastwood
2021-Feb-26 12:55 UTC
[Samba] Any drawback in changing primary group of domain users ?
On 26 February 2021 10:28 Rowland penny wrote:> On 26/02/2021 09:41, Roy Eastwood via samba wrote: > > @Rowland I think the OP's problems stem from the fact that both POSIX ACLs > and Windows ACLs are in play. > > > On the wikipage: > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > It says this: > > Do not set ANY additional share parameters, such as force user or valid > users. Adding them to the share definition can prevent you from > configuring or using the share. > > However, there isn't anything on the POSIX wikipage: > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs > > > I have scanned the WiKi and can find no reference to adding the line: > > acl_xattr:ignore system acl = yes > > to either the share share definition or the global section of smb.conf when > using Windows ACLs. > > > Using that setting only really makes sense if you are using Windows > ACL's, because you want to use the system acl's if using setfacl. > Whichever method you use, Windows or POSIX ACL's, you should not mix > them. Either set the permissions from Windows or on the Samba server > using setfacl. > > RowlandThanks Rowland. I have obviously misunderstood the effect of "acl_xattr:ignore system acl = yes" in smb.conf. The reason that I have added it to my smb.conf is that when the home folder path is added to ADUC, the user's home folder is automatically created like this as seen from linux: drwxrwx---+ 1 roy domain users 0 Feb 26 12:38 test1 So I thought that other domain users would be able to access test1's folder. But I have now done some more tests and find that other domain users have permission denied if they try to access the folder irrespective of whether the above entry is in smb.conf or not. So what does this parameter do? Ignore any settings made with setfacl? Seems to ignore the standard 'unix' permisssions by default. Regards, Roy