Hello Rowland,

On 28/02/2022 at 18:01, Rowland Penny via samba wrote:
> Do you actually have that line as above ?
> If so, it is wrong, it is missing an 's', it's 'acls', not 'acl'
>
> If you use that line (well, the correct one), the system acls (ugo)
> will be ignored (never altered), that is why you do not get the '+' on
> the end when you set the permissions from Windows, they are being
> stored in an EA.

I did more tests, and:

If I put acl_xattr:ignore system acls = yes in my share, it "fails", the "+" isn't here and my Windows ACL is not applied.

But if I comment this line and then my share is only:

[TEST]
# acl_xattr:ignore system acl = yes
path = /srv/samba/TEST/
read only = no

Then all works fine, the "+" is back and I can config ACL with total success.

I follow the wiki.

My test lab:
Win10 21H2
Windows server 2012R2
Domain member: debian11 / 4.14.12 (Louis)

Cheers,
--
Manu
On Mon, 2022-02-28 at 19:08 +0000, Manu Baylac via samba wrote:
> Hello Rowland,
>
> I did more tests, and :
>
> If I put acl_xattr:ignore system acls = yes in my share, it "fails",
> the "+" isn't here and my Windows ACL not applied.

Your Windows ACL is being applied, just not where you think it is. If you read the line, it tells you what it will do, it will ignore the system acls.

Samba will potentially store permissions in three places:

The normal Unix acl (ugo)
An extended ACL set by 'setfacl' and shown by 'getfacl' (this is where the '+' comes from)
Windows ACLs stored in an Extended attribute (aka EA)

If you do not set 'acl_xattr:ignore system acls = yes' a best effort will be done to map the windows ACLs to the Unix acls, this is where ugo and setfacl come in. If you do set it, the mapping will not be done.

> But if I comment this line and then my share is only :
>
> [TEST]
> # acl_xattr:ignore system acl = yes

That is not a valid line, so it will not be used, even if you uncomment it.

> path = /srv/samba/TEST/
> read only = no
>
> Then all works fine, the "+" is back and I can config ACL with total
> success.

Yes, but why are you adding that line (even if it is wrong) if you want to use setfacl ?

Rowland
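To make the three storage places Rowland lists checkable from the Linux side, here is an added example (mine, not code from the thread or from the Samba project). It reports, for a path on the file server, whether the permissions live only in the ugo mode bits, in an extended POSIX ACL (the one getfacl shows and that adds the '+' in ls -l), in the Windows ACL that vfs acl_xattr keeps in an extended attribute, or in both. It assumes two extended-attribute names: system.posix_acl_access, which is how Linux exposes an extended POSIX ACL, and security.NTACL, the EA in which Samba's acl_xattr module stores the Windows ACL. With 'acl_xattr:ignore system acls = yes' you should expect to see security.NTACL without system.posix_acl_access, which is exactly the "no '+'" situation described above.

```python
#!/usr/bin/env python3
"""Added example (not from the Samba thread or the Samba project): report in
which of the three places named in the thread a path's permissions live.
Usage:  python3 where_acl.py /srv/samba/TEST/somefile [...]
Without arguments it inspects a freshly created temporary file.
"""
import errno
import os
import stat
import sys
import tempfile

# Extended-attribute names assumed for this example:
# - Linux exposes a file's extended POSIX ACL (what getfacl prints and what
#   puts the '+' after the mode in `ls -l`) as this xattr.
POSIX_ACL_XATTR = "system.posix_acl_access"
# - Samba's vfs acl_xattr module keeps the Windows ACL in this security.* EA.
NTACL_XATTR = "security.NTACL"


def list_xattrs(path):
    """Extended-attribute names on path; [] where the filesystem has or supports none."""
    if not hasattr(os, "listxattr"):          # non-Linux/Unix build of Python
        return []
    try:
        return list(os.listxattr(path, follow_symlinks=False))
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP, errno.ENODATA):
            return []
        raise


def classify(xattr_names):
    """Map a set of xattr names to the storage places described in the thread."""
    names = set(xattr_names)
    posix = POSIX_ACL_XATTR in names
    nt = NTACL_XATTR in names
    if nt and posix:
        # default acl_xattr behaviour: EA plus best-effort mapping, '+' visible
        return "windows-acl-in-ea+posix-acl"
    if nt:
        # 'acl_xattr:ignore system acls = yes': only the EA, no '+', Unix sees ugo only
        return "windows-acl-in-ea-only"
    if posix:
        # ACL set locally with setfacl, nothing stored by Samba
        return "posix-acl-only"
    return "ugo-only"


def inspect_path(path):
    """Mode bits plus which ACL stores are present for one path."""
    st = os.lstat(path)
    names = list_xattrs(path)
    return {
        "mode": format(stat.S_IMODE(st.st_mode), "o"),
        "posix_acl": POSIX_ACL_XATTR in names,   # True exactly when ls -l shows '+'
        "nt_acl": NTACL_XATTR in names,
        "storage": classify(names),
    }


def inspect_fresh_tmpfile(mode=0o640):
    """Self-check on a constructed file: a freshly created file carries neither ACL."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return inspect_path(path)
    finally:
        os.unlink(path)


def format_line(path, info):
    plus = "+" if info["posix_acl"] else " "
    return f"{info['mode']}{plus} nt_acl={str(info['nt_acl']):5} {info['storage']:30} {path}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(format_line(p, inspect_path(p)))
    else:
        print(format_line("<constructed temp file>", inspect_fresh_tmpfile()))
```

Run it as root (or as the file owner) directly on the server against a file whose permissions were just set from Windows: "windows-acl-in-ea-only" confirms the EA is populated and the Unix mapping was deliberately skipped, while "ugo-only" on such a file would mean acl_xattr did not store anything at all.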
I am not sure how mailing lists work when it comes to replying. Hope this does not mess anything up.

Thank you for replying. Extra special thanks to my very good friend "Manu Baylac" for the "me too" post.

The proposed solution worked!

At the end of this message is the smb.conf that does NOT work. There is a lot of stuff in there due to a copy and paste from a working 4.14 prod server. The commented out lines were always commented out (just ignore them). HOWEVER, to get it to work I just commented out "acl_xattr:ignore system acls = yes" and it started working. I think I had to restart the services rather than a reload command, but maybe not.

I should add "work" means for the first time I saw the "+". I have not tested subfolders etc. "Not work" meant no matter what I did in computer manager, that looked like it was working, there was no "+" and no users could get access.

[global]
security = ADS
workgroup = XX.com
realm = XX.com
log file = /var/log/samba/%m.log
log level = 4
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
min domain uid = 0
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config XX : backend = rid
idmap config XX : range = 10000-5999999
#winbind refresh tickets = yes
template shell = /bin/false
template homedir = /home/%U
username map = /usr/local/samba/etc/user.map
full_audit:prefix = %u|%I|%m|%S
full_audit:success = open close read write create_file renameat unlinkat pwrite_send pwrite_recv
full_audit:failure = connect
full_audit:facility = local5
full_audit:priority = NOTICE
map to guest = never
restrict anonymous = 2
map to guest = never
restrict anonymous = 2
vfs objects = acl_xattr
map acl inherit = yes
#server signing = mandatory
#hello sexy
#server min protocol = SMB3_11
#server smb encrypt = required
#server smb3 encryption algorithms = AES-128-GCM

[demo]
path = /export/demo/
read only = no
acl_xattr:ignore system acls = yes

On Mon, Feb 28, 2022 at 7:27 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 2022-02-28 at 19:08 +0000, Manu Baylac via samba wrote:
> > Hello Rowland,
> >
> > I did more tests, and :
> >
> > If I put acl_xattr:ignore system acls = yes in my share, it "fails",
> > the "+" isn't here and my Windows ACL not applied.
>
> Your Windows ACL is being applied, just not where you think it is. If
> you read the line, it tells you what it will do, it will ignore the
> system acls.
>
> Samba will potentially store permissions in three places:
>
> The normal Unix acl (ugo)
> An extended ACL set by 'setfacl' and shown by 'getfacl' (this is where
> the '+' comes from)
> Windows ACLs stored in an Extended attribute (aka EA)
>
> If you do not set 'acl_xattr:ignore system acls = yes' a best effort
> will be done to map the windows ACLs to the Unix acls, this where ugo
> and setfacl come in. If you do set it, the mapping will not be done.
>
> > But if I comment this line and then my share is only :
> >
> > [TEST]
> > # acl_xattr:ignore system acl = yes
>
> That is not a valid line, so it will not be used, even if you uncomment
> it.
>
> > path = /srv/samba/TEST/
> > read only = no
> >
> > Then all works fine, the "+" is back and I can config ACL with total
> > success.
>
> Yes, but why are you adding that line (even if it is wrong) if want to
> use setfacl ?
>
> Rowland
Hello Rowland,

Thanks for your reply.

On 28/02/2022 at 20:26, Rowland Penny via samba wrote:
> Your Windows ACL is being applied, just not where you think it is. If
> you read the line, it tells you what it will do, it will ignore the
> system acls.
>
> Samba will potentially store permissions in three places:
>
> The normal Unix acl (ugo)
> An extended ACL set by 'setfacl' and shown by 'getfacl' (this is where
> the '+' comes from)
> Windows ACLs stored in an Extended attribute (aka EA)
>
> If you do not set 'acl_xattr:ignore system acls = yes' a best effort
> will be done to map the windows ACLs to the Unix acls, this where ugo
> and setfacl come in. If you do set it, the mapping will not be done.

Yes, I read the man page, but it isn't clear for me, see below.

>>
>> But if I comment this line and then my share is only :
>>
>> [TEST]
>> # acl_xattr:ignore system acl = yes
>
> That is not a valid line, so it will not be used, even if you uncomment
> it.

Sorry, typo, yes I have set "acls".

> Yes, but why are you adding that line (even if it is wrong) if want to
> use setfacl ?

I don't want to use setfacl, I want to use Windows ACL and configure them from a Windows computer.

But when I read the wiki page, it says "Samba stores the file system permissions in extended file system access control lists (ACL) and in an extended attribute", so I thought I would expect a "+" on the share. I read again the wiki page but it isn't clear for me.

I did more tests, and like John said in his second mail, if I just put:

[TEST]
# acl_xattr:ignore system acls = yes
path = /srv/samba/TEST/
read only = no

All works fine.

If I uncomment the normally expected acl_xattr line, then it fails: a user who has permissions can't even browse the share.

Well, I'm lost :-(

--
Manu