Hello Rowland,

Thanks for your reply.

On 28/02/2022 at 20:26, Rowland Penny via samba wrote:
> Your Windows ACL is being applied, just not where you think it is. If
> you read the line, it tells you what it will do, it will ignore the
> system acls.
>
> Samba will potentially store permissions in three places:
>
> The normal Unix acl (ugo)
> An extended ACL set by 'setfacl' and shown by 'getfacl' (this is where
> the '+' comes from)
> Windows ACLs stored in an Extended attribute (aka EA)
>
> If you do not set 'acl_xattr:ignore system acls = yes' a best effort
> will be done to map the windows ACLs to the Unix acls, this is where ugo
> and setfacl come in. If you do set it, the mapping will not be done.

Yes I read the man page, but it isn't clear for me, see below.

>> But if I comment this line and then my share is only :
>>
>> [TEST]
>> # acl_xattr:ignore system acl = yes
>
> That is not a valid line, so it will not be used, even if you uncomment
> it.

Sorry, typo, yes I have set "acls".

> Yes, but why are you adding that line (even if it is wrong) if you want to
> use setfacl ?

I don't want to use setfacl, I want to use Windows ACLs and configure them from a Windows computer.
But when I read the wiki page, it says "Samba stores the file system permissions in extended file system access control lists (ACL) and in an extended attribute", so I thought I would expect a "+" on the share.

I read the wiki page again but it isn't clear for me.

I did more tests, and like John said in his second mail, if I just put:

[TEST]
# acl_xattr:ignore system acls = yes
path = /srv/samba/TEST/
read only = no

All works fine.

If I uncomment the normally expected acl_xattr line, then it fails: a user who has permissions can't even browse the share.

Well, I'm lost :-(

--
Manu
On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> Hello Rowland,
>
> Thanks for your reply.
>
> On 28/02/2022 at 20:26, Rowland Penny via samba wrote:
> > Your Windows ACL is being applied, just not where you think it is. If
> > you read the line, it tells you what it will do, it will ignore the
> > system acls.
> >
> > Samba will potentially store permissions in three places:
> >
> > The normal Unix acl (ugo)
> > An extended ACL set by 'setfacl' and shown by 'getfacl' (this is where
> > the '+' comes from)
> > Windows ACLs stored in an Extended attribute (aka EA)
> >
> > If you do not set 'acl_xattr:ignore system acls = yes' a best effort
> > will be done to map the windows ACLs to the Unix acls, this is where ugo
> > and setfacl come in. If you do set it, the mapping will not be done.
>
> Yes I read the man page, but it isn't clear for me, see below.
>
> > > But if I comment this line and then my share is only :
> > >
> > > [TEST]
> > > # acl_xattr:ignore system acl = yes
> >
> > That is not a valid line, so it will not be used, even if you uncomment
> > it.
>
> Sorry, typo, yes I have set "acls".
>
> > Yes, but why are you adding that line (even if it is wrong) if you want to
> > use setfacl ?
>
> I don't want to use setfacl, I want to use Windows ACLs and configure
> them from a Windows computer.
> But when I read the wiki page, it says
> "Samba stores the file system permissions in extended file system access
> control lists (ACL) and in an extended attribute", so I thought I would
> expect a "+" on the share.
>
> I read the wiki page again but it isn't clear for me.
>
> I did more tests, and like John said in his second mail, if I just put:
>
> [TEST]
> # acl_xattr:ignore system acls = yes
> path = /srv/samba/TEST/
> read only = no
>
> All works fine.
>
> If I uncomment the normally expected acl_xattr line, then it fails: a
> user who has permissions can't even browse the share.
> > Well, I'm lost :-(

Have you tried retracing your steps, to get back to where you started from ? :-D :-D

OK, your OS has to know your users and they have to have permission to access/read/write on a share. Normally when you create a share directory it will get permissions like:

drwxr-xr-x 2 root root

From this, you can see that only 'root' can write to the share directory. If you go to Windows and set permissions on the share directory, you should be able to, but if you have set 'acl_xattr:ignore system acls = Yes', your users will still not be able to write to the share (and as it has been pointed out, this will be shown by not having a '+' sign at the end of the permissions). Without that line, Samba will alter the Unix acls and set NT ACLs and your users will get the permissions you want them to have.

Rowland
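As an added illustration of the two points made above (the misspelled parameter name that Samba ignores, and what 'acl_xattr:ignore system acls = yes' does to the Unix-side permissions), here is a small checker that is not part of Samba or of this thread. It parses smb.conf-style share sections, skips commented lines, and reports what the thread says to expect for each share; the [TYPO] and [STRICT] shares in the sample are constructed, only [TEST] comes from the thread.

```python
import re

VALID = "acl_xattr:ignore system acls"
MISSPELLED = "acl_xattr:ignore system acl"   # missing 's': not a valid parameter

# Constructed smb.conf excerpt: [TEST] is the share from the thread,
# [TYPO] and [STRICT] are added here to show the other two cases.
SAMPLE = """[TEST]
# acl_xattr:ignore system acls = yes
path = /srv/samba/TEST/
read only = no

[TYPO]
acl_xattr:ignore system acl = yes
path = /srv/samba/TYPO/

[STRICT]
acl_xattr:ignore system acls = yes
path = /srv/samba/STRICT/
"""

def parse_smb_conf(text):
    """Return {share: {param: value}}; '#'/';' comment lines and blanks are skipped."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # a commented line is not a setting
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            shares[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            shares[current][key.strip().lower()] = value.strip()
    return shares

def acl_mode(params):
    """Describe how the share's ACLs will be handled, following the thread."""
    if MISSPELLED in params:
        return "invalid: parameter name lacks the trailing 's', Samba ignores it"
    if params.get(VALID, "no").lower() in ("yes", "true", "1"):
        return ("ignore: NT ACL kept only in the EA, no mapping to ugo/POSIX acls, "
                "so no '+' on ls -l and Unix permissions stay as created")
    return "map: best-effort mapping of Windows ACLs onto Unix acls, expect a '+'"

def report(text):
    """Map each share name to its ACL-handling description."""
    return {name: acl_mode(p) for name, p in parse_smb_conf(text).items()}
```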
On 3/2/22 03:39, Manu Baylac via samba wrote:
>
> I don't want to use setfacl, I want to use Windows ACLs and configure
> them from a Windows computer.
> But when I read the wiki page, it says
> "Samba stores the file system permissions in extended file system access
> control lists (ACL) and in an extended attribute", so I thought I would
> expect a "+" on the share.
>

If you're talking about "+"'s, then this means you're looking at the files on a Linux system. Linux doesn't understand Windows ACLs and won't comment on them; i.e. you won't see a "+". You will only see the "+" if you're using POSIX ACLs.

A second point is that attributes and ACLs are not the same thing. I'm not entirely sure how these things are stored, and it probably depends on the underlying filesystem (just learned that ZFS affords multiple options for how attributes are stored, for example), but you use different commands to set them. For example, to make a file read-only, even for the root user:

chattr +i MY_IMPORTANT_FILE

will make a file immutable -- that's an attribute.

setfacl -m g:MY_GROUP:r MY_OTHER_FILE

gives the group MY_GROUP read access to MY_OTHER_FILE -- that's a POSIX ACL.

I completely agree that this is all insanely confusing when you throw Windows permissions into the mix, and it would be super helpful (HINT! HINT!) if the algorithm used to determine these mappings were documented publicly so we can puzzle through the strange things that can happen.