On 02 March 2022 13:33 Rowland Penny wrote:
> On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> > On 28/02/2022 20:26, Rowland Penny via samba wrote:
[snip]
> OK, your OS has to know your users and they have to have permission to
> access/read/write on a share.
>
> Normally when you create a share directory it will get permissions
> like: drwxr-xr-x 2 root root
>
> From this, you can see that only 'root' can write to the share
> directory.
> If you go to windows and set permissions on the share directory, you
> should be able to, but if you have set 'acl_xattr:ignore system acls
> Yes', your users will still not be able to write to the share (and as
> it has been pointed out, this will be shown by not having a '+' sign at
> the end of the permissions), without that line, Samba will alter the
> Unix acls and set NT ACLS and your users will get the permissions you
> want them to have.
>
> Rowland

I am now even more confused than before! The WiKi page for setting up the share using Windows ACLs specifically suggests that the 'acl_xattr:ignore system acls = Yes' be added to smb.conf. And even with that line in smb.conf for the share, I do get the + at the end of permissions. All is working fine with my system. So if the + is missing when this line is in smb.conf does this suggest that the Windows ACLs are not being saved?

Roy

On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:
> On 02 March 2022 13:33 Rowland Penny wrote:
> > On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> > > On 28/02/2022 20:26, Rowland Penny via samba wrote:
> [snip]
> > OK, your OS has to know your users and they have to have permission
> > to access/read/write on a share.
> >
> > Normally when you create a share directory it will get permissions
> > like: drwxr-xr-x 2 root root
> >
> > From this, you can see that only 'root' can write to the share
> > directory.
> > If you go to windows and set permissions on the share directory,
> > you should be able to, but if you have set 'acl_xattr:ignore system
> > acls Yes', your users will still not be able to write to the share
> > (and as it has been pointed out, this will be shown by not having a
> > '+' sign at the end of the permissions), without that line, Samba
> > will alter the Unix acls and set NT ACLS and your users will get the
> > permissions you want them to have.
> >
> > Rowland
>
> I am now even more confused than before! The WiKi page for setting
> up the share using Windows ACLs specifically suggests that the
> 'acl_xattr:ignore system acls = Yes' be added to smb.conf.

It doesn't any more :-)

> And even with that line in smb.conf for the share, I do get the +
> at the end of permissions. All is working fine with my system. So
> if the + is missing when this line is in smb.conf does this suggest
> that the Windows ACLs are not being saved?

I feel that this must be an artefact of the recent CVE updates, I have never used that line myself, but Louis has, so presumably it did work at some point.

What I can say is that if you set 'acl_xattr:ignore system acls = yes' on a share when using Samba 4.15.5, then that share does not get extended NT ACLS (no '+' sign at end of Unix acls) when permissions are set from Windows.

Rowland

On 3/2/22 10:48, spindles seven via samba wrote:
>
> I am now even more confused than before! The WiKi page for setting up the share using Windows ACLs specifically suggests that the 'acl_xattr:ignore system acls = Yes' be added to smb.conf. And even with that line in smb.conf for the share, I do get the + at the end of permissions. All is working fine with my system. So if the + is missing when this line is in smb.conf does this suggest that the Windows ACLs are not being saved?
>

This is something generally confusing about network filesystems that one of the NFS developers finally straightened me out on:

Think of it like this: your brother has 2 cookies. You want one of them, so you ask your mother "can I have one of Bob's cookies?" Even if your mom says yes, your attainment of the cookie is dependent on Bob's cooperation; i.e. if Bob doesn't want to give you the cookie, you're not getting the cookie.

Same is true of network filesystems. If the UNIX permissions on a file are

drwxr-xr-x 2 root root

only the root user can write to that file. Your Windows desktop user can try and write to the file all day long with full permission from Windows ACLs (mom), but linux (Bob), the owner of the file, is going to say no every time.

This is precisely why Samba rewrites the linux permissions (using POSIX ACLs, because that's currently the closest match to the granularity of Windows permissions). Think of this as mom (now Samba is the mom) dropping the hammer on Bob and telling him "put one of those cookies on the counter for Roy or else!"

At least this is how NFS works, and I'm assuming that Samba works the same way, since anything else would be a security hole the size of Texas.
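
An added example (not part of the thread, and not Samba's own code): a small Python audit that reports, per share, how the 'acl_xattr:ignore system acls' option discussed in these messages is set, including an option line that lacks its '='. The sample smb.conf, the share names and the `audit` function are constructed for illustration; it assumes option names compare without regard to case or spaces and looks only at explicit 'vfs objects' lines.

```python
import configparser

# Constructed sample smb.conf; share names and paths are illustrative.
SAMPLE_SMB_CONF = """
[global]
    vfs objects = acl_xattr
[projects]
    path = /srv/samba/projects
    acl_xattr:ignore system acls = Yes
[scans]
    path = /srv/samba/scans
[legacy]
    path = /srv/samba/legacy
    acl_xattr:ignore system acls Yes
"""

TRUE = {"yes", "true", "on", "1"}
KEY = "acl_xattr:ignoresystemacls"  # option name after normalisation

def _norm(name):
    # Assumption: option names compare without regard to case or spaces.
    return "".join(name.split()).lower()

def audit(conf_text):
    """Map each share that loads acl_xattr to 'yes', 'no' or 'malformed'."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                      comment_prefixes=("#", ";"), allow_no_value=True)
    cp.optionxform = _norm
    # Strip indentation so configparser does not treat it as continuation.
    cp.read_string("\n".join(l.strip() for l in conf_text.splitlines()))
    glob = {}
    for sec in cp.sections():
        if sec.lower() == "global":
            glob.update(cp.items(sec))
    result = {}
    for sec in cp.sections():
        opts = {**glob, **dict(cp.items(sec))}  # share settings override [global]
        if sec.lower() == "global" or \
           "acl_xattr" not in (opts.get("vfsobjects") or "").split():
            continue
        if any(k.startswith(KEY) and v is None for k, v in opts.items()):
            result[sec] = "malformed"  # option line has no '=', so no value is set
        elif (opts.get(KEY) or "").lower() in TRUE:
            result[sec] = "yes"        # mapping to system (POSIX) ACLs disabled
        else:
            result[sec] = "no"         # default: system ACLs are maintained too
    return result

if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF))
```

On a share reported as 'yes', `ls -ld` on the share directory shows whether the '+' marker is present, which is the observation the messages above disagree on.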