samba - Mar 2022 - 4.15 windows ACL share. Not taking?

On 02 March 2022 18:40 spindles seven wrote:
> On 02 March 2022 17:05 Rowland Penny wrote:
> > On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:
> > > On 02 March 2022 13:33 Rowland Penny wrote:
> > > > On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba
wrote:
> > > > > Le 28/02/2022   20:26, Rowland Penny via samba a  crit
:
> >
> > I feel that this must be an artefact of the recent CVE updates, I have
> > never used that line myself, but Louis has, so presumably it did work
> > at some point. What I can say is that if you set 'acl_xattr:ignore
> > system acls = yes' on share when using Samba
> > 4.15.5 , then that share does not get extended NT ACLS (no '+'
sign at
> > end of Unix
> > acls) when permissions are set from Windows.
> >
> Ok that may explain it, but I just did a test with a new share on a member
server
> running Samba 4.15.5 and found that I still get the + after setting the
ACLs from
> Windows and can still use it after adding the
> 'acl_xattr:ignore system acls = yes' to the share definition.    Do
you have to use a
> brand-new server running
> Samba version  4.15.5 rather than one that has been upgraded?
> 
OK, I did another test with a fresh install of Debian Bullseye and Samba 4.15.5
from Louis' repo.
I've determined that if you use the domain Administrator to set permissions
from Windows, then if you
were to set the line: 'acl_xattr:ignore system acls = yes' in smb.conf
the "+" disappears from
the 'ls' listing and users cannot access the share as the OP and Rowland
points out.
If however, you use a member of Domain Admins to set the permissions from
Windows
then the "+" is retained and users can still access the folder/files
after the above line is added to smb.conf.

Can anyone explain this behaviour?

Roy

I should note that I noticed something pretty similar, I think.?
I was way less systematic about it, but there was something quite odd about the
Administrator account and being able to access shares (or more accurately, NOT
being able to access them.)
In my case, it occurred with _both_ 4.15.3 and 4.15.5.
?
And using another domain admin equivalent account "fixed" it. (Which
was odder still.)
?
I just figured I'd done something stupid and hadn't had any time to
tinker or test to see why.
Just thought I'd chime in as a "Yeah, I've noticed something odd
too."
?
It's totally possible that this isn't the same issue, and my problems
are self-inflicted, but my feeling is that it's the same root problem.
?
> On 02 March 2022 18:40 spindles seven wrote:
>> On 02 March 2022 17:05 Rowland Penny wrote:
>>> On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:
>>>> On 02 March 2022 13:33 Rowland Penny wrote:
>>>>> On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba
wrote:
>>>>>> Le 28/02/2022 ? 20:26, Rowland Penny via samba a ?crit
:
>>> I feel that this must be an artefact of the recent CVE updates, I
have
>>> never used that line myself, but Louis has, so presumably it did
work
>>> at some point. What I can say is that if you set
'acl_xattr:ignore
>>> system acls = yes' on share when using Samba
>>> 4.15.5 , then that share does not get extended NT ACLS (no
'+' sign at
>>> end of Unix
>>> acls) when permissions are set from Windows.
>> Ok that may explain it, but I just did a test with a new share on a
member server
>> running Samba 4.15.5 and found that I still get the + after setting the
ACLs from
>> Windows and can still use it after adding the
>> 'acl_xattr:ignore system acls = yes' to the share definition. ?
?Do you have to use a
>> brand-new server running
>> Samba version ?4.15.5 rather than one that has been upgraded?
> OK, I did another test with a fresh install of Debian Bullseye and Samba
4.15.5 from Louis' repo.
> I've determined that if you use the domain Administrator to set
permissions from Windows, then if you
> were to set the line: 'acl_xattr:ignore system acls = yes' in
smb.conf the "+" disappears from
> the 'ls' listing and users cannot access the share as the OP and
Rowland points out.
> If however, you use a member of Domain Admins to set the permissions from
Windows
> then the "+" is retained and users can still access the
folder/files after the above line is added to smb.conf.
> Can anyone explain this behaviour?
> Roy