L.P.H. van Belle
2022-Mar-15 15:01 UTC
[Samba] Setting permissions on AD member file server
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Patrick Goetz via samba
> Sent: Tuesday 15 March 2022 14:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] Setting permissions on AD member file server
>
> On 3/14/22 17:41, Gregory Sloop via samba wrote:
> > I've had a little time to tinker and one thing I've found.
> >
> > Unless I have [acl_xattr:ignore system acls = yes] set, I can't edit permissions at all.
> > (I set it globally, though a share level setting would probably work on a per-share basis.)
>
> There must be another issue here. I have:
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes

You can remove: store dos attributes = yes
The default has changed to yes in Samba release 4.9.0 and above.

> set in smb.conf and most certainly can edit permissions from Windows,
> although this has also failed in some cases for reasons I haven't been
> able to pinpoint (but am guessing is related to the long path issue).

You can try to set:
Local Computer Policy > Computer Configuration > Administrative Templates > System > Filesystem.
Double click and Enable NTFS long paths.

> > This seems to be a quasi-sideeffect of that setting? - in short that setting overwrites/resets the posix permissions.
> > (Provided I understand discussions I've seen about it.)
> >
> > In this case the share will only be used by Windows users via CIFS/Samba - so this may well "work" just fine and as a happy side-effect, make the problem vanish.
> > But I'd guess it's not really the "correct" fix.
> >
> > To that end, what would be the best way to reset the permissions on the directories/files properly, removing all the Samba ACL's etc? Once they are set as a baseline in POSIX then we can tinker with Samba ACL's with the Windows permissions again. (And remove acl_xattr:ignore system acls = yes)

I do this like this.

setfacl --recursive --remove-all folder
chmod -R o-rwx folder
chown -R root:root folder
chmod -R 775 folder

And start again, now it's back to normal.

> Adding on to this, I would like to completely reset all the Windows
> permissions, since the filesystem permissions look good, but resetting
> permissions on some folders fails from Windows. If Windows 10 File
> Explorer does not support long paths, then how would someone use this to
> reset permissions on deeply nested folders anyway? I've determined that
> after a certain path length the security tab disappears from
> Properties completely!

Interesting, I haven't seen that. I have seen a bug that made the security tab go away, but that's long ago fixed.

Greetz,

Louis

On 3/15/22 10:01, L.P.H. van Belle via samba wrote:
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Patrick Goetz via samba
>> Sent: Tuesday 15 March 2022 14:58
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Setting permissions on AD member file server
>>
>> On 3/14/22 17:41, Gregory Sloop via samba wrote:
>>> I've had a little time to tinker and one thing I've found.
>>>
>>> Unless I have [acl_xattr:ignore system acls = yes] set, I can't edit permissions at all.
>>> (I set it globally, though a share level setting would probably work on a per-share basis.)
>>
>> There must be another issue here. I have:
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>
> You can remove: store dos attributes = yes
> The default has changed to yes in Samba release 4.9.0 and above.
>
>> set in smb.conf and most certainly can edit permissions from Windows,
>> although this has also failed in some cases for reasons I haven't been
>> able to pinpoint (but am guessing is related to the long path issue).
>
> You can try to set:
> Local Computer Policy > Computer Configuration > Administrative Templates > System > Filesystem.
> Double click and Enable NTFS long paths.

Yes, I did this for all Windows workstations using a domain Group Policy and it didn't change anything.

>>> This seems to be a quasi-sideeffect of that setting? - in short that setting overwrites/resets the posix permissions.
>>> (Provided I understand discussions I've seen about it.)
>>>
>>> In this case the share will only be used by Windows users via CIFS/Samba - so this may well "work" just fine and as a happy side-effect, make the problem vanish.
>>> But I'd guess it's not really the "correct" fix.
>>>
>>> To that end, what would be the best way to reset the permissions on the directories/files properly, removing all the Samba ACL's etc? Once they are set as a baseline in POSIX then we can tinker with Samba ACL's with the Windows permissions again. (And remove acl_xattr:ignore system acls = yes)
>
> I do this like this.
> setfacl --recursive --remove-all folder
> chmod -R o-rwx folder
> chown -R root:root folder
> chmod -R 775 folder
>
> And start again, now it's back to normal.

So that resets the UNIX/POSIX ACLs; how do you reset all the Windows ACLs?

>> Adding on to this, I would like to completely reset all the Windows
>> permissions, since the filesystem permissions look good, but resetting
>> permissions on some folders fails from Windows. If Windows 10 File
>> Explorer does not support long paths, then how would someone use this to
>> reset permissions on deeply nested folders anyway? I've determined that
>> after a certain path length the security tab disappears from
>> Properties completely!
>
> Interesting, I haven't seen that. I have seen a bug that made the security tab go away,
> but that's long ago fixed.

Create a really long path (> 256 characters) and then see if you see the same thing; i.e. when listing Properties on a file or folder under this path, is there a Security tab?

> Greetz,
>
> Louis

L.P.H. van Belle
2022-Mar-15 15:51 UTC
[Samba] Setting permissions on AD member file server
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Patrick Goetz via samba
> Sent: Tuesday 15 March 2022 16:30
> To: samba at lists.samba.org...
>
> > You can try to set:
> > Local Computer Policy > Computer Configuration > Administrative Templates > System > Filesystem.
> > Double click and Enable NTFS long paths.
>
> Yes, I did this for all Windows workstations using a domain
> Group Policy and it didn't change anything.

It was worth a try to post it. ;-)

> >>> This seems to be a quasi-sideeffect of that setting? - in short that setting overwrites/resets the posix permissions.
> >>> (Provided I understand discussions I've seen about it.)
> >>>
> >>> In this case the share will only be used by Windows users via CIFS/Samba - so this may well "work" just fine and as a happy side-effect, make the problem vanish.
> >>> But I'd guess it's not really the "correct" fix.
> >>>
> >>> To that end, what would be the best way to reset the permissions on the directories/files properly, removing all the Samba ACL's etc? Once they are set as a baseline in POSIX then we can tinker with Samba ACL's with the Windows permissions again. (And remove acl_xattr:ignore system acls = yes)
> >
> > I do this like this.
> > setfacl --recursive --remove-all folder
> > chmod -R o-rwx folder
> > chown -R root:root folder
> > chmod -R 775 folder
> >
> > And start again, now it's back to normal.
>
> So that resets the UNIX/POSIX ACLs; how do you reset all the
> Windows ACLs?

That also reset the Windows ACL's for me. Hm, only I use this with a backend AD on members.

I'm not 100% sure here, so careful. But maybe (* did a quick google on it.) So all honestly stolen from the internet.

xattr -d security.NTACL file

So before you run it ;-) Back up the ACL's.

NTACLS=$(samba-tool ntacl get /srv/samba/shares/path/to/file/to/copy/ntacls/from --as-sddl)
samba-tool ntacl set "$NTACLS" /home/samba/shares/path/to/file/to/overwrite/ntacls

Personally I have all my base folders, their ACL's, backed up to file.
The path /srv, /srv/samba, /srv/samba/companydata and all the first level subfolders in company data.
Just handy to have. Just in case.

For some that might not work, don't ask why, I don't know.

# Capture the NTACL attribute from the good file or directory
ACL=$(getfattr -e base64 -n security.NTACL /path/to/good/file_or_directory)
# Strip off the headers so that the ACL variable only holds the base64 value
ACL=${ACL#*=}
# Set security.NTACL on the bad file or directory
setfattr -n security.NTACL -v "$ACL" /path/to/bad/file_or_directory

Or

cd /root/of/bad/tree
# Use steps above to set DIRACL and FILEACL from good directory and good file
find . -type d -exec setfattr -n security.NTACL -v "$DIRACL" "{}" \;
find . -type f -exec setfattr -n security.NTACL -v "$FILEACL" "{}" \;

> >> Adding on to this, I would like to completely reset all the Windows
> >> permissions, since the filesystem permissions look good, but resetting
> >> permissions on some folders fails from Windows. If Windows 10 File
> >> Explorer does not support long paths, then how would someone use this to
> >> reset permissions on deeply nested folders anyway? I've determined that
> >> after a certain path length the security tab disappears from
> >> Properties completely!
> >
> > Interesting, I haven't seen that. I have seen a bug that made the
> > security tab go away, but that's long ago fixed.
>
> Create a really long path (> 256 characters) and then see if
> you see the same thing; i.e. when listing Properties on a file or folder
> under this path, is there a Security tab?

From the "share point" or from the root of disk?
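
Added example, not part of any message in the thread: one way to take the "back up the ACL's before you run it" step for a whole tree, by dumping security.NTACL with getfattr, listing objects the dump does not cover, and restoring later with setfattr --restore. The function names and the sample tree in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example: dump security.NTACL for a tree, check coverage, restore later.
# Run as root on the file server; TREE must be an absolute path.
ATTR=security.NTACL

# One record ("# file: /path" + base64 value) per object that carries ATTR.
# getfattr exits non-zero when some objects lack ATTR; uncovered() lists them.
dump_ntacls() {      # dump_ntacls TREE DUMP
    getfattr -R --absolute-names -e base64 -n "$ATTR" "$1" > "$2" 2>/dev/null
}

# Paths in DUMP that are followed by an ATTR value line.
dumped_paths() {     # dumped_paths DUMP
    awk -v a="$ATTR=" '/^# file: /{p=substr($0,9)}
        index($0,a)==1 && p!=""{print p; p=""}' "$1"
}

# Objects under TREE with no record in DUMP (nothing to restore for them).
# Names containing newlines or characters getfattr escapes are not handled.
uncovered() {        # uncovered TREE DUMP
    t=$(mktemp)
    dumped_paths "$2" | LC_ALL=C sort > "$t"
    find "$1" | LC_ALL=C sort | LC_ALL=C comm -23 - "$t"
    rm -f "$t"
}

restore_ntacls() {   # restore_ntacls DUMP
    setfattr --restore="$1"
}

# Constructed sample: two files, a dump that covers the directory and one file.
demo() {
    d=$(mktemp -d)
    mkdir "$d/share"; : > "$d/share/a.txt"; : > "$d/share/b.txt"
    printf '# file: %s\nsecurity.NTACL=0sAAAA\n\n' \
        "$d/share" "$d/share/a.txt" > "$d/dump"
    uncovered "$d/share" "$d/dump" | sed "s|^$d/||"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then
    dump_ntacls "$1" "$2"
    uncovered "$1" "$2"
fi
```

Called with a tree and a dump file as arguments, the script writes the dump and prints every object that has no stored NT ACL; restore_ntacls puts the saved values back after a reset.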