On Fri, Mar 25, 2022 at 05:37:26PM -0500, Patrick Goetz via samba wrote:
>
> On 3/25/22 17:35, Jeremy Allison wrote:
>> On Fri, Mar 25, 2022 at 05:27:55PM -0500, Patrick Goetz via samba wrote:
>>>
>>> On 3/24/22 12:10, Jeremy Allison via samba wrote:
>>>> On Thu, Mar 24, 2022 at 10:07:16AM -0700, Greg Sloop <gregs---
>>>> via samba wrote:
>>>>> What's the proper way to REMOVE all the ACL's assigned by Windows to a
>>>>> Samba share/folders/files?
>>>>>
>>>>> The short story is I was having problems assigning ACL's via
>>>>> the Windows security dialog. I managed to fix that, but now users that I
>>>>> assign rights to a file/folder simply don't have those rights, and I can't
>>>>> figure out why.
>>>>>
>>>>> I want to make absolutely sure that all the previous ACL's are
>>>>> gone so I'm sure I'm working with a clean setup. If I still have issues,
>>>>> then at least I'm starting from a clean base, so working through the
>>>>> troubleshooting steps might be easier.
>>>>
>>>> If you are storing Windows ACLs into EA's then recursively
>>>> remove system.NTACL from all files/directories. You'll
>>>> need to be root.
>>>>
>>>
>>> Sorry, this lost me completely? What is system.NTACL?
>>
>> system.NTACL is the extended attribute smbd uses to
>> store the Windows ACL in ndr format.
>
> I figured this much, but am unsure about the syntax for doing this --
> could you provide an example, please?

The syntax for doing what? smbd stores these values internally.
I think samba-tool can show them.
On 3/25/22 17:39, Jeremy Allison wrote:
>>> system.NTACL is the extended attribute smbd uses to
>>> store the Windows ACL in ndr format.
>>
>> I figured this much, but am unsure about the syntax for doing this --
>> could you provide an example, please?
>
> The syntax for doing what? smbd stores these values internally.
> I think samba-tool can show them.

I'm wondering if you mean security.NTACL, as described here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End

as in:

# getfattr -n security.NTACL -d /srv/samba/Demo/

samba-tool does allow you to manage this:

# samba-tool ntacl set acl file [options]

but I can't find any examples of how this is used in either the Wiki, the man page, or the built-in help. For example, what are the [options]? Does this work on directories too? Etc.

Not sure I understand the relevance of ndr format, but sddl is rather complicated and seems to be poorly documented (even by Microsoft). For example, what is the right SDDL_NO_READ_UP anyway? Who knows! What is the ace_type SDDL_SCOPED_POLICY_ID? Again, who knows? I can't find any documentation on this. Microsoft seems to think their naming convention is self-documenting. I feel more comfortable saying this after having just read through 3 books on Windows administration, all equally vague and incomplete on these issues. Louis did helpfully provide some examples in a recent post, but what's needed here are some canonical use case examples. This:

https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language

is only useful as a reference for people who already know how this works; otherwise it's a textbook example of how not to write documentation; a perfect illustration of what you get in the Cathedral rather than at the Bazaar, where your holiness grants you nothing.
Since it's clearly up to Linux to get Windows ACLs done right, I will be attempting to revisit this in the next couple of months, hopefully with some useful documentation. Thanks.
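As an added example (not code from either poster or from the Samba project), here is one way to script the recursive removal Jeremy describes and that Patrick asks syntax for. It assumes the attribute name is security.NTACL, the name used in the wiki getfattr command quoted above (override it with the second argument if your setup differs), that getfattr/setfattr from the attr package are installed, and that it runs as root, since security.* attributes need CAP_SYS_ADMIN to change.

```shell
#!/bin/sh
# Added example: strip the NT ACL xattr Samba stores per file/directory from a
# whole share tree, so Windows ACLs can be rebuilt from a known-clean state.
# Assumptions: attribute name security.NTACL (taken from the wiki getfattr
# command quoted in the thread), attr tools installed, running as root.
set -u

# count_ntacl DIR [ATTR]: number of files/dirs under DIR still carrying ATTR.
# getfattr -R prints a "# file: ..." header only for objects that have it,
# so counting those headers gives the number of objects left to clean.
count_ntacl() {
    root=$1
    attr=${2:-security.NTACL}
    getfattr -R -n "$attr" --absolute-names "$root" 2>/dev/null \
        | grep -c '^# file:' || true
}

# strip_ntacl DIR [ATTR]: remove ATTR from every file and directory under DIR.
# Objects without the attribute are skipped, because "setfattr -x" on such an
# object fails with ENODATA and would only add noise; real failures (EPERM,
# read-only mount) are reported so a partial clean-up is not mistaken for a
# complete one.
strip_ntacl() {
    root=$1
    attr=${2:-security.NTACL}
    [ -d "$root" ] || { echo "strip_ntacl: not a directory: $root" >&2; return 2; }
    find "$root" \( -type f -o -type d \) -exec sh -c '
        attr=$1; shift
        for p in "$@"; do
            if getfattr -n "$attr" --absolute-names "$p" >/dev/null 2>&1; then
                setfattr -x "$attr" "$p" || echo "strip_ntacl: failed on $p" >&2
            fi
        done' sh "$attr" {} +
}

# Typical use on a share (path from the thread), with clients disconnected:
#   echo "before: $(count_ntacl /srv/samba/Demo)"
#   strip_ntacl /srv/samba/Demo
#   echo "after:  $(count_ntacl /srv/samba/Demo)"   # 0 once the tree is clean
```

A non-zero count after the run means some objects could not be cleaned; the stderr lines from strip_ntacl name them.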