On 3/25/22 17:39, Jeremy Allison wrote:
>>> system.NTACL is the extended attribute smbd uses to
>>> store the Windows ACL in ndr format.
>>
>> I figured this much, but am unsure about the syntax for doing this --
>> could you provide an example, please?
>
> The syntax for doing what ? smbd stores these values internally.
> I think samba-tool can show them.
I'm wondering if you mean security.NTACL, as described here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End
as in:
# getfattr -n security.NTACL -d /srv/samba/Demo/
samba-tool does allow you to manage this:
# samba-tool ntacl set acl file [options]
but I can't find any examples of how this is used in either the Wiki,
the man page, or the built-in help. For example, what are the [options]?
Does this work on directories too? Etc.
Not sure I understand the relevance of ndr format, but sddl is rather
complicated and seems to be poorly documented (even by Microsoft). For
example what is the right SDDL_NO_READ_UP anyway? Who knows! What is
the ace_type SDDL_SCOPED_POLICY_ID? Again, who knows? I can't find any
documentation on this. Microsoft seems to think their naming convention
is self-documenting. I feel more comfortable saying this after having
just read through 3 books on Windows administration, all equally vague
and incomplete on these issues.
Louis did helpfully provide some examples in a recent post, but what's
needed here are some canonical use case examples. This:
https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
is only useful as a reference for people who already know how this
works; otherwise it's a textbook example of how not to write
documentation; a perfect illustration of what you get in the Cathedral
rather than at the Bazaar, where your holiness grants you nothing.
Since it's clearly up to Linux to get Windows ACLs done right, I will be
attempting to revisit this in the next couple of months, hopefully with
some useful documentation.
Thanks.
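The SDDL abbreviations the post complains about (ace_type "SP" for SDDL_SCOPED_POLICY_ID, the "NR" mandatory-label right for SDDL_NO_READ_UP, and so on) are easier to read once the string is split into its fields. The following is an added example written for this thread, not code from Samba or from anyone on the list: a small decoder for the O:/G:/D:/S: sections and the two-letter ACE tokens of an SDDL string such as the one `samba-tool ntacl get <file> --as-sddl` prints. The sample descriptor and the SID alias table are constructed for the example; only the common aliases are included, and ACEs with a nested resource-attribute clause are rejected rather than decoded.

```python
"""Decode an SDDL security descriptor string into readable parts.

Constructed example for this thread (not Samba code). The abbreviation
tables follow the Microsoft SDDL reference; unknown tokens are kept
verbatim with a trailing '?' so nothing is silently dropped.
"""
import re

ACE_TYPES = {
    "A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
    "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT",
    "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",
    "OU": "SYSTEM_AUDIT_OBJECT", "OL": "SYSTEM_ALARM_OBJECT",
    "ML": "SYSTEM_MANDATORY_LABEL", "XA": "ACCESS_ALLOWED_CALLBACK",
    "XD": "ACCESS_DENIED_CALLBACK", "RA": "SYSTEM_RESOURCE_ATTRIBUTE",
    "SP": "SYSTEM_SCOPED_POLICY_ID", "XU": "SYSTEM_AUDIT_CALLBACK",
}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY",
             "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
          "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE",
          "NR": "NO_READ_UP", "NW": "NO_WRITE_UP", "NX": "NO_EXECUTE_UP"}
# Well-known SID aliases (subset, constructed for the example).
SIDS = {"BA": "S-1-5-32-544 (Builtin Administrators)",
        "BU": "S-1-5-32-545 (Builtin Users)",
        "SY": "S-1-5-18 (Local System)",
        "AU": "S-1-5-11 (Authenticated Users)",
        "WD": "S-1-1-0 (Everyone)", "CO": "S-1-3-0 (Creator Owner)",
        "AN": "S-1-5-7 (Anonymous)",
        "ME": "S-1-16-8192 (Medium Mandatory Level)",
        "DA": "Domain Admins (RID 512)", "DU": "Domain Users (RID 513)"}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}

# Constructed sample: protected, auto-inherited DACL plus a mandatory label.
SAMPLE = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
          "(D;;WD;;;AN)S:(ML;;NW;;;ME)")


def _pairs(s, table):
    """Expand concatenated two-letter tokens; rights may also be a hex mask."""
    if s.startswith("0x"):
        return [f"0x{int(s, 16):08x}"]
    if len(s) % 2:
        raise ValueError(f"odd-length token list: {s!r}")
    return [table.get(s[i:i + 2], s[i:i + 2] + "?") for i in range(0, len(s), 2)]


def _acl_flags(s):
    """ACL control flags mix one- and two-letter tokens (P, AR, AI)."""
    out, i = [], 0
    while i < len(s):
        if s[i:i + 2] in ACL_FLAGS:
            out.append(ACL_FLAGS[s[i:i + 2]]); i += 2
        elif s[i] in ACL_FLAGS:
            out.append(ACL_FLAGS[s[i]]); i += 1
        else:
            raise ValueError(f"unknown ACL flag at {s[i:]!r}")
    return out


def parse_ace(ace):
    """ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid"""
    fields = ace.split(";")
    if len(fields) < 6:
        raise ValueError(f"ACE needs 6 ';'-separated fields: {ace!r}")
    ace_type, flags, rights, obj, inh_obj, sid = fields[:6]
    return {"type": ACE_TYPES.get(ace_type, ace_type + "?"),
            "flags": _pairs(flags, ACE_FLAGS),
            "rights": _pairs(rights, RIGHTS),
            "object_guid": obj or None,
            "inherit_object_guid": inh_obj or None,
            "trustee": SIDS.get(sid, sid)}


def parse_acl(section):
    """Section looks like 'PAI(A;OICI;FA;;;BA)(...)'; nested '(' is rejected."""
    m = re.fullmatch(r"([A-Z]*)((?:\([^()]*\))*)", section)
    if not m:
        raise ValueError(f"cannot parse ACL section: {section!r}")
    flags, aces = m.groups()
    return {"flags": _acl_flags(flags),
            "aces": [parse_ace(a) for a in re.findall(r"\(([^()]*)\)", aces)]}


def parse_sddl(sddl):
    """Split into owner, group, DACL and SACL; a missing section stays None."""
    result = {"owner": None, "group": None, "dacl": None, "sacl": None}
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key == "O":
            result["owner"] = SIDS.get(body, body)
        elif key == "G":
            result["group"] = SIDS.get(body, body)
        elif key == "D":
            result["dacl"] = parse_acl(body)
        else:
            result["sacl"] = parse_acl(body)
    return result


def describe(sddl):
    """Return one human-readable line per header field and per ACE."""
    d = parse_sddl(sddl)
    lines = [f"owner: {d['owner']}", f"group: {d['group']}"]
    for name in ("dacl", "sacl"):
        acl = d[name]
        if acl is None:
            continue
        lines.append(f"{name.upper()} flags: {', '.join(acl['flags']) or '-'}")
        for ace in acl["aces"]:
            lines.append(f"  {ace['type']} [{','.join(ace['flags']) or '-'}] "
                         f"{','.join(ace['rights'])} -> {ace['trustee']}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

Run it on the string `samba-tool ntacl get` returns for a share path and the output reads as "type [inheritance flags] rights -> trustee" per ACE, which is usually enough to spot the common misconfiguration cases: an allow ACE for Everyone or Anonymous with write rights, or a DACL that is not PROTECTED when the share was meant to stop inheriting from its parent.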