On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:
>
>On 3/25/22 17:39, Jeremy Allison wrote:
>>>>
>>>>system.NTACL is the extended attribute smbd uses to
>>>>store the Windows ACL in ndr format.
>>>
>>>I figured this much, but am unsure about the syntax for doing this
>>>-- could you provide an example, please?
>>
>>The syntax for doing what ? smbd stores these values internally.
>>I think samba-tool can show them.
>
>I'm wondering if you mean security.NTACL, as described here:
>
>https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End
>
>as in:
>
>  # getfattr -n security.NTACL -d /srv/samba/Demo/
>
>samba-tool does allow you to manage this:
>
>  # samba-tool ntacl set acl file [options]
>
>but I can't find any examples of how this is used in either the Wiki,
>the man page, or the built in help. For example, what are the
>[options]? Does this work on directories too? Etc..

Yes dammit :-). I keep mixing up the confusing namespaces
on Linux, sorry :-).

It's used as a "pristine" store of the ACL the client sent.
If the underlying native (usually POSIX) ACL is changed outside
of smbd then it is removed as it no longer represents reality.
On 3/28/22 12:28 PM, Jeremy Allison via samba wrote:
> On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:
>>
>> On 3/25/22 17:39, Jeremy Allison wrote:
>>>>>
>>>>> system.NTACL is the extended attribute smbd uses to
>>>>> store the Windows ACL in ndr format.
>>>>
>>>> I figured this much, but am unsure about the syntax for doing this
>>>> -- could you provide an example, please?
>>>
>>> The syntax for doing what ? smbd stores these values internally.
>>> I think samba-tool can show them.
>>
>> I'm wondering if you mean security.NTACL, as described here:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End
>>
>> as in:
>>
>>   # getfattr -n security.NTACL -d /srv/samba/Demo/
>>
>> samba-tool does allow you to manage this:
>>
>>   # samba-tool ntacl set acl file [options]
>>
>> but I can't find any examples of how this is used in either the Wiki,
>> the man page, or the built in help. For example, what are the
>> [options]? Does this work on directories too? Etc..
>
> Yes dammit :-). I keep mixing up the confusing namespaces
> on Linux, sorry :-).
>
> It's used as a "pristine" store of the ACL the client sent.
> If the underlying native (usually POSIX) ACL is changed outside
> of smbd then it is removed as it no longer represents reality.
>

This magic here explains why, some time ago, I tried to add a simple
permission to a group that mapped directly to POSIX ACLs with a setfacl
call and then noticed on a Windows client that the entire Windows ACLs
were modified.
> On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:
>> On 3/25/22 17:39, Jeremy Allison wrote:
>>>>> system.NTACL is the extended attribute smbd uses to
>>>>> store the Windows ACL in ndr format.
>>>> I figured this much, but am unsure about the syntax for doing this
>>>> -- could you provide an example, please?
>>> The syntax for doing what ? smbd stores these values internally.
>>> I think samba-tool can show them.
>> I'm wondering if you mean security.NTACL, as described here:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End
>> as in:
>>   # getfattr -n security.NTACL -d /srv/samba/Demo/
>> samba-tool does allow you to manage this:
>>   # samba-tool ntacl set acl file [options]
>> but I can't find any examples of how this is used in either the Wiki,
>> the man page, or the built in help. For example, what are the
>> [options]? Does this work on directories too? Etc..
> Yes dammit :-). I keep mixing up the confusing namespaces
> on Linux, sorry :-).
> It's used as a "pristine" store of the ACL the client sent.
> If the underlying native (usually POSIX) ACL is changed outside
> of smbd then it is removed as it no longer represents reality.

That's new information I didn't know. So, simply doing a chmod/chown in
Linux would be enough to fully reset/remove all Samba (Windows set) ACLs
on a file or directory, right?