> Hi Ralph -
>
> On 3/29/22 03:24, Ralph Boehme wrote:
>> On 3/28/22 22:36, Patrick Goetz via samba wrote:
>>> So my plan is to transfer the data to the new server and then run a
>>> script that recurses through the filesystem, changing user and group
>>> ownership. I think the basic unix permissions are respected (sort of),
>>> but this means I can't attempt to use POSIX ACLs to simplify their
>>> permissions setup, because these won't be recognized on Windows, where
>>> they do a lot of their work. Having a command to set Windows ACLs
>>> from POSIX ACLs would be handy in this case.
>>
>> iirc Björn is working on such a feature for samba-tool.
>>
>> But it also looks like Jeremy and you talk past each other.
>>
>> We *do* store a hash of the underlying permissions, including POSIX ACL,
>> in our xattr. We *do* check whether the underlying permissions have
>> changed by hashing the current permissions and comparing against the
>> stored hash. We *do* discard the stored NT ACL in case both don't match
>> and go back to building a new NT ACL based on the underlying permissions.
>>
>> Does that clarify things? Or eventually I missed something in the
>> discussion that I didn't follow closely from the start, just chiming in. :)
>
> Yes, this clarifies things considerably and makes a lot more sense.
>
> My nightmare use case is an archivist group with very deeply nested
> directory structures, where, for some subdirectories uploaded by an
> external user prior to the machine being bound to the Samba AD, the users
> are unable to edit files even though the linux permissions look fine. I
> tried resetting permissions from Windows, but that just crashes, and I
> can't even see what the Windows permissions are for these deep
> subdirectories, because the Security tab is missing from Properties,
> likely because File Explorer doesn't support long paths. There's probably
> some way to do this with Powershell.
>
> Your comment suggests that I might be able to fix this by recursively
> resetting all the POSIX ACLs on linux for the entire filesystem, which
> would be great. If that fails, I'll have to develop some more Powershell
> expertise.

In all the testing I've done, setting the POSIX perms (via setfacl/chown/chmod) doesn't do anything to reset or modify the "Windows" ACL listing.
-This probably is because I have: acl_xattr:ignore system acls = yes
(But I only have this set so I can tweak permissions from Windows at all! Without it, any permissions mods fail as though I don't have the correct privs, even though I'm doing them as Administrator.)

(And tweaking acl_xattr:default acl style = Windows/posix didn't make any difference either.)

With a few new ideas and some re-reading of the docs, I tried the following and it DOES remove the Windows ACLs.

cd into the directory you want to mod.
setfattr -x security.NTACL ./

But there's no "recursive" switch for setfattr, so there's no easy way to force it to process all files and directories. You can only remove a single ACL at a time. I suppose you might be able to craft something with find, but if you've got a large tree, it's not going to be speedy, and I suspect it's going to generate a ton of IO.

But since I really only want to mod the "root" share folder and then fully reset the permissions and then push them down to all child objects, this may well work for my situation.

And when I do this the permission changes are immediately visible in Windows file explorer.

Someone should clearly document this in the Wiki.
(I suppose if I get enough energy I could do it, but this has been a pretty frustrating journey, so motivation is in short supply.)

-Greg
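
The single-directory `setfattr -x security.NTACL ./` from the message above, applied to a whole tree with find. This is an added example, not part of any message in the thread; the function names and the SETFATTR, GETFATTR and DRY_RUN hooks are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: tree-wide form of
#   setfattr -x security.NTACL ./
# SETFATTR, GETFATTR and DRY_RUN are hooks of this example, not Samba settings.
SETFATTR=${SETFATTR:-setfattr}
GETFATTR=${GETFATTR:-getfattr}

# Save every stored NT ACL below $1 to file $2 (hex encoded) before touching
# anything; the dump can be reapplied with: setfattr --restore=FILE
backup_ntacl() {
    "$GETFATTR" -R -P --absolute-names -d -e hex \
        -m '^security\.NTACL$' -- "$1" > "$2"
}

# Remove security.NTACL from $1 and everything below it (run as root).
# With DRY_RUN=1 only the affected paths are listed.
strip_ntacl() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        find "$root" -xdev \( -type f -o -type d \) -print
        return
    fi
    # -xdev keeps find on one filesystem; symlinks are skipped by the -type
    # tests; '{} +' hands many paths to each setfattr process, which limits
    # the fork/exec cost on a large tree.
    # find exits non-zero if any setfattr call fails, for example on a path
    # that carries no security.NTACL, so read the messages, not only $?.
    find "$root" -xdev \( -type f -o -type d \) \
        -exec "$SETFATTR" -x security.NTACL -- {} +
}
```

Source the file, then run `backup_ntacl /path/to/share /root/ntacl.dump` followed by `DRY_RUN=1 strip_ntacl /path/to/share` to review the path list before the real run; both paths here are placeholders.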

On 3/29/22 16:24, Gregory Sloop via samba wrote:
> In all the testing I've done, setting the POSIX perms (via
> setfacl/chown/chmod) doesn't do anything to reset or modify the
> "Windows" ACL listing. This probably is because I have:
> acl_xattr:ignore system acls = yes

very much yes! I wanted to mention that in my earlier mail, but I forgot about it, so thanks for pointing that out. :)

Cheers!
-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba

On 3/29/22 09:24, Gregory Sloop via samba wrote:
>> Hi Ralph -
>>
>> On 3/29/22 03:24, Ralph Boehme wrote:
>>> On 3/28/22 22:36, Patrick Goetz via samba wrote:
>>>> So my plan is to transfer the data to the new server and then run a
>>>> script that recurses through the filesystem, changing user and group
>>>> ownership. I think the basic unix permissions are respected (sort of),
>>>> but this means I can't attempt to use POSIX ACLs to simplify their
>>>> permissions setup, because these won't be recognized on Windows, where
>>>> they do a lot of their work. Having a command to set Windows ACLs
>>>> from POSIX ACLs would be handy in this case.
>>>
>>> iirc Björn is working on such a feature for samba-tool.
>>>
>>> But it also looks like Jeremy and you talk past each other.
>>>
>>> We *do* store a hash of the underlying permissions, including POSIX ACL,
>>> in our xattr. We *do* check whether the underlying permissions have
>>> changed by hashing the current permissions and comparing against the
>>> stored hash. We *do* discard the stored NT ACL in case both don't match
>>> and go back to building a new NT ACL based on the underlying permissions.
>>>
>>> Does that clarify things? Or eventually I missed something in the
>>> discussion that I didn't follow closely from the start, just chiming in. :)
>>
>> Yes, this clarifies things considerably and makes a lot more sense.
>>
>> My nightmare use case is an archivist group with very deeply nested
>> directory structures, where, for some subdirectories uploaded by an
>> external user prior to the machine being bound to the Samba AD, the users
>> are unable to edit files even though the linux permissions look fine. I
>> tried resetting permissions from Windows, but that just crashes, and I
>> can't even see what the Windows permissions are for these deep
>> subdirectories, because the Security tab is missing from Properties,
>> likely because File Explorer doesn't support long paths. There's probably
>> some way to do this with Powershell.
>>
>> Your comment suggests that I might be able to fix this by recursively
>> resetting all the POSIX ACLs on linux for the entire filesystem, which
>> would be great. If that fails, I'll have to develop some more Powershell
>> expertise.
>
> In all the testing I've done, setting the POSIX perms (via
> setfacl/chown/chmod) doesn't do anything to reset or modify the
> "Windows" ACL listing.
> -This probably is because I have: acl_xattr:ignore system acls = yes
> (But I only have this set so I can tweak permissions from Windows at all!
> Without it, any permissions mods fail as though I don't have the correct
> privs, even though I'm doing them as Administrator.)

Just one comment on this for now, as I'm in the middle of a time sensitive deployment:

I use the same [global] defaults for all shares:

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes # (Yes, I know this is now the default)

and generally have no problems changing permissions from Windows; either as administrator or (I need to double check this) as any other user with Full Privileges. If you have to set

    acl_xattr:ignore system acls = yes

in order to edit privileges from Windows, I suspect something else must be wrong.

Have you tried adding this to the [global] section of /etc/samba/smb.conf?

    min domain uid = 0

> (And tweaking acl_xattr:default acl style = Windows/posix didn't make any
> difference either.)
>
> With a few new ideas and some re-reading of the docs, I tried the
> following and it DOES remove the Windows ACLs.
>
> cd into the directory you want to mod.
> setfattr -x security.NTACL ./
>
> But there's no "recursive" switch for setfattr, so there's no easy way to
> force it to process all files and directories. You can only remove a
> single ACL at a time. I suppose you might be able to craft something with
> find, but if you've got a large tree, it's not going to be speedy, and I
> suspect it's going to generate a ton of IO.
>
> But since I really only want to mod the "root" share folder and then
> fully reset the permissions and then push them down to all child objects,
> this may well work for my situation.
>
> And when I do this the permission changes are immediately visible in
> Windows file explorer.
>
> Someone should clearly document this in the Wiki.
> (I suppose if I get enough energy I could do it, but this has been a
> pretty frustrating journey, so motivation is in short supply.)
>
> -Greg

On Tue, Mar 29, 2022 at 07:24:06AM -0700, Gregory Sloop via samba wrote:
>
>In all the testing I've done, setting the POSIX perms (via
>setfacl/chown/chmod) doesn't do anything to reset or modify the
>"Windows" ACL listing.
>-This probably is because I have: acl_xattr:ignore system acls = yes
>(But I only have this set so I can tweak permissions from Windows at all!
>Without it, any permissions mods fail as though I don't have the correct
>privs, even though I'm doing them as Administrator.)

Ah yes. I didn't realize you have that.

acl_xattr:ignore system acls = yes

means only use the stored Windows ACLs for access, and ignore the system ones (as it says on the tin :-).