samba - Mar 2022 - Remove all Windows ACL's from files/folders

On Tue, Mar 29, 2022 at 10:40:43AM -0700, Greg Sloop <gregs--- via samba
wrote:
>
>So, check the Samba logs.
The Samba logs are the source of truth, always.
>2022/03/29 10:23:54.736440,  0]
>../../source3/smbd/service.c:168(chdir_current_service)
>  chdir_current_service:
>vfs_ChDir(/abc-zfs-01/ad-shared-folders/shared-files) failed: Permission
>denied. Current token: uid=11608, gid=10513, 7 groups: 11608 10513 11129
>3003 3004 3006 3001
>---
># wbinfo -i "ad\gs"
>AD\gs:*:11608:10513:gs:/home/AD/gs:/bin/false
>---
>
>So the UID in the Samba log matches the user I expect.
>That's good.
>At least the user attempting access matches the user I've set
permissions
>for,
>
>---
>Incidentally, the group matches too;
>wbinfo -i "ad\domain users"
>AD\domain users:*:10513:10513::/home/AD/domain users:/bin/false
>---
>
>So, now lets see what Samba thinks the permissions are on that
>share/directory.
>
>---
>getfattr -n security.NTACL /abc-zfs-01/ad-shared-folders/shared-files/
>samba-tool ntacl get /abc-zfs-01/ad-shared-folders/shared-files/ --as-sddl
Neither of these gets the *actual* permissions on the
folder. Remember, Samba is an ordinary program and
when operating under a given uid/gid-list in order
to vfs_ChDir() into a folder, the system permissions
on that folder must allow the uid/gid-list access.

You're only looking and reporting the Samba stored
permissions here.

What does

getfacl /abc-zfs-01/ad-shared-folders/shared-files

show ?

If you decouple the Samba stored permissions from
the system permissions, then you need to ensure
that the system permissions allow access from the
given uid/gid-list. Easiest way to do that is to
force all folders to be 0777, all files to be 0666.

This is safe if you're only accessing via smbd.

But, you just said that if I'm using "acl_xattr:ignore system acls =
yes"
it ignores system/posix permissions, right?

(And that's what the docs appear to show - that it will force the directory
mask to 0777 and the create mask to 0666.)
https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html

But in any case, here's the output of getfacl.
getfacl: Removing leading '/' from absolute path names
# file: abc-zfs-01/ad-shared-folders/shared-files
# owner: root
# group: AD\\domain\040admins
# flags: -s-
user::rwx
group::rwx
other::r-x

r-x for "Other" should let the user "ad\gs" at least
enter/view the
directory/share, right?
Which doesn't work.

On Tue, Mar 29, 2022 at 1:40 PM Jeremy Allison <jra at samba.org> wrote:
> On Tue, Mar 29, 2022 at 10:40:43AM -0700, Greg Sloop <gregs--- via samba
> wrote:
> >
> >So, check the Samba logs.
>
> The Samba logs are the source of truth, always.
>
> >2022/03/29 10:23:54.736440,  0]
> >../../source3/smbd/service.c:168(chdir_current_service)
> >  chdir_current_service:
> >vfs_ChDir(/abc-zfs-01/ad-shared-folders/shared-files) failed:
Permission
> >denied. Current token: uid=11608, gid=10513, 7 groups: 11608 10513
11129
> >3003 3004 3006 3001
> >---
> ># wbinfo -i "ad\gs"
> >AD\gs:*:11608:10513:gs:/home/AD/gs:/bin/false
> >---
> >
> >So the UID in the Samba log matches the user I expect.
> >That's good.
> >At least the user attempting access matches the user I've set
permissions
> >for,
> >
> >---
> >Incidentally, the group matches too;
> >wbinfo -i "ad\domain users"
> >AD\domain users:*:10513:10513::/home/AD/domain users:/bin/false
> >---
> >
> >So, now lets see what Samba thinks the permissions are on that
> >share/directory.
> >
> >---
> >getfattr -n security.NTACL /abc-zfs-01/ad-shared-folders/shared-files/
> >samba-tool ntacl get /abc-zfs-01/ad-shared-folders/shared-files/
--as-sddl
>
> Neither of these gets the *actual* permissions on the
> folder. Remember, Samba is an ordinary program and
> when operating under a given uid/gid-list in order
> to vfs_ChDir() into a folder, the system permissions
> on that folder must allow the uid/gid-list access.
>
> You're only looking and reporting the Samba stored
> permissions here.
>
> What does
>
> getfacl /abc-zfs-01/ad-shared-folders/shared-files
>
> show ?
>
> If you decouple the Samba stored permissions from
> the system permissions, then you need to ensure
> that the system permissions allow access from the
> given uid/gid-list. Easiest way to do that is to
> force all folders to be 0777, all files to be 0666.
>
> This is safe if you're only accessing via smbd.
>