Greg Sloop <gregs@sloop.net>
2022-Mar-29 20:49 UTC
[Samba] Remove all Windows ACL's from files/folders
But, you just said that if I'm using "acl_xattr:ignore system acls = yes" it ignores system/posix permissions, right? (And that's what the docs appear to show - that it will force the directory mask to 0777 and the create mask to 0666.) https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html But in any case, here's the output of getfacl. getfacl: Removing leading '/' from absolute path names # file: abc-zfs-01/ad-shared-folders/shared-files # owner: root # group: AD\\domain\040admins # flags: -s- user::rwx group::rwx other::r-x r-x for "Other" should let the user "ad\gs" at least enter/view the directory/share, right? Which doesn't work. On Tue, Mar 29, 2022 at 1:40 PM Jeremy Allison <jra at samba.org> wrote:> On Tue, Mar 29, 2022 at 10:40:43AM -0700, Greg Sloop <gregs--- via samba > wrote: > > > >So, check the Samba logs. > > The Samba logs are the source of truth, always. > > >2022/03/29 10:23:54.736440, 0] > >../../source3/smbd/service.c:168(chdir_current_service) > > chdir_current_service: > >vfs_ChDir(/abc-zfs-01/ad-shared-folders/shared-files) failed: Permission > >denied. Current token: uid=11608, gid=10513, 7 groups: 11608 10513 11129 > >3003 3004 3006 3001 > >--- > ># wbinfo -i "ad\gs" > >AD\gs:*:11608:10513:gs:/home/AD/gs:/bin/false > >--- > > > >So the UID in the Samba log matches the user I expect. > >That's good. > >At least the user attempting access matches the user I've set permissions > >for, > > > >--- > >Incidentally, the group matches too; > >wbinfo -i "ad\domain users" > >AD\domain users:*:10513:10513::/home/AD/domain users:/bin/false > >--- > > > >So, now lets see what Samba thinks the permissions are on that > >share/directory. > > > >--- > >getfattr -n security.NTACL /abc-zfs-01/ad-shared-folders/shared-files/ > >samba-tool ntacl get /abc-zfs-01/ad-shared-folders/shared-files/ --as-sddl > > Neither of these gets the *actual* permissions on the > folder. Remember, Samba is an ordinary program and > when operating under a given uid/gid-list in order > to vfs_ChDir() into a folder, the system permissions > on that folder must allow the uid/gid-list access. > > You're only looking and reporting the Samba stored > permissions here. > > What does > > getfacl /abc-zfs-01/ad-shared-folders/shared-files > > show ? > > If you decouple the Samba stored permissions from > the system permissions, then you need to ensure > that the system permissions allow access from the > given uid/gid-list. Easiest way to do that is to > force all folders to be 0777, all files to be 0666. > > This is safe if you're only accessing via smbd. >
On Tue, Mar 29, 2022 at 01:49:55PM -0700, Greg Sloop <gregs at sloop.net> wrote:>But, you just said that if I'm using "acl_xattr:ignore system acls = yes" >it ignores system/posix permissions, right?Samba is a Linux process. Unless it permanently runs as root (which you don't want) then it *can't* ignore system permissions. When impersonating the client uid/gid-list, that id token must be allowed file system permissions on the target directory/files.>(And that's what the docs appear to show - that it will force the directory >mask to 0777 and the create mask to 0666.) >https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.htmlcreate mask = 0666 directory mask = 0777 are *masks* applied to the permissions. To force permissions to be set, you need: force create mode force directory mode To have Samba always create with directory = 0777, file = 0666 then use: force directory mode = 0777 force create mode = 0666>But in any case, here's the output of getfacl. >getfacl: Removing leading '/' from absolute path names ># file: abc-zfs-01/ad-shared-folders/shared-files ># owner: root ># group: AD\\domain\040admins ># flags: -s- >user::rwx >group::rwx >other::r-x > >r-x for "Other" should let the user "ad\gs" at least enter/view the >directory/share, right? >Which doesn't work.Yes, to chdir into a directory, r-x should be enough. If it isn't working, ensure it's accessible by doing: sudo -u "ad\gs" -g <group you expect" bash and then cd into abc-zfs-01/ad-shared-folders/shared-files. See if it works.