Good evening,

I am currently trying to set up an SMB share using Windows ACLs for permissions per the article: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

However I am running into a bit of confusion when it comes to actually setting the share permissions on the root of the share.

Per the guide I have the following options set within samba:

    map acl inherit = Yes
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes

In addition, I have granted the "DOMAIN\Domain Admins" group the SeDiskOperatorPrivilege.

In addition, I have changed the permissions on the shared directory to:

    chmod 0770 /mnt/smb
    chown root:"DOMAIN\Domain Admins" /mnt/smb

When attempting to set permissions through Windows, I am noticing that the listed users are root, Domain Admins, and SYSTEM, which is to be expected. I believe the issue is that root as well as SYSTEM is listed as having full control, however Domain Admins is only listed as having read, write, execute.

If I remove the "acl_xattr:ignore system acls = yes" value, the list of users in Windows then adds CREATOR OWNER and CREATOR GROUP, and changes the "DOMAIN\Domain Admins" group to have full control instead, which then allows modification of ACLs through Windows; however this goes against what is listed within the documentation.

Additionally, if I leave the acl_xattr:ignore system acls = yes value and then assign my own user account "DOMAIN\bailey" (which is part of Domain Admins) as the owner group, it does get set with full control and has the ability to modify ACLs through Windows.

Curious as to why adding the acl_xattr:ignore system acls = yes value causes the groups assigned to the owner group of the samba share/directory to go from full control to read, write, execute within Windows; would appreciate any insight.

If I make a folder within the share, I am able to modify permissions fine on that too; it just seems to be the root of the share itself which doesn't allow for any permission assignment, due to the group with SeDiskOperatorPrivilege only displaying read, write, execute access despite being given 0770 permissions on the directory.

Samba versions are 4.13.17 on Ubuntu 20.04 LTS, as well as 4.15.5 on Rocky Linux.
On Mon, 2022-07-11 at 22:58 -0300, Bailey Allison via samba wrote:
> Good evening,
>
> I am currently trying to setup an SMB share using Windows ACLs for
> permissions per the article:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> However I am running into a bit of confusion when it comes to actually
> setting the share permissions on the root of the share.
>
> Per the guide I have the following options set within samba:
>
> map acl inherit = Yes
> vfs objects = acl_xattr
> acl_xattr:ignore system acls = yes

The last line was added to the wiki (by myself) after being recommended by a user. I do not use that line and, sorry to say, I didn't test it.

> In addition, I have granted the "DOMAIN\Domain Admins" group the
> SeDiskOperatorPrivilege.
>
> In addition, I have changed the permissions on the shared directory to:
>
> chmod 0770 /mnt/smb
> chown root:"DOMAIN\Domain Admins" /mnt/smb

The problem is that you have 'acl_xattr:ignore system acls = yes' and it does exactly what it says, it makes Samba ignore the system (Linux) acls, or to put it another way: the '0770' and 'root:Domain\ Admins'.

I will update the wiki.

Rowland
On 7/12/22 03:58, Bailey Allison via samba wrote:
> In addition, I have changed the permissions on the shared directory to:
>
> chmod 0770 /mnt/smb
> chown root:"DOMAIN\Domain Admins" /mnt/smb

I guess this isn't really obvious from the manpage, but you're supposed to set the directory to 0777 so the module can implement the permission evaluation in userspace based on the contents of the NT ACL stored in an xattr, without interference of filesystem permissions.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
On Mon, 2022-07-11 at 22:58 -0300, Bailey Allison via samba wrote:
> Good evening,
>
> I am currently trying to setup an SMB share using Windows ACLs for
> permissions per the article:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

OK, I followed the wiki and added a couple of shares to a Debian Unix domain member running 4.15.7. One had 'acl_xattr:ignore system acls = yes' set, the other didn't.

I logged into Win10 as Administrator and opened the Unix computer in Explorer. I then set 'Unix Admins' (which is a member of Domain Admins) to have full permissions on the shares. I did this via the security tab in Properties.

Going back to the Unix domain member and checking the permissions on the shares with getfacl, returns this:

    getfacl /srv/acl1
    getfacl: Removing leading '/' from absolute path names
    # file: srv/acl1
    # owner: root
    # group: unix\040admins
    user::rwx
    user:root:rwx
    group::rwx
    group:unix\040admins:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:group::r-x
    default:group:unix\040admins:rwx
    default:mask::rwx
    default:other::r-x

    getfacl /srv/acl2
    getfacl: Removing leading '/' from absolute path names
    # file: srv/acl2
    # owner: root
    # group: unix\040admins
    user::rwx
    group::rwx
    other::---

'acl2' is the share with 'acl_xattr:ignore system acls = yes' set. This is what I would expect.

I then checked them with 'samba-tool ntacl get':

    sudo samba-tool ntacl get /srv/acl1 --as-sddl
    O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

    sudo samba-tool ntacl get /srv/acl2 --as-sddl
    O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

This results in different output.

I then repeated the above with two new shares, but logged into Win10 as myself (a member of Unix Admins and Domain Admins); this time, the outputs of the two samba-tool commands are identical.

    sudo samba-tool ntacl get /srv/acl3 --as-sddl
    O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

    sudo samba-tool ntacl get /srv/acl4 --as-sddl
    O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

Why do I get different results depending on who is logged into Win10?

I am going to do some more testing without Administrator.

Rowland
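The SDDL strings that `samba-tool ntacl get --as-sddl` prints above are hard to compare by eye, so here is an added example (not from the thread, and not Samba's own code) that decodes them: it splits the descriptor into owner, group, DACL control flags and ACEs, names the access masks (0x001f01ff is Full Control, 0x001200a9 is Read & Execute), separates ACEs that apply to the directory itself from inherit-only ones (IO), and lists which principals hold an explicit WRITE_DAC right, which is what editing the ACL from the Windows security tab requires. The two descriptor strings are the acl1 and acl2 outputs quoted in the message, rejoined across the mail line wrapping; the mask bits and ACE flag letters are the standard Windows meanings, and the S-1-22-1-uid / S-1-22-2-gid decoding is Samba's Unix SID convention. All function names are this example's own.

```python
import re

# Standard Windows file access-mask bits (public constants, not Samba-specific).
RIGHTS = {
    0x000001: "READ_DATA/LIST_DIR", 0x000002: "WRITE_DATA/ADD_FILE",
    0x000004: "APPEND_DATA/ADD_SUBDIR", 0x000008: "READ_EA", 0x000010: "WRITE_EA",
    0x000020: "EXECUTE/TRAVERSE", 0x000040: "DELETE_CHILD", 0x000080: "READ_ATTRS",
    0x000100: "WRITE_ATTRS", 0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
WRITE_DAC = 0x040000
FULL_CONTROL, MODIFY, READ_EXECUTE, READ, WRITE = 0x1F01FF, 0x1301BF, 0x1200A9, 0x120089, 0x120116
NAMED_MASKS = {FULL_CONTROL: "Full control", MODIFY: "Modify", READ_EXECUTE: "Read & execute",
               READ: "Read", WRITE: "Write", 0: "(no rights)"}
SID_ALIASES = {"WD": "Everyone", "CO": "CREATOR OWNER", "CG": "CREATOR GROUP", "SY": "SYSTEM"}

# Descriptor strings from the message above, with the mail line-wrapping removed.
ACL1_SDDL = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI"
             "(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)"
             "(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)")
ACL2_SDDL = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:"
             "(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)"
             "(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)")

SD_RE = re.compile(r"^O:([A-Z0-9-]+)G:([A-Z0-9-]+)D:([A-Z]*)((?:\([^)]*\))*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_mask(text):
    """Hex mask, empty mask (no rights), or concatenated SDDL rights codes."""
    if text.startswith("0x"):
        return int(text, 16)
    codes = {"FA": FULL_CONTROL, "FR": READ, "FW": WRITE, "FX": 0x1200A0}
    mask = 0
    for i in range(0, len(text), 2):
        if text[i:i + 2] not in codes:
            raise ValueError(f"unsupported rights token {text[i:i + 2]!r}")
        mask |= codes[text[i:i + 2]]
    return mask


def parse_sddl(sddl):
    """Parse an O:G:D: descriptor; whitespace (mail wrapping) is stripped first."""
    m = SD_RE.match(re.sub(r"\s+", "", sddl))
    if not m:
        raise ValueError("not an O:...G:...D:... security descriptor")
    owner, group, control, ace_text = m.groups()
    aces = []
    for body in ACE_RE.findall(ace_text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, flags, rights, _obj, _inh_obj, sid = fields
        aces.append({"type": ace_type, "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
                     "mask": parse_mask(rights), "sid": sid})
    return {"owner": owner, "group": group, "control": control, "aces": aces}


def describe_sid(sid):
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    m = re.match(r"^S-1-22-([12])-(\d+)$", sid)  # Samba's Unix user/group SID space
    if m:
        return f"Unix {'user uid' if m.group(1) == '1' else 'group gid'} {m.group(2)}"
    return sid


def describe_mask(mask):
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    bits = "|".join(name for bit, name in sorted(RIGHTS.items()) if mask & bit)
    return f"custom 0x{mask:08x} ({bits})"


def effective_aces(sd):
    """ACEs that apply to the object itself; IO (inherit-only) ACEs only shape new children."""
    return [a for a in sd["aces"] if "IO" not in a["flags"]]


def acl_editors(sd):
    """SIDs with an explicit, non-denied WRITE_DAC on the object (owner's implicit right not counted)."""
    denied = {a["sid"] for a in effective_aces(sd) if a["type"] == "D" and a["mask"] & WRITE_DAC}
    return sorted({a["sid"] for a in effective_aces(sd)
                   if a["type"] == "A" and a["mask"] & WRITE_DAC and a["sid"] not in denied})


def dacl_diff(a, b):
    """ACE tuples present only in a, and only in b."""
    key = lambda ace: (ace["type"], "".join(ace["flags"]), ace["mask"], ace["sid"])
    sa, sb = {key(x) for x in a["aces"]}, {key(x) for x in b["aces"]}
    return sorted(sa - sb), sorted(sb - sa)


def report(label, sddl):
    sd = parse_sddl(sddl)
    lines = [f"== {label}: owner={describe_sid(sd['owner'])} group={describe_sid(sd['group'])} "
             f"control={sd['control'] or '-'}"]
    for ace in sd["aces"]:
        scope = "inherit-only" if "IO" in ace["flags"] else "this object"
        lines.append(f"  {ace['type']} {''.join(ace['flags']) or '--':8} {describe_mask(ace['mask']):16} "
                     f"{describe_sid(ace['sid'])} [{scope}]")
    lines.append("  explicit WRITE_DAC holders: " + ", ".join(describe_sid(s) for s in acl_editors(sd)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("acl1 (system acls honoured)", ACL1_SDDL))
    print(report("acl2 (ignore system acls = yes)", ACL2_SDDL))
    only1, only2 = dacl_diff(parse_sddl(ACL1_SDDL), parse_sddl(ACL2_SDDL))
    print("only in acl1:", only1)
    print("only in acl2:", only2)
```

Running it shows what the raw strings hide: acl1 carries the PAI control flags (protected, auto-inherited) and gives the group its Full Control ACE with OICI, so it propagates, while acl2 has no control flags, the group's Full Control ACE carries no inheritance flags, and an extra Everyone ACE with an empty mask sits on the directory itself. The CREATOR OWNER/GROUP entries in both are inherit-only, which is why they do not grant anything on the share root.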