On 7/12/22 03:58, Bailey Allison via samba wrote:> In addition, I have changed the permissions on the shared directory to: > > chmod 0770 /mnt/smb > chown root:"DOMAIN\Domain Admins" /mnt/smbI guess this isn't really obvious from the manpage, but you're supposed to set the directory to 0777 so the module can implement the permission evaluation in userspace based on the contents of the NT ACL stored in an xattr, without interference of filesystem permissions. -slow -- Ralph Boehme, Samba Team https://samba.org/ SerNet Samba Team Lead https://sernet.de/en/team-samba -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20220712/8baa302f/OpenPGP_signature.sig>
On Tue, 2022-07-12 at 09:53 +0200, Ralph Boehme via samba wrote:> On 7/12/22 03:58, Bailey Allison via samba wrote: > > In addition, I have changed the permissions on the shared directory > > to: > > > > chmod 0770 /mnt/smb > > chown root:"DOMAIN\Domain Admins" /mnt/smb > I guess this isn't really obvious from the manpage, but you're > supposed > to set the directory to 0777 so the module can implement the > permission > evaluation in userspace based on the contents of the NT ACL stored in > an > xattr, without interference of filesystem permissions.No, it isn't obvious and that would allow anyone that gets local access to the samba server access to the shares directory. Rowland