On Mon, 2022-07-11 at 22:58 -0300, Bailey Allison via samba wrote:
> Good evening,
>
> I am currently trying to set up an SMB share using Windows ACLs for
> permissions per the article:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>

OK, I followed the wiki and added a couple of shares to a Debian Unix domain member running 4.15.7.

One had 'acl_xattr:ignore system acls = yes' set, the other didn't.

I logged into Win10 as Administrator and opened the Unix computer in Explorer. I then set 'Unix Admins' (which is a member of Domain Admins) to have full permissions on the shares. I did this via the security tab in Properties.

Going back to the Unix domain member and checking the permissions on the shares with getfacl returns this:

getfacl /srv/acl1
getfacl: Removing leading '/' from absolute path names
# file: srv/acl1
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:unix\040admins:rwx
default:mask::rwx
default:other::r-x

getfacl /srv/acl2
getfacl: Removing leading '/' from absolute path names
# file: srv/acl2
# owner: root
# group: unix\040admins
user::rwx
group::rwx
other::---

'acl2' is the share with 'acl_xattr:ignore system acls = yes' set.

This is what I would expect.
I then checked them with 'samba-tool ntacl get':

sudo samba-tool ntacl get /srv/acl1 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

sudo samba-tool ntacl get /srv/acl2 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

This results in different output.

I then repeated the above with two new shares, but logged into Win10 as myself (a member of Unix Admins and Domain Admins). This time, the outputs of the two samba-tool commands are identical.

sudo samba-tool ntacl get /srv/acl3 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

sudo samba-tool ntacl get /srv/acl4 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

Why do I get different results depending on who is logged into Win10?

I am going to do some more testing without Administrator.

Rowland
On Tue, 2022-07-12 at 13:36 +0100, Rowland Penny via samba wrote:
> On Mon, 2022-07-11 at 22:58 -0300, Bailey Allison via samba wrote:
> > Good evening,
> >
> > I am currently trying to set up an SMB share using Windows ACLs for
> > permissions per the article:
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
>
> OK, I followed the wiki and added a couple of shares to a Debian Unix
> domain member running 4.15.7.
>
> One had 'acl_xattr:ignore system acls = yes' set, the other didn't.
>

I carried out the same tests on another machine (this time using 'rid'), but this computer did not map Administrator to root with a user.map. Everything else was the same.

Logged into Win10 as Administrator, I couldn't change anything; I expected this.

Logged in as myself, I could alter the permissions on the share that didn't have 'acl_xattr:ignore system acls = yes' set, but on the other, I got:

An error occurred while applying security information to \\mintclient\acltest2

Failed to enumerate objects in the container. Access is denied.

When I checked the ACLs with samba-tool, I got these:

sudo samba-tool ntacl get /srv/acl1 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

sudo samba-tool ntacl get /srv/acl2 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

They are different; this is probably to be expected.
It looks to me that the user.map is required, but you shouldn't set permissions from Windows as Administrator; you should set them as a user that is a member of 'Administrators' or 'Domain Admins', or is a member of a group that is a member of either group.

It also looks like you should set 'acl_xattr:ignore system acls = yes' on the shares if setting permissions from Windows, but only if you also set a user.map and never change the permissions as Administrator.

Now to phrase all that in a way suitable for the wiki.

Rowland
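The two messages above compare 'samba-tool ntacl get --as-sddl' output for acl1 and acl2 by eye, which is hard with hex masks and the mailing list's 72-column wrapping. The following script is an added example for this thread, not Samba's own code: it parses the owner, group, DACL flags and ACEs out of an SDDL string (dropping whitespace first, so the wrapped text from the mails can be pasted unchanged), decodes the access masks and inheritance flags, and lists the ACEs that appear in only one of the two ACLs. The ACL strings are the ones quoted in the thread; the access-mask bit names and the FA/FR/FW/FX aliases are the standard Windows file-rights values, and the reporting format is this example's own choice.

```python
"""Parse the DACL of 'samba-tool ntacl get --as-sddl' output and diff two of them (added example, not Samba code)."""
import re
from dataclasses import dataclass

# Two-letter SID aliases that appear in the thread's output
SID_ALIASES = {"WD": "S-1-1-0 (Everyone)", "CO": "S-1-3-0 (Creator Owner)",
               "CG": "S-1-3-1 (Creator Group)"}
# Standard and file-specific access-mask bits, low to high
MASK_BITS = [
    (0x000001, "FILE_READ_DATA"), (0x000002, "FILE_WRITE_DATA"), (0x000004, "FILE_APPEND_DATA"),
    (0x000008, "FILE_READ_EA"), (0x000010, "FILE_WRITE_EA"), (0x000020, "FILE_EXECUTE"),
    (0x000040, "FILE_DELETE_CHILD"), (0x000080, "FILE_READ_ATTRIBUTES"), (0x000100, "FILE_WRITE_ATTRIBUTES"),
    (0x010000, "DELETE"), (0x020000, "READ_CONTROL"), (0x040000, "WRITE_DAC"),
    (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]
FULL_CONTROL = 0x001F01FF  # every bit above (SDDL alias FA)
READ_EXECUTE = 0x001200A9  # read data/EA/attrs + execute + READ_CONTROL + SYNCHRONIZE
# Symbolic file-generic rights SDDL may print instead of a hex mask
RIGHTS_ALIASES = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# The acl1/acl2 strings from the thread, rejoined from the mail wrapping
ACL1_SDDL = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI"
             "(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)"
             "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
             "(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)")
ACL2_SDDL = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:"
             "(A;;0x001f01ff;;;S-1-22-1-0)"
             "(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)"
             "(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
             "(A;OICIIO;0x001200a9;;;WD)")

@dataclass(frozen=True)
class Ace:
    ace_type: str  # A = access allowed, D = access denied
    flags: tuple   # inheritance flags: OI, CI, IO, NP, ID
    mask: int      # access mask
    sid: str       # SID or two-letter alias

def parse_flags(token: str) -> tuple:
    """Split a DACL/ACE flag string: 'P' is one letter, all other flags are pairs."""
    flags = []
    while token:
        width = 1 if token[0] == "P" else 2
        flags.append(token[:width])
        token = token[width:]
    return tuple(flags)

def parse_mask(token: str) -> int:
    if token == "":
        return 0  # ACE that grants nothing, e.g. (A;;;;;WD)
    if token.lower().startswith("0x"):
        return int(token, 16)
    if token in RIGHTS_ALIASES:
        return RIGHTS_ALIASES[token]
    raise ValueError(f"unsupported rights token {token!r}")

def describe_mask(mask: int) -> str:
    if mask == FULL_CONTROL:
        return "FULL_CONTROL"
    if mask == READ_EXECUTE:
        return "READ_AND_EXECUTE"
    if mask == 0:
        return "NO_RIGHTS"
    return "|".join(n for bit, n in MASK_BITS if mask & bit) or f"0x{mask:08x}"

def render_ace(ace: Ace) -> str:
    return (f"{ace.ace_type};{''.join(ace.flags) or '-'};"
            f"{describe_mask(ace.mask)};{SID_ALIASES.get(ace.sid, ace.sid)}")

def parse_sddl(sddl: str) -> dict:
    """Parse 'O:owner G:group D:flags(ace)...'. Whitespace is dropped first, so
    text wrapped at 72 columns by the mailing list can be pasted unchanged."""
    text = "".join(sddl.split())
    m = re.fullmatch(r"O:(?P<owner>[^:()]+?)G:(?P<group>[^:()]+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)", text)
    if m is None:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("aces")):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts
        aces.append(Ace(ace_type, parse_flags(flags), parse_mask(rights), sid))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": parse_flags(m.group("flags")), "aces": aces}

def diff_dacls(sddl_a: str, sddl_b: str):
    """Return (flags_a, flags_b, ACEs only in a, ACEs only in b)."""
    a, b = parse_sddl(sddl_a), parse_sddl(sddl_b)
    only_a = sorted(set(a["aces"]) - set(b["aces"]), key=render_ace)
    only_b = sorted(set(b["aces"]) - set(a["aces"]), key=render_ace)
    return a["dacl_flags"], b["dacl_flags"], only_a, only_b

if __name__ == "__main__":
    fa, fb, only_a, only_b = diff_dacls(ACL1_SDDL, ACL2_SDDL)
    print(f"DACL flags: acl1={''.join(fa) or '-'} acl2={''.join(fb) or '-'}")
    for label, aces in (("only in acl1", only_a), ("only in acl2", only_b)):
        for ace in aces:
            print(f"{label}: {render_ace(ace)}")
```

Run on the two strings from the thread, the diff reduces to three points a reader can check against the raw output: acl1 carries the DACL flags P and AI while acl2 has none; the 'Unix Admins' group ACE (the S-1-5-21-...-2122 SID) has OI and CI set on acl1 but no inheritance flags on acl2; and acl2 contains an extra (A;;;;;WD) entry, an allow ACE for Everyone with an empty access mask. The script only reports what the SDDL says; why the two shares end up different is the question the thread itself is working through.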