On Tue, 2022-07-12 at 13:36 +0100, Rowland Penny via samba wrote:
> On Mon, 2022-07-11 at 22:58 -0300, Bailey Allison via samba wrote:
> > Good evening,
> >
> > I am currently trying to setup an SMB share using Windows ACLs for
> > permissions per the article:
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
>
> OK, I followed the wiki and added a couple of shares to a Debian Unix
> domain member running 4.15.7.
>
> One had 'acl_xattr:ignore system acls = yes' set, the other didn't.
>
I carried out the same tests on another machine (this time using 'rid'), but this computer did not map Administrator to root with a user.map. Everything else was the same.
Logged into Win10 as Administrator, I couldn't change anything; I expected this.
Logged in as myself, I could alter the permissions on the share that didn't have 'acl_xattr:ignore system acls = yes' set, but on the other I got:

An error occurred while applying security information to \\mintclient\acltest2
Failed to enumerate objects in the container. Access is denied.
When I checked the ACLs with samba-tool, I got these:

sudo samba-tool ntacl get /srv/acl1 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

sudo samba-tool ntacl get /srv/acl2 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
They are different, this is probably to be expected.
It looks to me that the user.map is required, but you shouldn't set permissions from Windows as Administrator; you should set them as a user that is a member of 'Administrators' or 'Domain Admins', or is a member of a group that is a member of either group.
It also looks like you should set 'acl_xattr:ignore system acls = yes' on the shares if setting permissions from Windows, but only if you also set a user.map and never change the permissions as Administrator.
Now to phrase all that in a way suitable for the wiki.
Rowland
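The two SDDL strings quoted in the message, decoded. This is an added example, not code from Rowland's message or from the Samba project: a small Python SDDL parser that names each ACE's trustee and access mask, marks inherit-only (IO) entries that never apply to the directory itself, and diffs the two DACLs. The SDDL strings are the ones from the message, re-joined onto one line; the function names (parse_sddl, explain, effective_on_object, ace_diff) and the Samba Unix-user/Unix-group SID naming are the example's own. The message does not say which of /srv/acl1 and /srv/acl2 carried 'acl_xattr:ignore system acls = yes', so the script does not assume it.

```python
"""Decode SDDL as printed by `samba-tool ntacl get <path> --as-sddl`.
Added example, not code from the list post or the Samba project: it names each
ACE's trustee and rights and separates entries that govern the directory itself
from inherit-only (IO) ones that are only copied onto new children."""
import re
from collections import namedtuple

Ace = namedtuple("Ace", "ace_type flags mask sid")  # ace_type: "A" allow, "D" deny
SecurityDescriptor = namedtuple("SecurityDescriptor", "owner group control aces")

DACL_CONTROL = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
ACE_FLAGS = {"OI", "CI", "IO", "NP", "ID"}  # object/container inherit, inherit-only, no-propagate, inherited
SID_ALIASES = {"WD": "S-1-1-0", "CO": "S-1-3-0", "CG": "S-1-3-1"}
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER", "S-1-3-1": "CREATOR GROUP"}
RIGHT_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
FILE_RIGHTS = [(0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
               (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
               (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
               (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
               (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]
KNOWN_MASKS = {0x1F01FF: "Full control", 0x1301BF: "Modify", 0x1200A9: "Read & execute",
               0x120089: "Read", 0x120116: "Write"}

def split_tokens(text, table):
    """Split a run of SDDL flag letters into known tokens, trying two letters first."""
    out, i = [], 0
    while i < len(text):
        tok = text[i:i + 2] if text[i:i + 2] in table else text[i]
        if tok not in table:
            raise ValueError(f"unknown SDDL token {text[i:]!r}")
        out.append(tok)
        i += len(tok)
    return tuple(out)

def parse_mask(text):
    """Access mask: hex as samba-tool prints it, aliases such as FA, or empty (= 0)."""
    if text.startswith("0x"):
        return int(text, 16)
    return sum(RIGHT_ALIASES[t] for t in split_tokens(text, RIGHT_ALIASES))

def parse_sddl(sddl):
    """Parse the O:, G: and D: sections; an S: (SACL) section is accepted and skipped."""
    parts = {m.group(1): m.group(2) for m in re.finditer(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl)}
    dacl = parts.get("D", "")
    control = split_tokens(dacl.split("(", 1)[0], DACL_CONTROL)  # e.g. "PAI" -> ("P", "AI")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        f = body.split(";")  # type;flags;rights;object_guid;inherit_object_guid;sid
        if len(f) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        aces.append(Ace(f[0], split_tokens(f[1], ACE_FLAGS), parse_mask(f[2]),
                        SID_ALIASES.get(f[5], f[5])))
    owner, group = (SID_ALIASES.get(parts.get(k, ""), parts.get(k, "")) for k in "OG")
    return SecurityDescriptor(owner, group, control, tuple(aces))

def describe_sid(sid):
    """Name well-known SIDs and Samba's Unix Users (S-1-22-1-uid) / Unix Groups (S-1-22-2-gid)."""
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if m:
        kind = "uid" if m.group(1) == "1" else "gid"
        root = " (root)" if sid == "S-1-22-1-0" else ""
        return f"Unix {kind}={m.group(2)}{root}"
    return WELL_KNOWN.get(sid, sid)

def describe_mask(mask):
    if mask in KNOWN_MASKS:
        return KNOWN_MASKS[mask]
    names = "|".join(n for b, n in FILE_RIGHTS if mask & b)
    return names or (hex(mask) if mask else "no rights (empty mask)")

def effective_on_object(sd):
    """ACEs that govern the directory itself; IO entries are only copied to new children."""
    return [a for a in sd.aces if "IO" not in a.flags]

def ace_diff(a, b):
    """ACEs present in one DACL but absent from the other (order-insensitive)."""
    sa, sb = set(a.aces), set(b.aces)
    return [x for x in a.aces if x not in sb], [x for x in b.aces if x not in sa]

def explain(sddl):
    """One line per ACE: type, trustee, rights and where the entry applies."""
    sd = parse_sddl(sddl)
    out = [f"owner={describe_sid(sd.owner)} group={describe_sid(sd.group)} "
           f"control={[DACL_CONTROL[c] for c in sd.control]}"]
    for a in sd.aces:
        scope = ("children only" if "IO" in a.flags
                 else "this dir + children" if set(a.flags) & {"OI", "CI"} else "this dir only")
        out.append(f"  {a.ace_type} {describe_sid(a.sid):<48} {describe_mask(a.mask):<16} {scope}")
    return out

# The two DACLs quoted in the message, re-joined onto one line each.
ACL1 = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122"
        "D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
        "(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)")
ACL2 = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122"
        "D:(A;;0x001f01ff;;;S-1-22-1-0)"
        "(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)"
        "(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
        "(A;OICIIO;0x001200a9;;;WD)")

if __name__ == "__main__":
    for path, sddl in (("/srv/acl1", ACL1), ("/srv/acl2", ACL2)):
        print(path, *explain(sddl), sep="\n")
    only1, only2 = ace_diff(parse_sddl(ACL1), parse_sddl(ACL2))
    print("ACEs only in acl1:", *only1, "ACEs only in acl2:", *only2, sep="\n  ")
```

Run it as a script to print both descriptors. The rows to read first are the ones without IO, since only those govern the top-level directory: on /srv/acl1 the domain user's full-control ACE carries OICI and so both applies to the directory and propagates, the DACL is marked protected and auto-inherited (PAI), and Everyone has read/execute on children only; on /srv/acl2 the domain user's ACE has no inheritance flags at all, nothing is protected, and (A;;;;;WD) is an allow ACE for Everyone with an empty access mask, which grants nothing.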