samba - Oct 2022 - Windows ACLs

On 03/10/2022 15:38, Peter Carlson via samba wrote:
> I am trying to set up a samba file server with the following 2 
> characteristics:
> 1) use RSAT tools to set ACLs
No you are not ;-)
> 2) new folders / files need to have group write permissions
>  ?? ?ie: UserData = Domain Users
>  ?? ?ie: AdminData = Domain Admins
>  ?? ?ie: Accounting = Accounting
> 
> I think I'm about 90% of the way there after reading and following this
> guide: 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
I think you are about 90% away from setting up the permissions
Try this smb.conf:

[global]
security = ads
idmap config SDCP : range = 2000000-2999999
idmap config SDCP : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind refresh tickets = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = yes

[Test]
     path = /data/test
     comment = test
     read only = no
     acl_xattr:ignore system acls = yes

The last line in the share is interesting, it means what it it says, 
ignore the system (Linux) acls, you can set these to what you like and 
Samba WILL ignore them.

I suggest you read the wiki page again and follow it to the letter. you 
may also need to install the 'acl' and 'attr' packages.

You should also be aware that synology uses its own version of Samba, so 
something of theirs could be getting in the way, this is just a possibility.

PreScript: I am willing to purchase support if that is an option

> You should also be aware that synology uses its own version of Samba, 
> so something of theirs could be getting in the way, this is just a 
> possibility.
noted - just a point of clarification, the snyology is only serving AD, 
the file server is ubuntu

> I suggest you read the wiki page again and follow it to the letter.
ok, I spun up a new server for testing, should have done that 
before...that gives us a clean place to start.? So following the wiki 
step by step (error appears in step 7 and a snip of it is here: 
https://snipboard.io/3dlDyi.jpg ):

1) Preparing the Host - host is joined to the domain
 ?? ?root at filesvr2:/data# getent passwd SDCP\\peter
 ?? ?SDCP\peter:*:2001105:2000512::/home/peter at SDCP:/bin/bash

2) File System Support - all requirements met
 ?? ?ext4 with the appropriate options
 ?? ???? root at filesvr2:/data# grep EXT4 /boot/config-`uname -r`
 ?? ???? CONFIG_EXT4_FS_POSIX_ACL=y
 ?? ???? CONFIG_EXT4_FS_SECURITY=y
 ?? ?acl, attr and xattr installed
 ?? ???? root at filesvr2:/data# apt search attr | grep -i installed
 ?? ???? attr/jammy,now 1:2.5.1-1build1 amd64 [installed,automatic]

 ?? ???? root at filesvr2:/data# apt search acl | grep -i installed
 ?? ???? acl/jammy,now 2.3.1-1 amd64 [installed]

 ?? ???? root at filesvr2:/data# apt search xattr | grep -i install
 ?? ???? xattr/jammy,now 0.9.7-1build4 amd64 [installed]

3) Samba has extended ACL support
 ?? ?root at filesvr2:/data# smbd -b | grep HAVE_LIBACL
 ?? ??? HAVE_LIBACL

4) Enabled Extended ACL
 ?? ?see smb.conf below

5) Granting the SeDiskOperatorPrivilege Privilege
 ?? ?root at filesvr2:/data# net rpc rights list privileges 
SeDiskOperatorPrivilege -U "SDCP\administrator"
 ?? ?Password for [SDCP\administrator]:
 ?? ?SeDiskOperatorPrivilege:
 ?? ?? SDCP\Linux Admins
 ?? ?? BUILTIN\Administrators

6) Added the share and set ownership as shown
 ??? root at filesvr2:/data# mkdir test
 ??? root at filesvr2:/data# chown root:"SDCP\Linux Admins" test
 ??? root at filesvr2:/data# chmod 0770 test
 ??? root at filesvr2:/data# ls -l
 ?? ?total 4
 ?? ?drwxrwx--- 2 root SDCP\linux admins 4096 Oct? 3 17:04 test

7) switch to windows and connect via computer management
 ?? ?shares/Test has Share Permissions of Everyone = Full Control, 
Change, Read
_*Security Tab, Linux Admins has no permissions set at all.? I try to 
select them and get Access Denied*_
 ?? ?getfacl shows rwx for user and group: root at filesvr2:/data# getfacl test
 ?? ???? # file: test
 ?? ???? # owner: root
 ?? ???? # group: SDCP\\linux\040admins
 ?? ???? user::rwx
 ?? ???? group::rwx
 ?? ???? other::---

 ?? ?root at filesvr2:/data# xattr -p security.NTACL test
 ?? ?No such xattr: security.NTACL
 ?? ?root at filesvr2:/data# xattr test

smb.conf:
root at filesvr2:/data# cat /etc/samba/smb.conf
[global]
workgroup = SDCP
kerberos method = secrets and keytab
realm = SA*****NT.LOCAL
template shell = /bin/bash

security = ads
idmap config SDCP : range = 2000000-2999999
idmap config SDCP : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind refresh tickets = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = yes

[Test]
 ??? path = /data/test
 ??? comment = test
 ??? read only = no
 ??? acl_xattr:ignore system acls = yes