On 03/10/2022 20:17, Peter Carlson via samba wrote:
> On 10/3/22 11:11, Rowland Penny via samba wrote:
>> Remember what I said about 'acl_xattr:ignore system acls = yes', well I think this could be the problem, a bit of a chicken and egg problem. Until you set the permissions from Windows, it is likely that there are no Windows permissions and because you have set the above line, you cannot get permission to set them. So try removing the 'acl_xattr:ignore system acls = yes' line and try again.
>>
>> Rowland
>>
> This did the trick to get permissions set on the share. It is set for Domain Admins and Domain Users as Full Control. I can now connect to the server as a domain admin and domain user and create a folder and text file in each folder. So that's awesome. Couple of things I noted which are still outstanding:
>
> 1. new folders are created with Read only set, whether created by member of domain admin or domain user. I would normally use directory mask and create mask to control this, but since this is all now controlled with windows ACLs, I'm not sure how to set a default mask (or the default group for that matter, peter is a member of Linux Admins, Domain Admins and Domain Users)

Glad you got the permissions set, I will update the wiki.

Without that line, you will now have three sets of permissions in play:

A) the standard Linux ugo permissions that 'ls' can show
B) the extended acls that 'getfacl' will show
C) the permissions that you have set from Windows and are stored in an EA

Linux will use A & B, Windows will use C if set and if set (without the 'acl_xattr' line), then the Windows permissions will affect the extended acls, if not set, then A & B will be ignored. You can find more about this in 'man vfs_acl_xattr'

Rowland
On 10/3/22 12:31, Rowland Penny via samba wrote:
> On 03/10/2022 20:17, Peter Carlson via samba wrote:
>> On 10/3/22 11:11, Rowland Penny via samba wrote:
>>> Remember what I said about 'acl_xattr:ignore system acls = yes', well I think this could be the problem, a bit of a chicken and egg problem. Until you set the permissions from Windows, it is likely that there are no Windows permissions and because you have set the above line, you cannot get permission to set them. So try removing the 'acl_xattr:ignore system acls = yes' line and try again.
>>>
>>> Rowland
>>>
>> This did the trick to get permissions set on the share. It is set for Domain Admins and Domain Users as Full Control. I can now connect to the server as a domain admin and domain user and create a folder and text file in each folder. So that's awesome. Couple of things I noted which are still outstanding:
>>
>> 1. new folders are created with Read only set, whether created by member of domain admin or domain user. I would normally use directory mask and create mask to control this, but since this is all now controlled with windows ACLs, I'm not sure how to set a default mask (or the default group for that matter, peter is a member of Linux Admins, Domain Admins and Domain Users)
>
> Glad you got the permissions set, I will update the wiki.
>
> Without that line, you will now have three sets of permissions in play:
>
> A) the standard Linux ugo permissions that 'ls' can show
> B) the extended acls that 'getfacl' will show
> C) the permissions that you have set from Windows and are stored in an EA
>
> Linux will use A & B, Windows will use C if set and if set (without the 'acl_xattr' line), then the Windows permissions will affect the extended acls, if not set, then A & B will be ignored. You can find more about this in 'man vfs_acl_xattr'
>
> Rowland

Beer Fund: and growing, but honestly I have to admit this is pretty deep ... been using and admin'ing *nix since 1989 and I feel like I'm doing the doggy paddle here.

So I created 2 new folders as admin and user. Windows sets a newly created folder as Read-Only, but both admins and users can write into both folders.

After reading that man page and looking at the defaults (directory mask 0777), I see that:

a) ls shows 777

    drwxrwxrwx+ 2 SDCP\peter SDCP\domain admins 4096 Oct  3 19:41 test3

b) getfacl shows the domain groups with rwx (except default group which I'm confused about):

    root@filesvr2:/data# getfacl test/*
    # file: test/test3
    # owner: SDCP\\office
    # group: SDCP\\domain\040users
    user::rwx
    user:root:rwx
    user:SDCP\\domain\040users:rwx
    user:SDCP\\linux\040admins:rwx
    group::rwx
    group:SDCP\\domain\040users:rwx
    group:SDCP\\office:rwx
    group:SDCP\\linux\040admins:rwx
    mask::rwx
    other::rwx
    default:user::rwx
    default:user:root:rwx
    default:user:SDCP\\domain\040users:rwx
    default:user:SDCP\\office:rwx
    default:user:SDCP\\linux\040admins:rwx
    default:group::r-x
    default:group:SDCP\\domain\040users:rwx
    default:group:SDCP\\linux\040admins:rwx
    default:mask::rwx
    default:other::rwx

c) DOSATTRIB is getting set, but not sure if there is a friendly way to show it

    root@filesvr2:/data# getfattr -n user.DOSATTRIB -d test/*
    # file: test/test3
    user.DOSATTRIB=0sAAAEAAQAAABRAAAAEAAAAJxb7Cpg19hRG8TrKmDX2AE

Windows GUI only shows Domain Users once (https://snipboard.io/aliKP2.jpg), but Get-Acl lists domain users twice, once with ReadAndExecute and another with FullControl

    PS C:\Users\peter.SDCP> Get-Acl \\filesvr2\Test\user | Format-Table -Wrap

        Directory: \\filesvr2\Test

    Path Owner       Access
    ---- -----       ------
    user SDCP\office Unix User\root Allow  FullControl
                     SDCP\office Allow  FullControl
                     CREATOR OWNER Allow  FullControl
                     SDCP\Domain Users Allow  ReadAndExecute, Synchronize
                     CREATOR GROUP Allow  ReadAndExecute, Synchronize
                     Everyone Allow  FullControl
                     SDCP\Linux Admins Allow  FullControl
                     SDCP\Domain Users Allow  FullControl
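A way to read that DOSATTRIB value, added here as an example of mine rather than anything from the thread or from Samba: it decodes the base64 that getfattr prints and walks the NDR layout of Samba's xattr_DOSATTRIB as I understand it (attrib_hex string, version, union discriminant, then for version 4 the valid_flags, attrib, itime and create_time fields). The layout, the XATTR_DOSINFO_* bit values and the version-4-only restriction are assumptions, checked only against the blob Peter posted.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# FILE_ATTRIBUTE_* bits as Windows defines them.
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
# XATTR_DOSINFO_* bits in valid_flags (assumed values): which info fields Samba filled in.
VALID_FLAGS = {0x01: "ATTRIB", 0x02: "EA_SIZE", 0x04: "SIZE", 0x08: "ALLOC_SIZE",
               0x10: "CREATE_TIME", 0x20: "CHANGE_TIME", 0x40: "ITIME"}
NTTIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def nttime_to_datetime(nt):
    """NTTIME counts 100 ns ticks since 1601-01-01 UTC."""
    return NTTIME_EPOCH + timedelta(microseconds=nt // 10)

def decode_dosattrib(value):
    """Decode user.DOSATTRIB as getfattr prints it ('0s' = base64, '0x' = hex)."""
    if value.startswith("0s"):
        b64 = value[2:]
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # getfattr strips padding
    elif value.startswith("0x"):
        raw = bytes.fromhex(value[2:])
    else:
        raise ValueError("expected getfattr base64 (0s) or hex (0x) encoding")
    # Assumed NDR layout of xattr_DOSATTRIB: NUL-terminated attrib_hex string,
    # uint16 version (2-aligned), uint32 union discriminant (4-aligned),
    # then the version-specific info struct (8-aligned), all little-endian.
    end = raw.index(b"\x00")
    attrib_hex = raw[:end].decode()
    off = (end + 1 + 1) & ~1
    (version,) = struct.unpack_from("<H", raw, off)
    off = (off + 2 + 3) & ~3
    (level,) = struct.unpack_from("<I", raw, off)
    off = (off + 4 + 7) & ~7
    if version != 4 or level != 4:
        raise NotImplementedError(f"only version 4 blobs are decoded here, got {version}")
    # xattr_DosInfo4: valid_flags, attrib, itime, create_time. itime is left raw:
    # Samba derives file ids from it and in Peter's blob its top byte is not a clean NTTIME.
    valid_flags, attrib, itime, create_time = struct.unpack_from("<IIQQ", raw, off)
    return {
        "attrib_hex": attrib_hex,
        "version": version,
        "valid_flags": [n for bit, n in VALID_FLAGS.items() if valid_flags & bit],
        "attrib": attrib,
        "attrib_names": [n for bit, n in FILE_ATTRIBUTES.items() if attrib & bit],
        "itime": itime,
        "create_time": nttime_to_datetime(create_time),
    }

# The blob Peter posted above for test/test3.
PETER_TEST3 = "0sAAAEAAQAAABRAAAAEAAAAJxb7Cpg19hRG8TrKmDX2AE"
```

On Peter's blob this gives attrib 0x10 (DIRECTORY, with no READONLY bit set) and a create time of 2022-10-03 19:41:44 UTC, the same minute as the ls listing above.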
Really good info and good change for the wiki!

I have found in my testing that you can set acl_xattr:ignore system acls = yes on the share initially, but it requires the initial share permission/configuration through Windows to be done via the user rather than the group initially. It appears through Windows with it set it then sees the user as having Full Control and the group as Read and Execute on a folder that is set up to be 770 on the Linux server with it enabled, and therefore not just any member of the group can modify permissions on Windows. (ex. 770 is Full Control for user and Read and Execute for group on Windows)

With the parameter missing from the share it will then pick up user/group as the equivalent on Linux, and then any member of the group can set permissions on Windows. (ex. 770 is Full Control for user and group on Windows)

ex. /mnt/share path is owned by domain\administrator:domain\domain admins, connect to the share as administrator user and then set the permissions through Windows, rather than connect as any member of domain admins and set the permissions through Windows.

If we have acl_xattr:ignore system acls = yes, and the path is owned by root:domain\domain admins, we cannot set Windows ACLs as a member of domain admins through Windows, we must change the user to be for example administrator or a member of domain admins so the path is then owned by domain\administrator:domain\domain admins, and then we can set permissions.

Of course, the change mentioned on the wiki also completely works fine, however just a different method I have found in testing that also works.

Regards,
Bailey