samba - Dec 2022 - windows acls

I am seeing some weird problems with windows acls

At the share (public for all users) I have:

  * root (Unix User\root) : Full control
  * root (Unix Group\root) : Full control
  * Everyone : Full Control
  * CREATOR OWNER : Full Control
  * CREATOR GROUP : Read & execute
  * Everyone : Read & execute
  * Domain Users : Full Control

Inheritance is disabled (button in Computer Management\System 
Tools\Shared Folders\Shares shows "Enable Inheritance")

When I look at one of the folders in the share (mounted at P:\) I see:

  * S-1-5-21-185628584-2620904409-2800336372-1105 : Full Control :
    Inherited From P:\ : This folder only
  * CREATOR OWNER : Full Control : Inherited From P:\ : Subfolders and
    files only
  * Domain Admins : Read & execute : Inherited From P:\ : This folder only
  * CREATOR GROUP : Read & execute : Inherited From P:\ : Subfolders and
    files Only
  * Everyone : Read & execute : Inherited From P:\ : This folder,
    subfolders and files
  * Domain Users : Full control : Inherited From P:\ : This folder,
    subfolders and files

1) S-1-5-21-185628584-2620904409-2800336372-1105 - Should I delete 
this?? it seems to be a broken permission from a previous config?

2) If inheritance is disabled, why do the folders in the share show 
inherited from P:\ ?

3) I am a member of Domain Users and Domain Admins.? I can see files in 
P:\ but I cant overwrite them or delete them.? It seems to be using the 
permissions of Domain Admins R+X and not Domain Users Full Control.? yes 
I know the permissions seem backwards, which is another issue, however 
shouldn't it allow me write access since I am also a member of Domain 
Users ?

Thanks! Peter

On 13/12/2022 18:19, Peter Carlson via samba wrote:
> I am seeing some weird problems with windows acls
> 
> At the share (public for all users) I have:
> 
>  ?* root (Unix User\root) : Full control
>  ?* root (Unix Group\root) : Full control
>  ?* Everyone : Full Control
>  ?* CREATOR OWNER : Full Control
>  ?* CREATOR GROUP : Read & execute
>  ?* Everyone : Read & execute
>  ?* Domain Users : Full Control
> 
> Inheritance is disabled (button in Computer Management\System 
> Tools\Shared Folders\Shares shows "Enable Inheritance")
> 
> When I look at one of the folders in the share (mounted at P:\) I see:
> 
>  ?* S-1-5-21-185628584-2620904409-2800336372-1105 : Full Control :
>  ?? Inherited From P:\ : This folder only
>  ?* CREATOR OWNER : Full Control : Inherited From P:\ : Subfolders and
>  ?? files only
>  ?* Domain Admins : Read & execute : Inherited From P:\ : This folder
only
>  ?* CREATOR GROUP : Read & execute : Inherited From P:\ : Subfolders
and
>  ?? files Only
>  ?* Everyone : Read & execute : Inherited From P:\ : This folder,
>  ?? subfolders and files
>  ?* Domain Users : Full control : Inherited From P:\ : This folder,
>  ?? subfolders and files
> 
> 1) S-1-5-21-185628584-2620904409-2800336372-1105 - Should I delete 
> this?? it seems to be a broken permission from a previous config?
Is 'S-1-5-21-185628584-2620904409-2800336372' the domain SID ?
Who or what is the RID 1105 ?
> 
> 2) If inheritance is disabled, why do the folders in the share show 
> inherited from P:\ ?
> 
> 3) I am a member of Domain Users and Domain Admins.? I can see files in 
> P:\ but I cant overwrite them or delete them.? It seems to be using the 
> permissions of Domain Admins R+X and not Domain Users Full Control.? yes 
> I know the permissions seem backwards, which is another issue, however 
> shouldn't it allow me write access since I am also a member of Domain 
> Users ?
> 
> Thanks! Peter
> 
Can you post the output of the following commands run on the machine 
that holds the share:

ls -lad /path/to/share/directory

getfacl /path/to/share/directory

samba-tool ntacl get /path/to/share/directory --as-sddl

Can you also post the smb.conf from the same machine.

Rowland