thr3ads.net - samba - [Samba] access "claim types" [Feb 2023]

If this information is useful, please help other people find it:
Share via:

Rowland Penny

2023-Feb-10 09:01 UTC

[Samba] access "claim types"

On 10/02/2023 08:38, Stefan G. Weichinger via samba
wrote:> Am 10.02.23 um 09:10 schrieb Rowland Penny via samba:
> 
>>> idmap config * : range = 3000-7999
>>> idmap config * : backend = tdb
>>> idmap config NORAS : range = 10000-20000
>>> idmap config NORAS : backend = rid
>>
>> Is this bad sanitisation ?
>> your workgroup is 'COMP' and the idmap config lines are using
'NORAS',
>> they should be the same.
>>
>> If that isn't it, try looking at dns, with things like this, it is 
>> usually dns.
> 
> no that was just me trying to anonymize things and failing ...
Thought so LOL
> 
> think
> 
> idmap config COMP : range = 10000-20000
> idmap config COMP : backend = rid
> 
> -
> 
> Tested on a test share now.
> 
> That yellow warning still comes, but this "claim types" thing
seems only
> to relate to some conditions
> 
> I googled this image as reference:
> 
>
https://download.huawei.com/mdl/image/download?uuid=8e4e181d5bcd4626ac44ffe959904264
> 
> I was able to add a principal and edit its permission on the testshare.
> 
> The yellow warning is there on shares belonging to root or Administrator 
> (wrong)
Problem is, Administrator shouldn't own anything on Unix.
> 
> -
> 
> Reading 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
> again, sure.
> 
> I don't have "acl_xattr:ignore system acls = yes" ...
changing that
> sounds dangerous, especially while there are dozens of active users on 
> the server right now.
> 
> 
That does exactly what it says, the normal 'ugo' Unix permissions will 
be ignored and only permissions set from Windows (and stored in an EA) 
will be used by Samba.

Rowland

Stefan G. Weichinger

2023-Feb-10 09:14 UTC

head link

[Samba] access "claim types"

Am 10.02.23 um 10:01 schrieb Rowland Penny via samba:
>> The yellow warning is there on shares belonging to root or 
>> Administrator (wrong)
> 
> Problem is, Administrator shouldn't own anything on Unix.
I understand. Will try to change that asap.

But why the warning on shares also where the directory belongs to root 
on the linux filesystem?

Just tested that again with a test share:

chown to root:10512 (domain-admins), chmod 770 ... same yellow warning 
in the dialog (with the 2 corrected DNS-IPs in resolv.conf also)
>> Reading 
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
>> again, sure.
>>
>> I don't have "acl_xattr:ignore system acls = yes" ...
changing that
>> sounds dangerous, especially while there are dozens of active users on 
>> the server right now.
> 
> That does exactly what it says, the normal 'ugo' Unix permissions
will
> be ignored and only permissions set from Windows (and stored in an EA) 
> will be used by Samba.
Should I set that or not?

Is there a best practice to fix that on productive machines without 
breaking stuff?

The users work with the shares for years now, I am not even sure if that 
yellow warning for those "claim types" is relevant at all in my case
...
as I seem to be able to add/edit perms anyway.

samba - Feb 2023 - access "claim types"

[Samba] access "claim types"

[Samba] access "claim types"