Okay then :-( I think I'll have to divide our shares into two categories:
1. One with "nt acl support = no" which I'd consider the "pure Linux security" category.
2. Probably another category with "acl_xattr:ignore system acls = yes", as a "pure Windows security" category.
It would be better to have an underlying OS with native NFSv4 ACL support
instead of POSIX ACLs, since converting NT ACLs to POSIX ACLs seems to be a
bit problematic nowadays.
Again, thank you very much for all your efforts, especially for reproducing
my issues last weekend.
Sincerely,
Tamás
Rowland Penny via samba <samba at lists.samba.org> wrote (on Fri, 16 Jun 2023, 18:19):
>
>
> On 16/06/2023 16:20, Tamás Németh via samba wrote:
> > Dear Rowland,
> >
> > I'm trying to write a single email answering all the questions of your
> > recent emails:
> >
> >
> >> Hi Tamas, I have been reviewing your numerous posts on this list about
> >> this project, are you aware that you have been posting for 6 months ?
> >
> > Well, not exactly :-) Only 5 months and 5 days :-) However, this specific
> > thread is only 9 days old. I had a few mails in January, February, etc.,
> > where I asked for help with the migration of an ancient server. Thank you
> > for your help with those questions, the migration was successful apart from
> > the mentioned "piling up" of POSIX ACLs, which I discovered 9 days ago.
>
> Quite correct, seems I cannot count LOL.
>
> >
> >
> >
> >> [quote]
> >> this "piling up" of ACL information doesn't happen either on a native
> >> Windows file server or with vfs_acl_xattr
> >> [/quote]
> >> Does this mean you do not have 'vfs objects = acl_xattr' in your
> >> smb.conf ?
> >
> > Yes, it means that. I don't have vfs_acl_xattr enabled on our infamous
> > production server, however, I conducted some experiments on a server cloned
> > from it, where I enabled either vfs_acl_xattr or vfs_acl_tdb. I noticed
> > that SaMBa behaves differently in all three scenarios (1. no VFS backend,
> > 2. acl_xattr, 3. acl_tdb). This mail contains the details:
> > https://lists.samba.org/archive/samba/2023-June/245479.html Of the three
> > scenarios, vfs_acl_xattr (plus its option "ignore system acls = yes") seems
> > to be achieving the best results, permissions identical to that of native
> > Windows.
> >
>
> I think that is your problem, more later.
>
> >
> >
> >
> >> [quote]
> >> this may be the reason why using POSIX ACLs with SaMBa is deprecated
> >> [/quote]
> >> As far as I am aware, using POSIX ACLs isn't deprecated, is it possible
> >> you can tell us where you found that information ?
> >
> > OK, I probably misinterpreted or exaggerated two sentences from here:
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
> > The sentences are: "You are advised that a better option than POSIX draft
> > ACLs is to use Windows ACLs, this will allow you to set up fine-granular
> > ACLs." and "Linux however, ... here only deprecated POSIX draft ACLs exist."
>
> Yes, you were quite correct (again), it did say 'deprecated', the thing
> is they were never deprecated (well, not that I have ever found anything
> saying so). As far as I am aware, it was a draft and this was withdrawn,
> but too late, they were already in use and have continued to be used.
>
> >
> >
> >
> >
> >> It might also be a good idea if we could see your present smb.conf, so
> >> please post the output of 'testparm -s' (sanitised if must).
> >
> > OK, here is my smb.conf with most of the (very numerous) shares removed:
> > https://pastebin.com/xWASKir4
> >
> >
> >
> >> Now you can, with 'setfacl' add default permissions, are these what you
> >> are referring to as 'Posix ACLs' ?
> >
> > When using the phrase "default (POSIX) ACLs" in the mail
> > https://lists.samba.org/archive/samba/2023-June/245540.html I was referring
> > to the default ACLs created with the --default option of setfacl.
> >
> >
> >
> >> is Samba causing the problem, or to put it
> >> another way, if the share was on a Windows machine, would the ACL's get
> >> created differently ?
> >
> > Well, SaMBa with "vfs objects = acl_xattr" + "acl_xattr:ignore system acls
> > = yes" seems to create identical ACLs to those created by Windows, but when
> > relying on solely POSIX ACLs (running SaMBa on Linux / ext4), the ACLs
> > differ from the Windows ones quite a bit. I'm well aware that NFS4 ACLs
> > cannot be converted to POSIX ACLs without a loss, but even despite this, I
> > wouldn't expect two phenomena to occur to MS Word files edited by
> > multiple users on a SaMBa server using the configuration from the pastebin
> > link above. The two phenomena (not happening on Windows or SaMBa +
> > "acl_xattr:ignore system acls = yes") are the following:
> >
> > 1. Piling up of UIDs of users who ever edited a DOCX file in the said
> > file's POSIX ACL. This doesn't happen on Windows. Only the owner changes
> > there when saving an Office document.
> > 2. UIDs and GIDs added to POSIX ACLs as both users and groups without
> > distinction.
> >
> >
>
> This is what I think is happening. Because you are not using
> vfs_acl_xattr, Samba is passing the permissions to the OS (without doing
> anything to them) and the OS is taking them verbatim and setting them.
> If you were to use vfs_acl_xattr, Samba sets the permissions based on
> what Windows says they are and then passes that to the OS. There is
> evidently a vast difference between the two.
>
> Rowland
>
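
One way to check a share for the two symptoms listed in the quoted message (named user entries accumulating in a file's POSIX ACL, and the same ID present as both a user and a group entry), as an added example that is not part of the original thread. It parses `getfacl -n` output; the sample ACL text, the function names and the `max_named_users` threshold are constructed for illustration.

```python
# Constructed `getfacl -n` output for two files (sample data, not from the thread).
SAMPLE = """\
# file: share/report.docx
# owner: 3000021
# group: 3000005
user::rwx
user:3000021:rwx
user:3000034:rwx
user:3000047:rwx
group::rwx
group:3000005:rwx
group:3000021:rwx
group:3000034:rwx
mask::rwx
other::---

# file: share/notes.txt
# owner: 3000021
# group: 3000005
user::rw-
group::r--
group:3000005:rw-\t#effective:r--
mask::r--
other::---
"""

def parse_getfacl(text):
    """Map each path to the named user/group qualifiers in its access ACL."""
    acls, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("# file: "):
            current = acls.setdefault(raw[8:].strip(), {"user": set(), "group": set()})
            continue
        # Drop header comments and trailing "#effective:" annotations.
        parts = raw.split("#", 1)[0].strip().split(":")
        # Named entries are tag:qualifier:perms; "default:" entries have 4 fields.
        if current is not None and len(parts) == 3 and parts[0] in current and parts[1]:
            current[parts[0]].add(parts[1])
    return acls

def audit(text, max_named_users=1):
    """Flag files over the assumed named-user threshold or with an ID listed as user and group."""
    findings = {}
    for path, acl in parse_getfacl(text).items():
        both = sorted(acl["user"] & acl["group"])
        if len(acl["user"]) > max_named_users or both:
            findings[path] = {"named_users": sorted(acl["user"]), "both": both}
    return findings
```

To run it against a real share, pass the captured output of `getfacl -n -R` on the share directory to `audit()` instead of `SAMPLE`.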