samba - Nov 2023 - Setting up Profiles share... 777?!

In a fresh samba AD domain i'm setting up the 'Profiles' share for
roaming
profiles, following the wiki:

	https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
	https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

leading to:

 [profiles]
	comment = Network Profiles Share
	csc policy = disable
	map acl inherit = Yes
	path = /srv/samba/profiles
	read only = No
	vfs objects = acl_xattr
	acl_xattr:default acl style = windows
	acl_xattr:ignore system acls = yes

But failing to create profiles for users; after fiddling a bit, i was forced
to have '/srv/samba/profiles' as 775 :unixadm (a group member of
'Domain
Aministrators') and profile folders get created '777':

 root at vdmacpn1:~# ls -la /srv/samba/profiles/
 totale 16
 drwxrwxr-x  7 gaio    unixadm        92 28 nov 15.49 .
 drwxrwxr-x  5 root    root           54  2 nov 19.24 ..
 drwxrwxrwx  2 daniela segreteria      6  4 nov 10.57 daniela.V2
 drwxrwxrwx 16 daniela segreteria    281 25 nov 11.59 daniela.V6
 drwxrwxrwx 15 gaio    domain users  272 28 nov 15.49 gaio.V2
 drwxrwxrwx 15 gaio    sa           4096 28 nov 14.47 gaio.V2.good
 drwxrwxrwx 17 gaio    sa           4096  4 nov 11.57 gaio.V6

This seems a little strange and dangerous to me.


What i'm missing?! Thanks.

-- 
  Stiamo arrivando a Beziers. Attento alle curve.
			(Claudio, in auto con Igor diretto in Spagna)

On Tue, 28 Nov 2023 16:00:22 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> 
> In a fresh samba AD domain i'm setting up the 'Profiles' share
for
> roaming profiles, following the wiki:
> 
> 	https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> 	https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> leading to:
> 
>  [profiles]
> 	comment = Network Profiles Share
> 	csc policy = disable
> 	map acl inherit = Yes
> 	path = /srv/samba/profiles
> 	read only = No
> 	vfs objects = acl_xattr
> 	acl_xattr:default acl style = windows
> 	acl_xattr:ignore system acls = yes
Why have you added those two last lines ?
> 
> But failing to create profiles for users; after fiddling a bit, i was
> forced to have '/srv/samba/profiles' as 775 :unixadm (a group
member
> of 'Domain Aministrators') and profile folders get created
'777':
> 
>  root at vdmacpn1:~# ls -la /srv/samba/profiles/
>  totale 16
>  drwxrwxr-x  7 gaio    unixadm        92 28 nov 15.49 .
>  drwxrwxr-x  5 root    root           54  2 nov 19.24 ..
>  drwxrwxrwx  2 daniela segreteria      6  4 nov 10.57 daniela.V2
>  drwxrwxrwx 16 daniela segreteria    281 25 nov 11.59 daniela.V6
>  drwxrwxrwx 15 gaio    domain users  272 28 nov 15.49 gaio.V2
>  drwxrwxrwx 15 gaio    sa           4096 28 nov 14.47 gaio.V2.good
>  drwxrwxrwx 17 gaio    sa           4096  4 nov 11.57 gaio.V6
> 
> This seems a little strange and dangerous to me.
> 
> 
> What i'm missing?! Thanks.
Well, because you have added this line:

acl_xattr:ignore system acls = yes

It does exactly what it says, Samba ignores the Unix attrs, the 'ugo'
ones (rwx), so what have you set from Windows ?

You can read these on Linux with:
sudo samba-tool ntacl get /srv/samba/profiles --as-sddl

Rowland