samba - Jan 2024 - Behavior of acl_xattr:ignore system acls = yes on a share

Hi folks,

It seems that the setting acl_xattr:ignore system acls = yes reduces 
Windows compatibility when defined for a share. In all attempts I have 
used Windows tools (except editing smb.conf)

Assume there is a share, where the files and folders in the share root 
should at least be readable by anybody having access to the share. For 
the sake of simplicity the following permissions apply on the share:

Inheritance disabled
Owner: root (Unix User\root)
Domain Admins: full control (this folder, subfolder and files)
Testgroup: read & execute (this folder, subfolder and files)
System: full control (this folder, subfolder and files)
creator owner: (this folder, subfolder and files)

I want however, to set ownership and access permissions for different 
groups to different sub folders. So with acl_xattr:ignore system acls = 
yes I create the sub folder Testfolder, set testgroup as owner, and 
disabling inheritance. When checking the permissions on the folder with 
getfacl I get:

# file: Testfolder
# owner: testgroup
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:testgroup:r-x
group::r-x
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:testgroup:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:user:testgroup:r-x
default:group::r-x
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:group:testgroup:r-x
default:mask::rwx
default:other::---

WITHOUT acl_xattr:ignore system acls = yes I create Testfolder2, and 
again setting testgroup as owner, and disabling inheritance. The 
resulting getfacl is:

# file: Testfolder2
# owner: testgroup
# group: domain\040admins
user::rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:testgroup:rwx
mask::rwx
other::---
default:user::rwx
default:user:domain\040admins:rwx
default:user:testgroup:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:group:testgroup:rwx
default:mask::rwx
default:other::---

In the first case (with acl_xattr:ignore system acls = yes), I get 
access denied when trying to create anything whatsoever as a user 
belonging to the testgroup. In the second case, no problem at all to 
create files and folders for the user belonging to the testgroup.

According to the documentation acl_xattr:ignore system acls = yes should 
increase compatibility with Windows. IMHO, it does the opposite. On my 
Windows server I have got no problems at all to define a set of 
permissions for the share, and then tweaking sub folders to what I need.

Either I have completely misunderstood the concept, or there is 
something not working as it should.

I would be very happy to get some explanations.

Member server Debian Bookworm with Samba from backports (4.19.4)

smb.conf below.

Best regards,

Peter


[global]
 ??????? security = ADS
 ??????? server role = member server
 ??????? realm = PRIVATE.TALPS
 ??????? workgroup = PRIVATE
 ??????? dedicated keytab file = /etc/krb5.keytab
 ??????? kerberos method = secrets and keytab
 ??????? log level = 1
 ??????? disable spoolss = Yes
 ??????? printcap name = /dev/null
 ??????? template homedir = /home/%U
 ??????? template shell = /bin/bash
 ??????? timestamp logs = Yes
 ??????? username map = /etc/samba/user.map
 ??????? min domain uid = 0
#??????? winbind enum groups = Yes
#??????? winbind enum users = Yes
 ??????? winbind expand groups = 4
#?????? winbind offline logon = Yes
 ??????? winbind refresh tickets = Yes
 ??????? winbind use default domain = Yes
 ??????? idmap config * : backend = tdb
 ??????? idmap config * : range = 3000-9999
 ??????? idmap config private : backend = rid
 ??????? idmap config private : range = 10000-99999
 ??????? map acl inherit = Yes
 ??????? inherit acls = yes
 ??????? apply group policies = yes
 ??????? vfs objects = acl_xattr

[Migrtest]
 ??????? path = /data/migrtest
 ??????? read only = no
 ??????? acl_xattr:ignore system acls = yes

On Tue, 30 Jan 2024 16:13:41 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi folks,
> 
> It seems that the setting acl_xattr:ignore system acls = yes reduces 
> Windows compatibility when defined for a share. In all attempts I
> have used Windows tools (except editing smb.conf)
Lets walk through the relevant part of that parameter:
'ignore system acls'

It does what it says, with it set, Samba totally ignores the Unix acls
you can see with 'ls' and getfacl. You must set the permissions from
Windows and either read them from Windows or with tools such as
'samba-tool ntacl get'.

Rowland

Does you filesystem support extended attributes? What does "|getfattr -n
security.NTACL |filename" return?||

On 30.01.2024 16:13, Peter Milesson wrote:
> Hi folks,
>
> It seems that the setting acl_xattr:ignore system acls = yes reduces
> Windows compatibility when defined for a share. In all attempts I have
> used Windows tools (except editing smb.conf)
>
> Assume there is a share, where the files and folders in the share root
> should at least be readable by anybody having access to the share. For
> the sake of simplicity the following permissions apply on the share:
>
> Inheritance disabled
> Owner: root (Unix User\root)
> Domain Admins: full control (this folder, subfolder and files)
> Testgroup: read & execute (this folder, subfolder and files)
> System: full control (this folder, subfolder and files)
> creator owner: (this folder, subfolder and files)
>
> I want however, to set ownership and access permissions for different
> groups to different sub folders. So with acl_xattr:ignore system acls
> = yes I create the sub folder Testfolder, set testgroup as owner, and
> disabling inheritance. When checking the permissions on the folder
> with getfacl I get:
>
> # file: Testfolder
> # owner: testgroup
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> user:testgroup:r-x
> group::r-x
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:testgroup:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040admins:rwx
> default:user:testgroup:r-x
> default:group::r-x
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:group:testgroup:r-x
> default:mask::rwx
> default:other::---
>
> WITHOUT acl_xattr:ignore system acls = yes I create Testfolder2, and
> again setting testgroup as owner, and disabling inheritance. The
> resulting getfacl is:
>
> # file: Testfolder2
> # owner: testgroup
> # group: domain\040admins
> user::rwx
> user:domain\040admins:rwx
> group::rwx
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:testgroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:domain\040admins:rwx
> default:user:testgroup:rwx
> default:group::---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:group:testgroup:rwx
> default:mask::rwx
> default:other::---
>
> In the first case (with acl_xattr:ignore system acls = yes), I get
> access denied when trying to create anything whatsoever as a user
> belonging to the testgroup. In the second case, no problem at all to
> create files and folders for the user belonging to the testgroup.
>
> According to the documentation acl_xattr:ignore system acls = yes
> should increase compatibility with Windows. IMHO, it does the
> opposite. On my Windows server I have got no problems at all to define
> a set of permissions for the share, and then tweaking sub folders to
> what I need.
>
> Either I have completely misunderstood the concept, or there is
> something not working as it should.
>
> I would be very happy to get some explanations.
>
> Member server Debian Bookworm with Samba from backports (4.19.4)
>
> smb.conf below.
>
> Best regards,
>
> Peter
>
>
> [global]
> ??????? security = ADS
> ??????? server role = member server
> ??????? realm = PRIVATE.TALPS
> ??????? workgroup = PRIVATE
> ??????? dedicated keytab file = /etc/krb5.keytab
> ??????? kerberos method = secrets and keytab
> ??????? log level = 1
> ??????? disable spoolss = Yes
> ??????? printcap name = /dev/null
> ??????? template homedir = /home/%U
> ??????? template shell = /bin/bash
> ??????? timestamp logs = Yes
> ??????? username map = /etc/samba/user.map
> ??????? min domain uid = 0
> #??????? winbind enum groups = Yes
> #??????? winbind enum users = Yes
> ??????? winbind expand groups = 4
> #?????? winbind offline logon = Yes
> ??????? winbind refresh tickets = Yes
> ??????? winbind use default domain = Yes
> ??????? idmap config * : backend = tdb
> ??????? idmap config * : range = 3000-9999
> ??????? idmap config private : backend = rid
> ??????? idmap config private : range = 10000-99999
> ??????? map acl inherit = Yes
> ??????? inherit acls = yes
> ??????? apply group policies = yes
> ??????? vfs objects = acl_xattr
>
> [Migrtest]
> ??????? path = /data/migrtest
> ??????? read only = no
> ??????? acl_xattr:ignore system acls = yes
>
>
>
>
--
Sebastian Neustein

Airport Research Center GmbH
Bismarckstra?e 61
52066 Aachen
Germany

Phone: +49 241 16843-23
Fax: +49 241 16843-19
e-mail:sebastian.neustein at arc-aachen.de
Website:http://www.airport-consultants.com

Register Court: Amtsgericht Aachen HRB 7313
Ust-Id-No.: DE196450052

Managing Director:
Dipl.-Ing. Tom Alexander Heuer