samba - Jan 2024 - Behavior of acl_xattr:ignore system acls = yes on a share

On Tue, 30 Jan 2024 16:13:41 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi folks,
> 
> It seems that the setting acl_xattr:ignore system acls = yes reduces 
> Windows compatibility when defined for a share. In all attempts I
> have used Windows tools (except editing smb.conf)
Lets walk through the relevant part of that parameter:
'ignore system acls'

It does what it says, with it set, Samba totally ignores the Unix acls
you can see with 'ls' and getfacl. You must set the permissions from
Windows and either read them from Windows or with tools such as
'samba-tool ntacl get'.

Rowland

On 1/30/24 16:27, Rowland Penny via samba wrote:
> On Tue, 30 Jan 2024 16:13:41 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
> 
>> Hi folks,
>>
>> It seems that the setting acl_xattr:ignore system acls = yes reduces
>> Windows compatibility when defined for a share. In all attempts I
>> have used Windows tools (except editing smb.conf)
> 
> Lets walk through the relevant part of that parameter:
> 'ignore system acls'
> 
> It does what it says, with it set, Samba totally ignores the Unix acls
> you can see with 'ls' and getfacl. You must set the permissions
from
> Windows and either read them from Windows or with tools such as
> 'samba-tool ntacl get'.
...and you must start with a clean state, iow a share basedirectory that 
doesn't have any POSIX ACEs, just root:Domain Users 0777 or similar. 
"ignore systems acls" only implies Samba will not attempt itself to
map
the NT ACL to a POSIX ACL and apply in on disk. It doesn't apply that 
existing POSIX ACLs will be enforced by the kernel and inheritted by the 
kernel if applicable.

Cheers!
-slow

-- 
SerNet Samba Team Lead       https://samba.plus/
Samba Team Member             https://samba.org/
SAMBA+ packages              https://samba.plus/
SerNet Samba Support, Consulting and Development


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20240130/1a2465e1/OpenPGP_signature.sig>

On 30.01.2024 16:27, Rowland Penny via samba wrote:
> On Tue, 30 Jan 2024 16:13:41 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> It seems that the setting acl_xattr:ignore system acls = yes reduces
>> Windows compatibility when defined for a share. In all attempts I
>> have used Windows tools (except editing smb.conf)
> Lets walk through the relevant part of that parameter:
> 'ignore system acls'
>
> It does what it says, with it set, Samba totally ignores the Unix acls
> you can see with 'ls' and getfacl. You must set the permissions
from
> Windows and either read them from Windows or with tools such as
> 'samba-tool ntacl get'.
>
> Rowland
>
Hi Rowland,

Evidently that's not the case. As I demonstrated, creating a sub folder 
with acl_xattr:ignore system acls = yes active, just made the sub folder 
unusable for my purpose (not writable for neither owner nor group with 
full permissions). I will try what Ralph suggests in a later post.

Thanks for your answer,

Peter