samba - Jan 2024 - Behavior of acl_xattr:ignore system acls = yes on a share

On 1/30/24 20:15, Peter Milesson via samba wrote:
> *Setup shared folder*
> 
>  ?* Create the folder /data/migrtest
>  ?* Set ownership to root:"Domain Admins"
>  ?* chmod 0770 migrtest
iirc this has to be 0777, otherwise the kernel gets in your way. You 
only want Samba to enforce permissions so you have to get the kernel 
filesystem permissions our of the way by goint with 0777.

-slow

-- 
SerNet Samba Team Lead       https://samba.plus/
Samba Team Member             https://samba.org/
SAMBA+ packages              https://samba.plus/
SerNet Samba Support, Consulting and Development

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20240130/3f3b8c4d/OpenPGP_signature.sig>

Perhaps everyone's clear on this - but I thought I should add this, just in
case. (And perhaps the clarification should be added to the wiki.)
When it says "Samba will ignore the standard Unix system ACL's
(ugo)"
This is technically true. HOWEVER!
It only ignores the standard Unix system ACLS as it applies to SAMBA
permissions.

This won't allow Samba to read files that the samba process can't read.
Thus, set them to 0777 so there are no restrictions at the file system
level, and then SAMBA will ignore the Unix ACL's for what permissions it
gives to *SAMBA* users, and apply them purely based on the extended acls
set in Windows, for example.

(Wording that properly is not exactly easy, but hopefully that's helpful.)

On Tue, Jan 30, 2024 at 12:24?PM Ralph Boehme via samba <
samba at lists.samba.org> wrote:
> On 1/30/24 20:15, Peter Milesson via samba wrote:
> > *Setup shared folder*
> >
> >   * Create the folder /data/migrtest
> >   * Set ownership to root:"Domain Admins"
> >   * chmod 0770 migrtest
>
> iirc this has to be 0777, otherwise the kernel gets in your way. You
> only want Samba to enforce permissions so you have to get the kernel
> filesystem permissions our of the way by goint with 0777.
>
> -slow
>
> --
> SerNet Samba Team Lead       https://samba.plus/
> Samba Team Member             https://samba.org/
> SAMBA+ packages              https://samba.plus/
> SerNet Samba Support, Consulting and Development
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>