samba - Jan 2024 - Behavior of acl_xattr:ignore system acls = yes on a share

On 31.01.2024 11:48, Rowland Penny via samba wrote:
> On Wed, 31 Jan 2024 11:38:31 +0100
> Peter Milesson via samba<samba at lists.samba.org>  wrote:
>
>>
>> On 31.01.2024 10:09, Ralph Boehme via samba wrote:
>>> On 1/31/24 09:50, Peter Milesson via samba wrote:
>>>> The crucial problem here is, that Everyone (yes, really
everyone)
>>>> can write to the root share.
>>> why don't you just change it? That's how it's supposed
to work.
>>>
>>> -slow
>>>
>> Hi Ralph,
>>
>> Unfortunately, that doesn't work. In share permissions,
> Sorry, but you should only modify the 'Security' tab, for which a
> better name would be 'NTFS permissions'
> However, as I have found, you can remove 'EVERYONE' from the
Security
> tab permissions, but it doesn't remove it from the permissions set on
> the actual share directory.
>
> Rowland
>
>> it's not
>> possible to remove Everyone, nor add another security object.
>> Clicking OK, the dialog closes without any errors, but opening it
>> again, Everyone is still there. I was sure to start Computer
>> Management as Administrator.
>>
>> If it would be possible to set share permissions, then it would be
>> usable.
>>
>> Best regards,
>>
>> Peter
>>
>>
>
Hi Rowland,

No, it's not possible to touch anything in the security tab. When 
clicking OK, I get the message "Failed to enumerate objects in the 
container. Access denied"

Best regards,

Peter

On Wed, 31 Jan 2024 12:19:06 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
> 
> 
> On 31.01.2024 11:48, Rowland Penny via samba wrote:
> > On Wed, 31 Jan 2024 11:38:31 +0100
> > Peter Milesson via samba<samba at lists.samba.org>  wrote:
> >
> >>
> >> On 31.01.2024 10:09, Ralph Boehme via samba wrote:
> >>> On 1/31/24 09:50, Peter Milesson via samba wrote:
> >>>> The crucial problem here is, that Everyone (yes, really
everyone)
> >>>> can write to the root share.
> >>> why don't you just change it? That's how it's
supposed to work.
> >>>
> >>> -slow
> >>>
> >> Hi Ralph,
> >>
> >> Unfortunately, that doesn't work. In share permissions,
> > Sorry, but you should only modify the 'Security' tab, for
which a
> > better name would be 'NTFS permissions'
> > However, as I have found, you can remove 'EVERYONE' from the
> > Security tab permissions, but it doesn't remove it from the
> > permissions set on the actual share directory.
> >
> > Rowland
> >
> >> it's not
> >> possible to remove Everyone, nor add another security object.
> >> Clicking OK, the dialog closes without any errors, but opening it
> >> again, Everyone is still there. I was sure to start Computer
> >> Management as Administrator.
> >>
> >> If it would be possible to set share permissions, then it would be
> >> usable.
> >>
> >> Best regards,
> >>
> >> Peter
> >>
> >>
> >
> Hi Rowland,
> 
> No, it's not possible to touch anything in the security tab. When 
> clicking OK, I get the message "Failed to enumerate objects in the 
> container. Access denied"
> 
> Best regards,
> 
> Peter
Hi Peter, did you set 'acl_xattr:ignore system acls = yes' in the share
before you first attempted to change the permissions from Windows, or
after. I ask this because, from my testing, if you set the line before
the first permissions change from Windows, you get the error that you
are now getting.

Rowland