Peter Milesson
2024-Jan-30 15:13 UTC
[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
Hi folks,

It seems that the setting acl_xattr:ignore system acls = yes reduces Windows compatibility when defined for a share. In all attempts I have used Windows tools (except for editing smb.conf).

Assume there is a share where the files and folders in the share root should at least be readable by anybody having access to the share. For the sake of simplicity, the following permissions apply on the share:

    Inheritance disabled
    Owner: root (Unix User\root)
    Domain Admins: full control (this folder, subfolders and files)
    Testgroup: read & execute (this folder, subfolders and files)
    System: full control (this folder, subfolders and files)
    creator owner: (this folder, subfolders and files)

I want, however, to set ownership and access permissions for different groups on different sub folders. So with acl_xattr:ignore system acls = yes I create the sub folder Testfolder, set testgroup as owner, and disable inheritance. When checking the permissions on the folder with getfacl I get:

    # file: Testfolder
    # owner: testgroup
    # group: domain\040admins
    user::rwx
    user:root:rwx
    user:domain\040admins:rwx
    user:testgroup:r-x
    group::r-x
    group:NT\040Authority\\system:rwx
    group:domain\040admins:rwx
    group:testgroup:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:user:domain\040admins:rwx
    default:user:testgroup:r-x
    default:group::r-x
    default:group:NT\040Authority\\system:rwx
    default:group:domain\040admins:rwx
    default:group:testgroup:r-x
    default:mask::rwx
    default:other::---

WITHOUT acl_xattr:ignore system acls = yes I create Testfolder2, again set testgroup as owner, and disable inheritance. The resulting getfacl is:

    # file: Testfolder2
    # owner: testgroup
    # group: domain\040admins
    user::rwx
    user:domain\040admins:rwx
    group::rwx
    group:NT\040Authority\\system:rwx
    group:domain\040admins:rwx
    group:testgroup:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:domain\040admins:rwx
    default:user:testgroup:rwx
    default:group::---
    default:group:NT\040Authority\\system:rwx
    default:group:domain\040admins:rwx
    default:group:testgroup:rwx
    default:mask::rwx
    default:other::---

In the first case (with acl_xattr:ignore system acls = yes), I get access denied when trying to create anything whatsoever as a user belonging to testgroup. In the second case, there is no problem at all creating files and folders as the user belonging to testgroup.

According to the documentation, acl_xattr:ignore system acls = yes should increase compatibility with Windows. IMHO, it does the opposite. On my Windows server I have no problems at all defining a set of permissions for the share and then tweaking sub folders to what I need.

Either I have completely misunderstood the concept, or there is something not working as it should.

I would be very happy to get some explanations.

Member server: Debian Bookworm with Samba from backports (4.19.4)

smb.conf below.

Best regards,

Peter

    [global]
            security = ADS
            server role = member server
            realm = PRIVATE.TALPS
            workgroup = PRIVATE
            dedicated keytab file = /etc/krb5.keytab
            kerberos method = secrets and keytab
            log level = 1
            disable spoolss = Yes
            printcap name = /dev/null
            template homedir = /home/%U
            template shell = /bin/bash
            timestamp logs = Yes
            username map = /etc/samba/user.map
            min domain uid = 0
    #       winbind enum groups = Yes
    #       winbind enum users = Yes
            winbind expand groups = 4
    #       winbind offline logon = Yes
            winbind refresh tickets = Yes
            winbind use default domain = Yes
            idmap config * : backend = tdb
            idmap config * : range = 3000-9999
            idmap config private : backend = rid
            idmap config private : range = 10000-99999
            map acl inherit = Yes
            inherit acls = yes
            apply group policies = yes
            vfs objects = acl_xattr

    [Migrtest]
            path = /data/migrtest
            read only = no
            acl_xattr:ignore system acls = yes
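The two getfacl listings in the post above can be evaluated mechanically, which makes the difference between them concrete. The following script is an added example written for this page, not code from the thread or from Samba: it parses the two listings exactly as posted and applies the POSIX.1e access-check order the kernel uses (owner entry first, then a named user entry, then the owning group and any named group entries, all of the latter filtered through the mask, and finally other). The user name "alice" and her group membership are assumptions. Note the point Rowland makes in his reply: on a share with acl_xattr:ignore system acls = yes the POSIX entries shown by getfacl are not what Samba consults for SMB clients, so this evaluator only tells you what the Unix permission layer itself would grant.

```python
#!/usr/bin/env python3
"""Evaluate the two getfacl listings from the thread the way the kernel
evaluates a POSIX.1e ACL, for an assumed domain user who is a member of
testgroup.  Added example; not code from the thread or from Samba."""
import re

# Access entries from Peter's listings.  The default: entries only govern
# what new children inherit, so they play no part in access to the folder.
ACL_IGNORE_SYSTEM_ACLS = r"""
# file: Testfolder
# owner: testgroup
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:testgroup:r-x
group::r-x
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:testgroup:r-x
mask::rwx
other::---
"""

ACL_SYSTEM_ACLS = r"""
# file: Testfolder2
# owner: testgroup
# group: domain\040admins
user::rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:testgroup:rwx
mask::rwx
other::---
"""


def unescape(name):
    # getfacl writes a space as \040 (octal) and a backslash as \\
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)


def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries maps (tag, qualifier) -> set of 'rwx'."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(.+)", line)
            if m and m.group(1) == "owner":
                owner = unescape(m.group(2))
            elif m:
                group = unescape(m.group(2))
            continue
        if line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries[(tag, unescape(qualifier))] = set(perms.replace("-", ""))
    return owner, group, entries


def effective_perms(acl, user, groups):
    """POSIX.1e check order: owner, named user, owning/named groups, other.
    Everything except the owner and other entries is limited by the mask."""
    owner, owning_group, entries = acl
    mask = entries.get(("mask", ""), {"r", "w", "x"})
    if user == owner:
        return entries[("user", "")]
    if ("user", user) in entries:
        return entries[("user", user)] & mask
    granted, matched = set(), False
    if owning_group in groups:
        granted |= entries[("group", "")] & mask
        matched = True
    for g in groups:
        if ("group", g) in entries:
            granted |= entries[("group", g)] & mask
            matched = True
    if matched:          # a matching group class never falls through to other
        return granted
    return entries[("other", "")]


def fmt(perms):
    return "".join(c if c in perms else "-" for c in "rwx")


def can_create_in(acl, user, groups):
    """Creating a file or sub folder needs write and search (x) on the directory."""
    return {"w", "x"} <= effective_perms(acl, user, groups)


if __name__ == "__main__":
    user, groups = "alice", {"domain users", "testgroup"}   # assumed testgroup member
    for label, text in (("Testfolder (ignore system acls = yes)", ACL_IGNORE_SYSTEM_ACLS),
                        ("Testfolder2 (system ACLs kept)", ACL_SYSTEM_ACLS)):
        acl = parse_getfacl(text)
        print(f"{label}: {user} gets {fmt(effective_perms(acl, user, groups))}, "
              f"can create: {can_create_in(acl, user, groups)}")
```

Run as-is it reports r-x (no create) for the Testfolder listing and rwx for Testfolder2, which lines up with the access denied / success pair described in the post. Whether those POSIX entries are the ones that matter for an SMB client on the first share is exactly the question the replies address.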
Rowland Penny
2024-Jan-30 15:27 UTC
[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
On Tue, 30 Jan 2024 16:13:41 +0100 Peter Milesson via samba <samba at lists.samba.org> wrote:

> Hi folks,
>
> It seems that the setting acl_xattr:ignore system acls = yes reduces
> Windows compatibility when defined for a share. In all attempts I
> have used Windows tools (except editing smb.conf)

Let's walk through the relevant part of that parameter: 'ignore system acls'

It does what it says: with it set, Samba totally ignores the Unix ACLs you can see with 'ls' and getfacl. You must set the permissions from Windows and either read them from Windows or with tools such as 'samba-tool ntacl get'.

Rowland
Sebastian Neustein
2024-Jan-31 12:25 UTC
[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
Does your filesystem support extended attributes? What does "getfattr -n security.NTACL filename" return?

On 30.01.2024 16:13, Peter Milesson wrote:
> Hi folks,
>
> It seems that the setting acl_xattr:ignore system acls = yes reduces
> Windows compatibility when defined for a share. In all attempts I have
> used Windows tools (except editing smb.conf)
> [...]

-- 
Sebastian Neustein
Airport Research Center GmbH
Bismarckstraße 61
52066 Aachen
Germany
Phone: +49 241 16843-23
Fax: +49 241 16843-19
e-mail: sebastian.neustein at arc-aachen.de
Website: http://www.airport-consultants.com
Register Court: Amtsgericht Aachen HRB 7313
Ust-Id-No.: DE196450052
Managing Director: Dipl.-Ing. Tom Alexander Heuer