samba - Jan 2024 - Behavior of acl_xattr:ignore system acls = yes on a share

On 1/31/24 12:02, Rowland Penny via samba wrote:
> Which looks correct to myself, so a bug ?
something to look into in more detail, ie logs and network traces. :)

-slow

-- 
SerNet Samba Team Lead       https://samba.plus/
Samba Team Member             https://samba.org/
SAMBA+ packages              https://samba.plus/
SerNet Samba Support, Consulting and Development

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20240131/ed2b9caa/OpenPGP_signature.sig>

Problem solved (I hope)!

On 31.01.2024 12:40, Ralph Boehme via samba wrote:
> On 1/31/24 12:02, Rowland Penny via samba wrote:
>> Which looks correct to myself, so a bug ?
> something to look into in more detail, ie logs and network traces. :)
>
> -slow
Hi folks,

I added the following parameter to the share definition in smb.conf:

acl_xattr:default acl style = windows

Now the share definition is:

[Migrtest]
 ??????? path = /data/migrtest
 ??????? read only = no
 ??????? acl_xattr:ignore system acls = yes
 ??????? acl_xattr:default acl style = windows

What I do now is the following:

  * Create the folder for the share

  * Set ownership root:"Domain Admins"

  * Set permissions on the folder 0777

  * Make sure the share is defined in smb.conf as above

  * smbcontrol smbd reload-config && smbcontrol winbind reload-config

  * Open Computer Management in Windows as a user with domain admin
    privileges

  * Connect to the Samba machine (not mentioning the quirky steps here...)

  * Click on the share that shows up and select Properties

  * Go to the Security tab

  * The security tab is blank at first, with information that you need
    read permissions to view the properties of this object.

  * Click Advanced

  * Change ownership to Domain Admins and mark Replace owner on
    subcontainers and objects (I don't know if this is necessary, at
    least it does not seem harmful)

  * A message pops up, that I do not have permissions to read the
    contents of directory bla, bla, bla. Click OK

  * Right click on the share and select refresh

  * Right click on the share again and select Properties

  * Go to the Security tab

  * Now, there should be one entry.

  * Add any security objects and permissions you want for the share

  * (I don't know if inheritance should be disabled, or not. Please
    advice if you have got useful information here).

  * Start using the share

Seems to work well enough.

Best regards,

Peter