search for: samba_pai

I have just enabled user_xattr on the partition where my samba share is on. Now when I use getfattr I see the extended attribute user.SAMBA_PAI on my files. But ACL inheritance isn't taking place... When I (from within Windows) click on Properties > Security > Advanced an then enable "Allow inheritable permissions..." on a certain file, then the attribute user.SAMBA_PAI disappears and the ACL rights are inherited?! Ch...

...rrently have two test files with different permission settings that I use to try to work out what is going on. If I getfattr -n security.NTACL, the output for each file is slightly different, but smbcacls gives the same output for both files. Uncommenting the map acl inherit line creates the user.SAMBA_PAI, but I don't really have a clue what doing that does or doesn't get me, so not sure whether to use it. I'm pretty sure I want 'ignore system acls' but uncommenting that line results in the test files no longer getting either security.NTACL or user.SAMBA_PAI. I've had a rum...

...other::--- i.e. there are no rights for "other" and no default entries in the Posix ACL (i.e. there is no Posix ACL at all, just plain Linux permissions) getfattr -d -e hex -m - ... shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no "user.SAMBA_PAI=" The Windows security editor, however, has two entries for "Everyone": Allow Everyone None 'This folder only' Allow Everyone Special 'Subfolders and files only', the special rights being read permission. I am wondering where the read permission for 'Subfolde...

...uot;other" and no default entries in the Posix >> ACL (i.e. there is no Posix ACL at all, just plain Linux permissions) >> >> getfattr -d -e hex -m - ... >> shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no >> "user.SAMBA_PAI=" >> >> The Windows security editor, however, has two entries for "Everyone": >> Allow Everyone None??? 'This folder only' >> Allow Everyone Special 'Subfolders and files only', the special rights >> being read permission. >> >&g...

...different permission settings that I > use to try to work out what is going on. If I getfattr -n > security.NTACL, > the output for each file is slightly different, but smbcacls gives the > same output for both files. Uncommenting the map acl inherit line > creates > the user.SAMBA_PAI, but I don't really have a clue what doing that > does or > doesn't get me, so not sure whether to use it. I'm pretty sure I want > 'ignore system acls' but uncommenting that line results in the test files > no longer getting either security.NTACL or user.SAMBA_PAI...

...parameter default "yes". I don't know how this relates to the above parameters. For "store dos attributes" man smb.conf says "This extended attribute is explicitly hidden from smbd clients requesting an EA list". What about "map acl inherit" and user.SAMBA_PAI? Is it safe to have "ea support = yes" and and "map acl inherit = yes"? What are the benefits? thanks Matthias

...Test path = /home/voltest admin users = DOMAINNAME\administrator read only = No inherit acls = Yes map acl inherit = Yes store dos attributes = Yes Though the "inheritable permissions" checkbox stays checked, I *sometimes* see that the user.SAMBA_PAI attribute is getting set: $ getfattr -d /home/voltest/test_folder/foo.doc getfattr: Removing leading '/' from absolute path names # file: home/voltest/test_folder/foo.doc user.DOSATTRIB="0x20" user.SAMBA_PAI=0sAQACAAAAABAnAAABHycAAA== Often, though, it's not set at all. Tha...

...<run a script that fix group permission, prevent settings ACL mask incorrectly> Clearly domains have different SID, and looking (some sample) at permissions in files of a copied profiles and a created one, effectively there's some differences (eg, the copied profiles have no 'user.SAMBA_PAI' extended attributes). So, seems to work but it is not exactly the same thing. Can i be confident that something strage does not brake all things sooner or later? Someone have some feedback on that? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nos...

...ntation of ACLs. Linux is the only common UNIX system which does still not offer standardized NFS4 ACLs actually. On such systems this parameter controls whether?smbd(8)?will attempt to map the 'protected' (don't inherit) flags of the Windows ACLs into an extended attribute called user.SAMBA_PAI (POSIX draft ACL Inheritance). This parameter requires support for extended attributes on the filesystem and allows the Windows ACL editor to store (non-)inheritance information while NT ACLs are mapped best-effort to the POSIX draft ACLs that the OS and filesystem implements. Default:?map acl inh...

..._IFDIR|0755, st_size=6, ...}) = 0 getxattr("/mnt/test/test/0220", "system.posix_acl_default", 0x11fffe940, 132) = -1 ENODATA (No data available) stat("/mnt/test/test/0220", {st_mode=S_IFDIR|0755, st_size=6, ...}) = 0 getxattr("/mnt/test/test/0220", "user.SAMBA_PAI", 0x1207f0aa0, 1024) = -1 ENODATA (No data available) For every folder it wants to delete, it walks all the folders doing this. So for 4k folders we get 16 milion such tests, which take waay too much time. Are these loops necessary? Can they be optimised? We've tested ext3+acl and xfs as...

On Tue, 29 Aug 2023 15:44:35 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > >> In samba the share is: > > I wish people wouldn't do this, if you are going to post a share, > > please post the global section as well. > > Sorry. > > # Global parameters >

...getxattr No data T01|user.DOSATTRIB 7 stat T01/T01.ini 8 opendir T01 9 stat T01/T01.ini 10 stat T01/T01.ini 11 sys_acl_get_file T01/T01.ini 12 getxattr No data T01/T01.ini:user.SAMBA_PAI 13 sys_acl_get_entry 14 sys_acl_get_tag_type 15 sys_acl_get_permset 16 sys_acl_get_perm 17 sys_acl_get_perm 18 sys_acl_get_entry 19 sys_acl_get_tag_type 20 sys_acl_get_permset 21 sys_acl_get_perm 22 sys_acl_get_perm 23 sys_acl_get_entry 24 sys_acl_get_tag_type 25 sys_acl...

> >>>> Run this : getfacl /home/users > >>> getfacl: Removing leading '/' from absolute path names > >>> # file: home/users > >>> # owner: root > >>> # group: A\\domain\040admins > >>> user::rwx > >>> user:root:rwx > >>> user:10512:rwx > >>> group::rwx > >>>

...e Permissions Domain Admins (SAMBA\Domain Admins) -- Full Control Domain Admins (SAMBA\Domain Users) -- Change Security Creator Owner System Domain Admins Domain Users as per samba wiki filesystem: drwxrwx---+ 3 root unix admins 4096 Apr 18 23:38 profiles getfattr profiles # file: profiles user.SAMBA_PAI # getfacl profiles # file: profiles # owner: root # group: unix\040admins user::rwx user:root:rwx group::--- group:NT\040Authority\134system:rwx group:domain\040users:rwx group:unix\040admins:--- mask::rwx other::--- default:user::rwx default:user:root:rwx default:group::--- default:group:NT\040Au...

> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Andrew Bartlett via samba > Verzonden: dinsdag 19 februari 2019 18:40 > Aan: Rowland Penny; samba at lists.samba.org > Onderwerp: Re: [Samba] samba acl it > > On Tue, 2019-02-19 at 17:29 +0000, Rowland Penny wrote: > > On Wed, 20 Feb 2019 06:15:17 +1300 > >

...are no rights for "other" and no default entries in the Posix > ACL (i.e. there is no Posix ACL at all, just plain Linux permissions) > > getfattr -d -e hex -m - ... > shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no > "user.SAMBA_PAI=" > > The Windows security editor, however, has two entries for "Everyone": > Allow Everyone None 'This folder only' > Allow Everyone Special 'Subfolders and files only', the special rights > being read permission. > > I am wondering where the...

Hi guys, I have a question about this error. It occurs for some files when I try to backup a file server running Samba on FreeBSD, using aHAXR rsync options. The exact error is : rsync_xal_set: lsetxattr("****","user.SAMBA_PAI") failed: Operation not supported (95) (stars are a real path I cannot provide) The source file is located on a read-only mounted volume snapshot. It appears rsync tries to modify the source for some reason, but this filesystem is mounted read-only. I wonder why rsync try to modify the s...

...>>> ACL (i.e. there is no Posix ACL at all, just plain Linux permissions) >>>>> >>>>> getfattr -d -e hex -m - ... >>>>> shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no >>>>> "user.SAMBA_PAI=" >>>>> >>>>> The Windows security editor, however, has two entries for "Everyone": >>>>> Allow Everyone None??? 'This folder only' >>>>> Allow Everyone Special 'Subfolders and files only', the special rights...

...SAMDOM\domain admins 19 29 avr 11:00 . drwxr-xr-x. 3 root root 18 29 avr 10:10 .. drwxrwx---+ 2 3000000 users 6 29 avr 11:00 Hello I don't know the consequences of those differences from a security point of view, why I have this DOSATTR instead of SAMBA_PAI...

...t; administrator. > > I've tried as a normal user, and logon failed mysteriously (error > starting windows profile services, something like that) and with only > some generic winlogon errors in windows events. > > Probably i've to sythetize correctly the ACL in 'user.SAMBA_PAI' to > have it work, but... it takes less time to move 'Desktop' and some > 'Appdata/Roaming/...' folders. > > > Thanks. > > -- > dott. Marco Gaiarin GNUPG > Key ID: 240A3D66 > Associazione ``La Nostra Famiglia'' &...