[Samba] SaMBa 4.16.4 adds users to ACLs as groups

Rowland Penny rpenny at samba.org
Fri Jun 16 16:18:13 UTC 2023



On 16/06/2023 16:20, Tamás Németh via samba wrote:
> Dear Rowland,
> 
> I'm trying to write a single email answering all the questions of your
> recent emails:
> 
> 
>> Hi Tamas, I have been reviewing your numerous posts on this list about
>> this project, are you aware that you have been posting for 6 months ?
> 
> Well, not exactly :-) Only 5 months and 5 days :-) However, this specific
> thread is only 9 days old. I had a few mails in January, February, etc.,
> where I asked for help with the migration of an ancient server. Thank you
> for your help with those questions, the migration was successful apart from
> the mentioned "piling up" of POSIX ACLs, which I discovered 9 days ago.

Quite correct, seems I cannot count LOL.

> 
> 
> 
>> [quote]
>> this "piling up" of ACL information doesn't happen either on a native
>> Windows file server or with vfs_acl_xattr
>> [/quote]
>> Does this mean you do not have 'vfs objects = acl_xattr' in your smb.conf ?
> 
> Yes, it means that. I don't have vfs_acl_xattr enabled on our infamous
> production server, however, I conducted some experiments on a server cloned
> from it, where I enabled either vfs_acl_xattr or vfs_acl_tdb. I noticed
> that SaMBa behaves differently in all three scenarios (1. no VFS backend,
> 2. acl_xattr, 3. acl_tdb). This mail contains the details:
> https://lists.samba.org/archive/samba/2023-June/245479.html Of the three
> scenarios, vfs_acl_xattr (plus its option "ignore system acls = yes") seems
> to be achieving the best results, permissions identical to that of native
> Windows.
> 

I think that is your problem, more later.

> 
> 
> 
>> [quote]
>> this may be the reason why using POSIX ACLs with SaMBa is deprecated
>> [/quote]
>> As far as I am aware, using POSIX ACLs isn't deprecated, is it possible
>> you can tell us where you found that information ?
> 
> OK, I probably misinterpreted or exaggerated two sentences from here:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
> The sentences are: "You are advised that a better option than POSIX draft
> ACLs is to use Windows ACLs, this will allow you to set up fine-granular
> ACLs." and "Linux however, ... here only deprecated POSIX draft ACLs exist."

Yes, you were quite correct (again), it did say 'deprecated', the thing 
is they were never deprecated (well, not that I have ever found anything 
saying so). As far as I am aware, it was a draft and this was withdrawn, 
but too late, they were already in use and have continued to be used.

> 
> 
> 
> 
>> It might also be a good idea if we could see your present smb.conf, so
>> please post the output of 'testparm -s' (sanitised if must).
> 
> OK, here is my smb.conf with most of the (very numerous) shares removed:
> https://pastebin.com/xWASKir4
> 
> 
> 
>> Now you can, with 'setfacl' add default permissions, are these what you
>> are referring to as 'Posix ACLs' ?
> 
> When using the phrase "default (POSIX) ACLs" in the mail
> https://lists.samba.org/archive/samba/2023-June/245540.html I was referring
> to the default ACLs created with the --default option of setfacl.
> 
> 
> 
>> is Samba causing the problem, or to put it
>> another way, if the share was on a Windows machine, would the ACLs get
>> created differently ?
> 
> Well, SaMBa with "vfs objects = acl_xattr" + "acl_xattr:ignore system acls
> = yes" seems to create identical ACLs to those created by Windows, but when
> relying on solely POSIX ACLs (running SaMBa on Linux / ext4), the ACLs
> differ from the Windows ones quite a bit. I'm well aware that NFS4 ACLs
> cannot be converted to POSIX ACLs without a loss, but even despite this, I
> wouldn't expect two phenomena to occur to MS Word files edited by
> multiple users on a SaMBa server using the configuration from the pastebin
> link above. The two phenomena (not happening on Windows or SaMBa +
> "acl_xattr:ignore system acls = yes") are the following:
> 
> 1. Piling up of UIDs of users who ever edited a DOCX file in the said
> file's POSIX ACL. This doesn't happen on Windows. Only the owner changes
> there when saving an Office document.
> 2. UIDs and GIDs added to POSIX ACLs as both users and groups without
> distinction.
> 
> 

This is what I think is happening. Because you are not using 
vfs_acl_xattr, Samba is passing the permissions to the OS (without doing 
anything to them) and the OS is taking them verbatim and setting them. 
If you were to use vfs_acl_xattr, Samba sets the permissions based on 
what Windows says they are and then passes that to the OS. There is 
evidently a vast difference between the two.

Rowland
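
An added example, not part of the original message or of Samba: a small audit that reads `getfacl -n` output and reports, per file, the two symptoms described in the thread (named user entries accumulating, and the same numeric ID present as both a user and a group entry). The sample listing, the function name `audit_getfacl` and the `max_named_users` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of `getfacl -n` output (numeric IDs); not taken from the thread.
SAMPLE = """\
# file: share/report.docx
# owner: 10001
# group: 10513
user::rwx
user:10001:rwx
user:10002:rwx
user:10003:rwx
group::rwx
group:10002:rwx
group:10513:rwx
mask::rwx
other::---

# file: share/notes.txt
user::rw-
group::r--
other::---
"""

def audit_getfacl(text, max_named_users=2):
    """Map each path to its named ACL entries and the two symptom flags."""
    acls = defaultdict(lambda: {"user": set(), "group": set()})
    path = None
    for raw in text.splitlines():
        if raw.startswith("# file: "):
            path = raw[len("# file: "):].strip()
            acls[path]  # register the file even if it has no named entries
            continue
        line = raw.split("#", 1)[0].strip()  # drop '#effective:' and header comments
        if path is None or not line:
            continue
        parts = line.split(":")
        if parts[0] == "default":  # default ACL entries are counted with access entries
            parts = parts[1:]
        # Named entries look like user:<id>:<perms>; user::, mask:: and other:: are skipped.
        if len(parts) == 3 and parts[0] in ("user", "group") and parts[1]:
            acls[path][parts[0]].add(parts[1])
    return {p: {"named_users": sorted(e["user"]),
                "named_groups": sorted(e["group"]),
                "dual_ids": sorted(e["user"] & e["group"]),
                "piled_up": len(e["user"]) > max_named_users}
            for p, e in acls.items()}

if __name__ == "__main__":
    print(audit_getfacl(SAMPLE))
```

On a real share the input would come from something like `getfacl -R -n` over the share path, saved to a file and passed to `audit_getfacl`.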



