[Samba] SaMBa 4.16.4 adds users to ACLs as groups

Tamás Németh nt1277 at gmail.com
Tue Jun 20 08:38:37 UTC 2023


Okay then :-( I think I'll have to divide our shares into two categories:

1. One with "nt acl support = no" which I'd consider the "pure Linux
security" category.
2. Probably another category with "acl_xattr:ignore system acls = yes", as
a "pure Windows security" category.

It would be better to have an underlying OS with native NFSv4 ACL support
instead of POSIX ACLs, since converting NT ACLs to POSIX ACLs seems to be a
bit problematic nowadays.

Again, thank you very much for all your efforts, especially for reproducing
my issues last weekend.

Sincerely,
Tamás

Rowland Penny via samba <samba at lists.samba.org> wrote (on Fri, Jun 16,
2023 at 18:19):

>
>
> On 16/06/2023 16:20, Tamás Németh via samba wrote:
> > Dear Rowland,
> >
> > I'm trying to write a single email answering all the questions of your
> > recent emails:
> >
> >
> >> Hi Tamas, I have been reviewing your numerous posts on this list about
> >> this project, are you aware that you have been posting for 6 months ?
> >
> > Well, not exactly :-) Only 5 months and 5 days :-) However, this specific
> > thread is only 9 days old. I had a few mails in January, February, etc.,
> > where I asked for help with the migration of an ancient server. Thank you
> > for your help with those questions, the migration was successful apart from
> > the mentioned "piling up" of POSIX ACLs, which I discovered 9 days ago.
>
> Quite correct, seems I cannot count LOL.
>
> >
> >
> >
> >> [quote]
> >> this "piling up" of ACL information doesn't happen either on a native
> >> Windows file server or with vfs_acl_xattr
> >> [/quote]
> >> Does this mean you do not have 'vfs objects = acl_xattr' in your
> >> smb.conf ?
> >
> > Yes, it means that. I don't have vfs_acl_xattr enabled on our infamous
> > production server, however, I conducted some experiments on a server cloned
> > from it, where I enabled either vfs_acl_xattr or vfs_acl_tdb. I noticed
> > that SaMBa behaves differently in all three scenarios (1. no VFS backend,
> > 2. acl_xattr, 3. acl_tdb). This mail contains the details:
> > https://lists.samba.org/archive/samba/2023-June/245479.html Of the three
> > scenarios, vfs_acl_xattr (plus its option "ignore system acls = yes") seems
> > to be achieving the best results, permissions identical to that of native
> > Windows.
> >
>
> I think that is your problem, more later.
>
> >
> >
> >
> >> [quote]
> >> this may be the reason why using POSIX ACLs with SaMBa is deprecated
> >> [/quote]
> >> As far as I am aware, using POSIX ACLs isn't deprecated, is it possible
> >> you can tell us where you found that information ?
> >
> > OK, I probably misinterpreted or exaggerated two sentences from here:
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
> > The sentences are: "You are advised that a better option than POSIX draft
> > ACLs is to use Windows ACLs, this will allow you to set up fine-granular
> > ACLs." and "Linux however, ... here only deprecated POSIX draft ACLs exist."
>
> Yes, you were quite correct (again), it did say 'deprecated', the thing
> is they were never deprecated (well, not that I have ever found anything
> saying so). As far as I am aware, it was a draft and this was withdrawn,
> but too late, they were already in use and have continued to be used.
>
> >
> >
> >
> >
> >> It might also be a good idea if we could see your present smb.conf, so
> >> please post the output of 'testparm -s' (sanitised if must).
> >
> > OK, here is my smb.conf with most of the (very numerous) shares removed:
> > https://pastebin.com/xWASKir4
> >
> >
> >
> >> Now you can, with 'setfacl' add default permissions, are these what you
> >> are referring to as 'Posix ACLs' ?
> >
> > When using the phrase "default (POSIX) ACLs" in the mail
> > https://lists.samba.org/archive/samba/2023-June/245540.html I was referring
> > to the default ACLs created with the --default option of setfacl.
> >
> >
> >
> >> is Samba causing the problem, or to put it
> >> another way, if the share was on a Windows machine, would the ACLs get
> >> created differently ?
> >
> > Well, SaMBa with "vfs objects = acl_xattr" + "acl_xattr:ignore system acls
> > = yes" seems to create identical ACLs to those created by Windows, but when
> > relying solely on POSIX ACLs (running SaMBa on Linux / ext4), the ACLs
> > differ from the Windows ones quite a bit. I'm well aware that NFS4 ACLs
> > cannot be converted to POSIX ACLs without a loss, but even despite this, I
> > wouldn't expect two phenomena to occur to MS Word files edited by
> > multiple users on a SaMBa server using the configuration from the pastebin
> > link above. The two phenomena (not happening on Windows or SaMBa +
> > "acl_xattr:ignore system acls = yes") are the following:
> >
> > 1. Piling up of UIDs of users who ever edited a DOCX file in the said
> > file's POSIX ACL. This doesn't happen on Windows. Only the owner changes
> > there when saving an Office document.
> > 2. UIDs and GIDs added to POSIX ACLs as both users and groups without
> > distinction.
> >
> >
>
> This is what I think is happening. Because you are not using
> vfs_acl_xattr, Samba is passing the permissions to the OS (without doing
> anything to them) and the OS is taking them verbatim and setting them.
> If you were to use vfs_acl_xattr, Samba sets the permissions based on
> what Windows says they are and then passes that to the OS. There is
> evidently a vast difference between the two.
>
> Rowland
>
>
>
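
An added example, not part of the original thread and not code from any of its participants: one way to audit a share for the two phenomena described above (named user entries piling up in a file's POSIX ACL, and the same ID listed as both a user and a group entry) by parsing `getfacl -n` output. The sample output, the IDs, the function name `audit` and the `max_named_users` threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed `getfacl -n` output (numeric IDs); not taken from the thread.
SAMPLE = """\
# file: srv/share/report.docx
# owner: 3000012
# group: 3000005
user::rwx
user:3000012:rwx
user:3000020:rwx
user:3000031:rwx
group::rwx
group:3000005:rwx
group:3000012:rwx
group:3000020:rwx
mask::rwx
other::---

# file: srv/share/notes.txt
# owner: 3000012
# group: 3000005
user::rw-
group::r--
group:3000005:rw-
mask::rw-
other::---
"""

# Named entries only: "user::rwx" (owner) has an empty qualifier and is skipped.
ENTRY = re.compile(r"^(default:)?(user|group):([^:]+):[rwx-]{3}")

def audit(getfacl_text, max_named_users=2):
    """Per file: IDs listed as both user and group, and named-user count."""
    report = {}
    for block in getfacl_text.strip().split("\n\n"):
        path, ids = None, defaultdict(set)
        for line in block.splitlines():
            if line.startswith("# file: "):
                path = line[len("# file: "):]
            m = ENTRY.match(line)
            if m and not m.group(1):  # access ACL only; default: entries skipped
                ids[m.group(2)].add(m.group(3))
        if path is not None:
            both = sorted(ids["user"] & ids["group"])
            n = len(ids["user"])
            report[path] = {"both": both, "named_users": n,
                            "piled_up": n > max_named_users}  # threshold is an assumption
    return report
```

Feeding it the text produced by `getfacl -R -n` on a share path gives one report entry per file; a non-empty `both` list or `piled_up` set to true marks files worth inspecting by hand.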

