[Samba] windows acls

Rowland Penny rpenny at samba.org
Tue Mar 28 18:57:14 UTC 2023 


On 28/03/2023 19:47, Peter Carlson via samba wrote:
> 
> On 3/28/23 11:22, Rowland Penny via samba wrote:
>>
>>
>> On 28/03/2023 18:43, Peter Carlson via samba wrote:
>>> bumping the log to 5, there are a few more lines right before 
>>> NT_STATUS_ACCESS_DENIED, could the EA error be a clue?
>>
>> I do not think so, that is what you are trying to create/set from 
>> Windows.
>>
>>>
>>> [2023/03/28 10:37:19.643508,  5] 
>>> ../../source3/smbd/vfs.c:1334(check_reduced_name)
>>>    check_reduced_name: . reduced to /data/test
>>> [2023/03/28 10:37:19.643539,  5] 
>>> ../../source3/smbd/dosmode.c:177(unix_mode)
>>>    unix_mode: unix_mode(.) returning 0666
>>> [2023/03/28 10:37:19.643605,  5] 
>>> ../../source3/smbd/dosmode.c:396(fget_ea_dos_attribute)
>>>    fget_ea_dos_attribute: Cannot get attribute from EA on file .: 
>>> Error = No data available
>>> [2023/03/28 10:37:19.643652,  4] 
>>> ../../source3/smbd/open.c:3808(open_file_ntcreate)
>>>    calling open_file with flags=0x0 flags2=0x800 mode=0666, 
>>> access_mask = 0x20080, open_access_mask = 0x20080
>>> [2023/03/28 10:37:19.643680,  5] 
>>> ../../source3/smbd/open.c:4427(open_directory)
>>>    open_directory: opening directory ., access_mask = 0x20080, 
>>> share_access = 0x7 create_options = 0x200000, create_disposition = 
>>> 0x1, file_attributes = 0x10
>>
>> I am running out of ideas, is a firewall blocking something ?
>> Have you tried logging into Windows as Administrator ?
>>
>> Rowland
>>
>>
> ok, I got something to work and found some differences.  I added a new 
> share, created a new folder and set the ACLs.  it works!
> 
> smb.conf is the same:
> 
> [Peter]
>      path = /data/peter
>      comment = test
>      read only = no
> 
> [Test]
>      path = /data/test
>      comment = test
>      read only = no
> 
> file directory shows a slight difference:
> 
> root at filesvr:/var/log/samba# ls -l /data
> drwxrwx---   2 root SDCP\domain admins    4096 Mar 28 11:11 peter
> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
> 
> do you happen to know what the + is at the end of the permissions?  I 
> can't find that in the docs.


It shows that posix acls are set (the ones shown by getfacl), if you 
want to see the ACL's set from Windows, in a readable way, try:

samba-tool ntacl get /data/test --as-sddl

Rowland

More information about the samba mailing list