[Samba] Setting up Profiles share... 777?!

Rowland Penny rpenny at samba.org
Tue Nov 28 19:17:29 UTC 2023


On Tue, 28 Nov 2023 16:00:22 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> 
> In a fresh Samba AD domain I'm setting up the 'Profiles' share for
> roaming profiles, following the wiki:
> 
> 	https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> 	https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> leading to:
> 
>  [profiles]
> 	comment = Network Profiles Share
> 	csc policy = disable
> 	map acl inherit = Yes
> 	path = /srv/samba/profiles
> 	read only = No
> 	vfs objects = acl_xattr
> 	acl_xattr:default acl style = windows
> 	acl_xattr:ignore system acls = yes

Why have you added those two last lines?

> 
> But failing to create profiles for users; after fiddling a bit, I was
> forced to have '/srv/samba/profiles' as 775 :unixadm (a group member
> of 'Domain Administrators') and profile folders get created '777':
> 
>  root at vdmacpn1:~# ls -la /srv/samba/profiles/
>  totale 16
>  drwxrwxr-x  7 gaio    unixadm        92 28 nov 15.49 .
>  drwxrwxr-x  5 root    root           54  2 nov 19.24 ..
>  drwxrwxrwx  2 daniela segreteria      6  4 nov 10.57 daniela.V2
>  drwxrwxrwx 16 daniela segreteria    281 25 nov 11.59 daniela.V6
>  drwxrwxrwx 15 gaio    domain users  272 28 nov 15.49 gaio.V2
>  drwxrwxrwx 15 gaio    sa           4096 28 nov 14.47 gaio.V2.good
>  drwxrwxrwx 17 gaio    sa           4096  4 nov 11.57 gaio.V6
> 
> This seems a little strange and dangerous to me.
> 
> 
> What am I missing?! Thanks.

Well, because you have added this line:

acl_xattr:ignore system acls = yes

It does exactly what it says: Samba ignores the Unix attrs, the 'ugo'
ones (rwx), so what have you set from Windows?

You can read these on Linux with:
sudo samba-tool ntacl get /srv/samba/profiles --as-sddl

Rowland
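
Added example (not part of the original message and not Samba project code): with 'acl_xattr:ignore system acls = yes' the NT ACL is what decides access, so this sketch parses an SDDL string such as the one printed by the samba-tool command above and lists allow ACEs that hand inheritable modify rights to a broad group. The function names, the choice of "broad" trustees and the sample SDDL are assumptions constructed for illustration.

```python
import re

# SDDL rights mnemonics -> access-mask bits (generic, standard, file, DS aliases).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
}
# Bits that change content or security (write/append, delete, WRITE_DAC/OWNER, generic all/write).
MODIFY = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
# Trustees treated as "broad" here (an assumption of this example).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone", "AU": "Authenticated Users",
         "S-1-5-11": "Authenticated Users", "DU": "Domain Users"}
# Plain allow ACEs only: (A;flags;rights;object;inherit_object;trustee)
ACE_RE = re.compile(r"\(A;([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def pairs(field):
    """Split an SDDL flags/rights field into its two-letter tokens."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def parse_rights(field):
    """Access mask for a hex ("0x001f01ff") or mnemonic ("FRFX") rights field."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for token in pairs(field):
        mask |= RIGHTS[token]  # KeyError on a mnemonic this table lacks
    return mask

def broad_name(trustee):
    """Display name if the trustee is a broad group, else None."""
    if trustee.startswith("S-1-5-21-") and trustee.endswith("-513"):
        return "Domain Users"  # RID 513 in any domain
    return BROAD.get(trustee)

def broad_inherited_write(sddl):
    """Allow ACEs that pass modify rights down the tree to a broad trustee."""
    findings = []
    for flags, rights, trustee in ACE_RE.findall(sddl):
        mask, name = parse_rights(rights), broad_name(trustee)
        if name and {"OI", "CI"} & set(pairs(flags)) and mask & MODIFY:
            findings.append((name, flags, hex(mask)))
    return findings

# Constructed sample, shaped like `samba-tool ntacl get ... --as-sddl` output.
SAMPLE = ("O:S-1-5-21-1111111111-2222222222-3333333333-1105G:DUD:AI"
          "(A;OICI;0x001f01ff;;;WD)(A;;0x001200ad;;;DU)(A;OICIIO;FA;;;CO)")
print(broad_inherited_write(SAMPLE))
```

The non-inherited Domain Users entry in the sample is not reported, since it applies to the share root only; the inheritable Everyone entry is.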


