[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
Peter Milesson
miles at atmos.eu
Wed Jan 31 08:13:38 UTC 2024
Hi folks,

No, it does not work. Sorry for the noise. See below.

On 31.01.2024 8:51, Peter Milesson via samba wrote:
> Hi folks,
>
> Thanks everybody for your information.
>
> I have continued my testing and have got the following to report:
>
> Setting up the share with either root:"Domain Admins", or
> "Administrator":"Domain Admins" as owner, while setting permissions on
> the share folder to 0777 from the start, and acl_xattr:ignore system
> acls = yes on the share definition in smb.conf (I did not forget to
> restart smbd and winbind)
>
> Then in Windows Computer management/Security I get the following list:
> Owner: (root or Administrator)
>
> root (or Administrator)   Full Control            This folder only
> Domain Admins             Read, write & execute   This folder only
> Everyone                  Read, write & execute   This folder only
> SYSTEM                    Full Control            This folder only
>
> Any change I make to the list ends with the error message "Failed to
> enumerate objects in the container. Access is denied" after clicking OK.
>
> If I first make the basic setup of the share to my liking, without
> having acl_xattr:ignore system acls = yes active, and then reload smbd
> with acl_xattr:ignore system acls = yes, it seems to work.
>
> It does not seem important whether the Linux permissions on the share
> folder are 0770 or 0777, or Linux owner on the share folder being root
> or Administrator when setting it up. I have not investigated if the
> folder permissions are important for the share later on.
>
> Best regards,
>
> Peter
>
>
Permissions set under Windows are not honored completely. As a user with
administrative privileges, I set a subfolder in the share to full
control for a group (even tried to change ownership). Then I logged in to
Windows as a user belonging to that group, opened the share, and tried
to add something in that subfolder. It results in access denied.

I will continue to dig into this. Something is not working, or not
working according to documentation with ignore system acls = yes.

Best regards,

Peter