[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
Peter Milesson
miles at atmos.eu
Wed Jan 31 13:17:37 UTC 2024
Hi Sebastian,
The problem in the first place is, that acl_xattr:ignore system acls =
yes does not work as expected. If I create the share according to Ralph
Böhme's recommendation, there is no security.NTACL created at all, and I
can not change any security objects for the share. If I create and use
the share without acl_xattr:ignore system acls = yes, then I get the
security.NTACL. But then the share is only later usable WITHOUT the
acl_xattr:ignore system acls = yes parameter set. If I use this
parameter after setting up the share, then the permissions are set
permanently for all sub folders and files. Even if I edit permissions
for a sub folder, or a file, what's defined in the root share security
settings apply, even if it does not look that way when examining file
properties.
Of course, I could skip the whole acl_xattr:ignore system acls = yes
stuff and get a fairly well working share, but now there definitely
seems to be a problem using this parameter, and the problems should be
resolved. Either there is a bug in Samba or, there is something fishy in
my setup.
As you can se from my configuration information, I use Debian Bookworm
with Samba from backports. All necessary prerequisites are included here.
Best regards,
Peter
On 31.01.2024 13:25, Sebastian Neustein via samba wrote:
> Does you filesystem support extended attributes? What does "|getfattr -n
> security.NTACL |filename" return?||
>
> On 30.01.2024 16:13, Peter Milesson wrote:
>> Hi folks,
>>
>> It seems that the setting acl_xattr:ignore system acls = yes reduces
>> Windows compatibility when defined for a share. In all attempts I have
>> used Windows tools (except editing smb.conf)
>>
>> Assume there is a share, where the files and folders in the share root
>> should at least be readable by anybody having access to the share. For
>> the sake of simplicity the following permissions apply on the share:
>>
>> Inheritance disabled
>> Owner: root (Unix User\root)
>> Domain Admins: full control (this folder, subfolder and files)
>> Testgroup: read & execute (this folder, subfolder and files)
>> System: full control (this folder, subfolder and files)
>> creator owner: (this folder, subfolder and files)
>>
>> I want however, to set ownership and access permissions for different
>> groups to different sub folders. So with acl_xattr:ignore system acls
>> = yes I create the sub folder Testfolder, set testgroup as owner, and
>> disabling inheritance. When checking the permissions on the folder
>> with getfacl I get:
>>
>> # file: Testfolder
>> # owner: testgroup
>> # group: domain\040admins
>> user::rwx
>> user:root:rwx
>> user:domain\040admins:rwx
>> user:testgroup:r-x
>> group::r-x
>> group:NT\040Authority\\system:rwx
>> group:domain\040admins:rwx
>> group:testgroup:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:domain\040admins:rwx
>> default:user:testgroup:r-x
>> default:group::r-x
>> default:group:NT\040Authority\\system:rwx
>> default:group:domain\040admins:rwx
>> default:group:testgroup:r-x
>> default:mask::rwx
>> default:other::---
>>
>> WITHOUT acl_xattr:ignore system acls = yes I create Testfolder2, and
>> again setting testgroup as owner, and disabling inheritance. The
>> resulting getfacl is:
>>
>> # file: Testfolder2
>> # owner: testgroup
>> # group: domain\040admins
>> user::rwx
>> user:domain\040admins:rwx
>> group::rwx
>> group:NT\040Authority\\system:rwx
>> group:domain\040admins:rwx
>> group:testgroup:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:domain\040admins:rwx
>> default:user:testgroup:rwx
>> default:group::---
>> default:group:NT\040Authority\\system:rwx
>> default:group:domain\040admins:rwx
>> default:group:testgroup:rwx
>> default:mask::rwx
>> default:other::---
>>
>> In the first case (with acl_xattr:ignore system acls = yes), I get
>> access denied when trying to create anything whatsoever as a user
>> belonging to the testgroup. In the second case, no problem at all to
>> create files and folders for the user belonging to the testgroup.
>>
>> According to the documentation acl_xattr:ignore system acls = yes
>> should increase compatibility with Windows. IMHO, it does the
>> opposite. On my Windows server I have got no problems at all to define
>> a set of permissions for the share, and then tweaking sub folders to
>> what I need.
>>
>> Either I have completely misunderstood the concept, or there is
>> something not working as it should.
>>
>> I would be very happy to get some explanations.
>>
>> Member server Debian Bookworm with Samba from backports (4.19.4)
>>
>> smb.conf below.
>>
>> Best regards,
>>
>> Peter
>>
>>
>> [global]
>> security = ADS
>> server role = member server
>> realm = PRIVATE.TALPS
>> workgroup = PRIVATE
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> log level = 1
>> disable spoolss = Yes
>> printcap name = /dev/null
>> template homedir = /home/%U
>> template shell = /bin/bash
>> timestamp logs = Yes
>> username map = /etc/samba/user.map
>> min domain uid = 0
>> # winbind enum groups = Yes
>> # winbind enum users = Yes
>> winbind expand groups = 4
>> # winbind offline logon = Yes
>> winbind refresh tickets = Yes
>> winbind use default domain = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-9999
>> idmap config private : backend = rid
>> idmap config private : range = 10000-99999
>> map acl inherit = Yes
>> inherit acls = yes
>> apply group policies = yes
>> vfs objects = acl_xattr
>>
>> [Migrtest]
>> path = /data/migrtest
>> read only = no
>> acl_xattr:ignore system acls = yes
>>
>>
>>
>>
>
> --
> Sebastian Neustein
>
> Airport Research Center GmbH
> Bismarckstraße 61
> 52066 Aachen
> Germany
>
> Phone: +49 241 16843-23
> Fax: +49 241 16843-19
> e-mail:sebastian.neustein at arc-aachen.de
> Website:http://www.airport-consultants.com
>
> Register Court: Amtsgericht Aachen HRB 7313
> Ust-Id-No.: DE196450052
>
> Managing Director:
> Dipl.-Ing. Tom Alexander Heuer
More information about the samba
mailing list