[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
Bailey Allison
ballison at 45drives.com
Wed Jan 31 14:45:59 UTC 2024
I'm wondering if I can get some validation on another solution I think works for this issue.
Here is my share configuration:
[samba]
map acl inherit = Yes
path = /mnt/cephfs/share
read only = No
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
Here are the share permissions:
root@ubuntugw1:~# ls -la /mnt/cephfs/share/
total 0
drwxrwx--- 2 ballison domain admins
When I go on Windows I see the following on the share:
Bailey Allison - Full Control
Domain Admins - Read Write & Execute
SYSTEM - Full Control
From here, when I am logged in as my user (ballison) I can do whatever I want with permissions on the share that I please, because my user ballison has full control on the share.
Can someone else validate this/confirm this?
If I then go and change the permissions to root:domain admins, I then lose access to modify permissions. Though my account ballison is in the Domain Admins group, the group does not have full control and cannot modify permissions on the share.
I guess my observation here is why does the owner user pull Full Control from having 7 set, and the owner group pull Read Write & Execute from having 7 set?
For the configuration I am using Ubuntu 20 with Samba version 4.15.13 and using CephFS for the storage.
Regards,
Bailey
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Peter
> Milesson via samba
> Sent: January 31, 2024 10:02 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Behavior of acl_xattr:ignore system acls = yes on a
> share
>
> Problem solved (I hope)!
>
> On 31.01.2024 12:40, Ralph Boehme via samba wrote:
> > On 1/31/24 12:02, Rowland Penny via samba wrote:
> >> Which looks correct to myself, so a bug ?
> > something to look into in more detail, ie logs and network traces. :)
> >
> > -slow
> Hi folks,
>
> I added the following parameter to the share definition in smb.conf:
>
> acl_xattr:default acl style = windows
>
> Now the share definition is:
>
> [Migrtest]
> path = /data/migrtest
> read only = no
> acl_xattr:ignore system acls = yes
> acl_xattr:default acl style = windows
>
> What I do now is the following:
>
> * Create the folder for the share
>
> * Set ownership root:"Domain Admins"
>
> * Set permissions on the folder 0777
>
> * Make sure the share is defined in smb.conf as above
>
> * smbcontrol smbd reload-config && smbcontrol winbind reload-config
>
> * Open Computer Management in Windows as a user with domain admin
> privileges
>
> * Connect to the Samba machine (not mentioning the quirky steps here...)
>
> * Click on the share that shows up and select Properties
>
> * Go to the Security tab
>
> * The security tab is blank at first, with information that you need
> read permissions to view the properties of this object.
>
> * Click Advanced
>
> * Change ownership to Domain Admins and mark Replace owner on
> subcontainers and objects (I don't know if this is necessary, at
> least it does not seem harmful)
>
> * A message pops up, that I do not have permissions to read the
> contents of directory bla, bla, bla. Click OK
>
> * Right click on the share and select refresh
>
> * Right click on the share again and select Properties
>
> * Go to the Security tab
>
> * Now, there should be one entry.
>
> * Add any security objects and permissions you want for the share
>
> * (I don't know if inheritance should be disabled, or not. Please
> advise if you have got useful information here).
>
> * Start using the share
>
> Seems to work well enough.
>
> Best regards,
>
> Peter
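An added example, not part of the original thread and not Samba's own code: a small Python check that parses the two share definitions quoted above (reproduced as a constructed sample, trimmed to the relevant lines) and reports, per share, whether acl_xattr is listed in vfs objects and whether acl_xattr:ignore system acls is enabled. The function names are hypothetical, and a "module not in vfs objects" note reflects only the text passed in; the thread does not show either poster's [global] section.

```python
import re

# Constructed sample: the two share definitions from the thread, trimmed.
# No [global] section is included because the thread does not show one.
SAMPLE = """\
[samba]
    path = /mnt/cephfs/share
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes
[Migrtest]
    path = /data/migrtest
    acl_xattr:ignore system acls = yes
    acl_xattr:default acl style = windows
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # first '=' only; keys contain ':'
            current[norm(key)] = value.strip()
    return sections

def audit_acl_xattr(text):
    """Per share: module loaded?, acl_xattr:* options set, review notes."""
    conf = parse_smb_conf(text)
    glob, report = conf.pop("global", {}), {}
    for name, params in conf.items():
        eff = {**glob, **params}  # a share's setting overrides [global]
        opts = {k: v for k, v in eff.items() if k.startswith("acl_xattr:")}
        loaded = "acl_xattr" in re.split(r"[\s,]+", eff.get("vfsobjects", ""))
        notes = []
        if opts and not loaded:
            notes.append("acl_xattr options set, module not in vfs objects")
        if eff.get("acl_xattr:ignoresystemacls", "no").lower() in ("yes", "true", "1"):
            notes.append("system ACLs ignored, check POSIX mode on " + eff.get("path", "?"))
        report[name] = {"loaded": loaded, "options": opts, "notes": notes}
    return report
```

Calling `audit_acl_xattr(SAMPLE)` returns a dictionary keyed by lower-cased share name; the "check POSIX mode" note is a reminder to review the directory mode for any access path that does not go through Samba.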