[Samba] Behavior of acl_xattr:ignore system acls = yes on a share

Bailey Allison ballison at 45drives.com
Wed Jan 31 14:45:59 UTC 2024


I'm wondering if I can get some validation on another solution I think works for this issue.

Here is my share configuration:

[samba]
        map acl inherit = Yes
        path = /mnt/cephfs/share
        read only = No
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = yes

Here are the share permissions:

root at ubuntugw1:~# ls -la /mnt/cephfs/share/
total 0
drwxrwx---   2 ballison domain admins

When I go on Windows I see the following on the share:

Bailey Allison - Full Control

Domain Admins - Read Write & Execute

SYSTEM - Full Control

From here, when I am logged in as my user (ballison) I can do whatever I want with permissions on the share that I please, because my user ballison has full control on the share.

Can someone else validate this/confirm this?

If I then go and change the permissions to root:domain admins, I then lose access to modify permissions. Though my account ballison is in the Domain Admins group, the group does not have full control and cannot modify permissions on the share.

I guess my observation here is why does the owner user pull Full Control from having 7 set, and the owner group pull Read Write & Execute from having 7 set?

For the configuration I am using ubuntu 20 with samba version 4.15.13 and using CephFS for the storage.

Regards,

Bailey

> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Peter
> Milesson via samba
> Sent: January 31, 2024 10:02 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Behavior of acl_xattr:ignore system acls = yes on a
> share
> 
> Problem solved (I hope)!
> 
> On 31.01.2024 12:40, Ralph Boehme via samba wrote:
> > On 1/31/24 12:02, Rowland Penny via samba wrote:
> >> Which looks correct to myself, so a bug?
> > something to look into in more detail, ie logs and network traces. :)
> >
> > -slow
> Hi folks,
> 
> I added the following parameter to the share definition in smb.conf:
> 
> acl_xattr:default acl style = windows
> 
> Now the share definition is:
> 
> [Migrtest]
>          path = /data/migrtest
>          read only = no
>          acl_xattr:ignore system acls = yes
>          acl_xattr:default acl style = windows
> 
> What I do now is the following:
> 
>   * Create the folder for the share
> 
>   * Set ownership root:"Domain Admins"
> 
>   * Set permissions on the folder 0777
> 
>   * Make sure the share is defined in smb.conf as above
> 
>   * smbcontrol smbd reload-config && smbcontrol winbind reload-config
> 
>   * Open Computer Management in Windows as a user with domain admin
>     privileges
> 
>   * Connect to the Samba machine (not mentioning the quirky steps here...)
> 
>   * Click on the share that shows up and select Properties
> 
>   * Go to the Security tab
> 
>   * The security tab is blank at first, with information that you need
>     read permissions to view the properties of this object.
> 
>   * Click Advanced
> 
>   * Change ownership to Domain Admins and mark Replace owner on
>     subcontainers and objects (I don't know if this is necessary, at
>     least it does not seem harmful)
> 
>   * A message pops up, that I do not have permissions to read the
>     contents of directory bla, bla, bla. Click OK
> 
>   * Right click on the share and select refresh
> 
>   * Right click on the share again and select Properties
> 
>   * Go to the Security tab
> 
>   * Now, there should be one entry.
> 
>   * Add any security objects and permissions you want for the share
> 
>   * (I don't know if inheritance should be disabled, or not. Please
>     advise if you have got useful information here).
> 
>   * Start using the share
> 
> Seems to work well enough.
> 
> Best regards,
> 
> Peter
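As an added example (not code from this thread or from the Samba project), here is a small Python audit that reads smb.conf stanzas like the two above and reports, per share, whether the acl_xattr module is actually loaded (share-level or global vfs objects) and which ignore system acls / default acl style combination is in effect. The sample config is constructed from the two share definitions in this thread; the posix fallback is the documented default of acl_xattr:default acl style.

```python
import re
# Constructed smb.conf text modelled on the two share definitions quoted in this thread.
SAMPLE_SMB_CONF = """[global]
        vfs objects = acl_xattr
[samba]
        path = /mnt/cephfs/share
        read only = No
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = yes
[Migrtest]
        path = /data/migrtest
        read only = no
        acl_xattr:ignore system acls = yes
        acl_xattr:default acl style = windows
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: [sections], 'key = value' lines, '#'/';' comments; keys lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;": continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit_acl_xattr(conf):
    """Per share: is acl_xattr loaded, and which ignore-system-acls / default-acl-style pair applies?"""
    glob = conf.get("global", {})
    def setting(share, key, default):          # share value, else [global] value, else default
        return share.get(key, glob.get(key, default)).strip().lower()
    report = {}
    for name, share in conf.items():
        if name == "global": continue
        notes = []
        vfs = setting(share, "vfs objects", "").split()
        if any(k.startswith("acl_xattr:") for k in share) and "acl_xattr" not in vfs:
            notes.append("acl_xattr options set but module not in vfs objects")
        ignore = setting(share, "acl_xattr:ignore system acls", "no")
        style = setting(share, "acl_xattr:default acl style", "posix")  # posix is the man page default
        if ignore in ("yes", "true", "1"):
            notes.append(f"ignore system acls = yes, default acl style = {style}")
        report[name] = notes
    return report
```

Run it against the real /etc/samba/smb.conf to see at a glance which shares rely on the posix-style synthesized ACL (Bailey's case) and which use the windows style Peter added.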
