samba4 sysvol permissions?

Matthieu Patou mat at samba.org
Thu Sep 22 20:30:39 MDT 2011


Hi Jeff,
On 22/09/2011 15:14, Jeff Sadowski wrote:
> In windows there are two places for permissions. The share permissions
> and the permissions of the directory itself. I was looking at the
> documentation but didn't see anything in samba4 docs except about
> setting the user_xattr flag which I did. Do I use xattr properties
> against "windows domain" groups and users? on each directory?
I'm not sure I got you right.

In Samba4 (and Samba 3.x with the xattr_acl module) we store NT ACLs as
extended attributes (security.ntacls). You can dump it with
getfattr -d -m "" <myfile>.
The best way to set ACLs for the moment is to do them in Windows.

Once you've defined the acls as you want you can use samba-tool to 
affect acls on other files, you just have to specify the sddl of your 
acls, for instance:


./bin/samba-tool ntacl set 'O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)' /tmp/p/sysvol/mydir

Will set the NTACL for this folder to 
O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU).

You can have more information about SDDL at 
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379567%28v=vs.85%29.aspx


The best way to get an SDDL is to dump it on a folder/file where you know
that you have set it the way you want.
For instance:
./bin/samba-tool ntacl get --as-sddl /tmp/p/sysvol

Will output
O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

Trying without the --sddl will output something more user readable but 
it can't be reused.

Hope it makes (more) sense.

-- 
Matthieu Patou
Samba Team
http://samba.org
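
An added example, not part of the original message and not Samba code: a small Python parser that decodes the SDDL string shown above into owner, group, DACL flags and ACEs, and lists which trustees hold rights that can modify content or the ACL. It handles only O:/G:/D: strings with hex access masks, as printed by samba-tool ntacl get --as-sddl above; the function and constant names are this example's own.

```python
import re

# Standard SDDL aliases and flags that occur in the string from the message.
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "SO": "Server Operators",
               "SY": "Local System", "AU": "Authenticated Users"}
ACE_FLAGS = {"OI": "object-inherit", "CI": "container-inherit",
             "IO": "inherit-only", "NP": "no-propagate", "ID": "inherited"}
DACL_FLAGS = {"P": "protected", "AI": "auto-inherited", "AR": "auto-inherit-required"}
MASK_NAMES = {0x001F01FF: "FILE_ALL_ACCESS",
              0x001200A9: "FILE_GENERIC_READ | FILE_GENERIC_EXECUTE"}
# Write data, append, write EA, delete child, write attributes,
# DELETE, WRITE_DAC, WRITE_OWNER.
MODIFY_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dflags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))+)$")
# The SDDL string shown in the message (constant name is this example's own).
SYSVOL_SDDL = ("O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P"
               "(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("expected O:<sid>G:<sid>D:<flags>(ace)... without a SACL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")
        mask = int(rights, 16)  # hex masks only; letter rights such as FA raise ValueError
        aces.append({"allow": ace_type == "A",
                     "flags": [ACE_FLAGS.get(f, f) for f in re.findall("..", flags)],
                     "mask": mask, "rights": MASK_NAMES.get(mask, hex(mask)),
                     "trustee": SID_ALIASES.get(sid, sid)})
    return {"owner": SID_ALIASES.get(m["owner"], m["owner"]),
            "group": SID_ALIASES.get(m["group"], m["group"]),
            "dacl_flags": [DACL_FLAGS[f] for f in re.findall("AI|AR|P", m["dflags"])],
            "aces": aces}

def trustees_with_modify(sd):
    """Trustees whose allow ACE has any bit that can change content or the ACL."""
    return [a["trustee"] for a in sd["aces"] if a["allow"] and a["mask"] & MODIFY_BITS]

if __name__ == "__main__":
    sd = parse_sddl(SYSVOL_SDDL)
    for ace in sd["aces"]:
        print(ace["trustee"], ace["rights"], ace["flags"])
    print("can modify:", trustees_with_modify(sd))
```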


