vfs_acl_xattr

[Rowland Penny]

On Tue, 31 Jul 2018 19:20:32 +0100
Rowland Penny via samba-technical <samba-technical at lists.samba.org>
wrote:

> On Tue, 31 Jul 2018 20:08:47 +0200
> Ralph Böhme <slow at samba.org> wrote:
> 
> > On Tue, Jul 31, 2018 at 08:58:19AM +0100, Rowland Penny via
> > samba-technical wrote:
> > >Has anybody got any idea how to make 'samba-tool ntacl set' ignore
> > >the system ACL's if 'acl_xattr:ignore system acls = yes' is set ?
> > 
> > hm, I guess samba-tool ntacl set bypasses the VFS stack.
> > 
> > -slow
> > 
> 
> I sort of thought something along those lines, so how do we make
> samba-tool ntacl set swerve into the VFS stack ???
> 
> Rowland
> samba-tool ntacl set

OK, I created a new directory called 'SYSVOL' and moved 'sysvol' and
its contents to the new dir, changed the ownership of 'SYSVOL' and
'sysvol' to 'BUILTIN\Administrators:SYSTEM', removed all but the Unix
acl's from both dirs. I then tried to set the EA with:

samba-tool ntacl set
'O:BAG:SYD:PAI(A;OICIIO;WDWOGXGWGR;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f03ff;;;SY)(A;OICIIO;WDWOGXGWGR;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x001200a9;;;SO)' /usr/local/samba/var/locks/SYSVOL/sysvol

If I read back the EA with:
samba-tool ntacl get /usr/local/samba/var/locks/SYSVOL/sysvol --as-sddl

I get:

'O:LAG:BAD:(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001200a9;;;AU)(A;OICI;;;;WD)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)'

No matter what I do, the EA is always owned by 'O:LAG:BA'

Is there any other way to set the ACL's that actually does what the
user wants ?

Rowland