Rowland Penny rpenny at samba.org
Tue Jul 31 12:53:57 UTC 2018

On Tue, 31 Jul 2018 13:42:41 +0100
"Miguel medalha" <medalist at sapo.pt> wrote:

> >> Yes, the code shows that if "ignore_system_acls = yes" then
> >> validate_nt_acl_blob() merely returns the security.NTACL
> >> blob read from the filesystem and ignores the underlying
> >> filesystem ACL store (be it POSIX or anything else).
> > Oh good, I hoped that was the case; well, it doesn't.
> > If I create a dir, chmod 0777, chown root:BUILTIN\Administrators,
> > then check with 'ls', I get back what I expect, 'drwxrwxrwx' (note
> > the lack of '+' that denotes further ACLs are set).
> > If I then use 'samba-tool ntacl set' to set 'security.NTACL' on the
> > dir using an sddl that starts 'O:BAG:SYD:PAI(', when I check it with
> > 'samba-tool ntacl get', I get back a totally different sddl which
> > starts 'O:LAG:BAD:('. Also the directory permissions have sprouted a
> > '+' on the end and there are multiple ACLs shown by getfacl. The
> > share has 'acl_xattr:ignore system acls = yes' set.
> > I am sure somebody is going to say that I am not setting them
> > through Samba, I am setting them on the OS, but this needs to be
> > fixed because it explains why sysvolcheck keeps throwing an error.
> > Has anybody got any idea how to make 'samba-tool ntacl set' ignore
> > the system ACLs if 'acl_xattr:ignore system acls = yes' is set?
> There's another setting influencing this behavior. From "man
> vfs_acl_xattr" (Samba 4.8.3):
> «
> acl_xattr:default acl style = [posix|windows|everyone]
>     This parameter determines the type of ACL that is synthesized in
>     case a file or directory lacks a security.NTACL xattr.
>     When set to posix, an ACL will be synthesized based on the POSIX
>     mode permissions for user, group and others, with an additional
>     ACE for NT Authority\SYSTEM with full rights.
>     When set to windows, an ACL is synthesized the same way Windows
>     does it, only including permissions for the owner and NT
>     Authority\SYSTEM.
>     When set to everyone, an ACL is synthesized giving full
>     permissions to everyone (S-1-1-0).
>     The default for this option is posix.
> »

do you mean as in:

    path = /usr/local/samba/var/locks/sysvol
    read only = no
    acl_xattr:ignore system acls = yes
    acl_xattr:default acl style = windows

    path = /usr/local/samba/var/locks/sysvol/samdom.example.com/scripts
    read only = no
    acl_xattr:ignore system acls = yes
    acl_xattr:default acl style = windows

Yes, as you can see, I tried that; it didn't make any difference ;-)

As I said, at least it explains why sysvolcheck doesn't work.
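The mismatch reported above (set 'O:BAG:SYD:PAI(...', got back 'O:LAG:BAD:(...') can be checked mechanically by parsing the SDDL header of what 'samba-tool ntacl set' was given against what 'samba-tool ntacl get' returns. The following is an added example, not Samba code; only the two header prefixes come from the thread, the ACE bodies in the sample strings are constructed.

```python
import re

# Two-letter SID aliases that appear in this thread (subset of the SDDL alias table).
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
               "LA": "Local Administrator", "WD": "Everyone"}

_SID = r"(?:[A-Z]{2}|S-1-(?:\d+-)*\d+)"
_HEADER = re.compile(rf"^O:(?P<owner>{_SID})G:(?P<group>{_SID})D:(?P<dflags>[A-Z_]*?)(?=\(|S:|$)")
_DACL_FLAG_TOKENS = ("NO_ACCESS_CONTROL", "AR", "AI", "P")   # SDDL DACL control flags
_ACE = re.compile(r"\(([^)]*)\)")

# Constructed samples: headers as in the thread, ACEs invented for illustration.
SET_SDDL = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
GOT_SDDL = "O:LAG:BAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"

def _split_flags(text):
    """Split the DACL control-flag run (e.g. 'PAI') into its tokens."""
    flags = []
    while text:
        tok = next((t for t in _DACL_FLAG_TOKENS if text.startswith(t)), None)
        if tok is None:
            raise ValueError("unknown DACL flag in %r" % text)
        flags.append(tok)
        text = text[len(tok):]
    return frozenset(flags)

def parse_sddl(sddl):
    """Return owner, group, DACL control flags and ACE fields from an SDDL string."""
    m = _HEADER.match(sddl)
    if not m:
        raise ValueError("no O:/G:/D: header in %r" % sddl)
    dacl_text = sddl[m.end():].split("S:", 1)[0]   # ignore a trailing SACL if present
    return {
        "owner": SID_ALIASES.get(m["owner"], m["owner"]),
        "group": SID_ALIASES.get(m["group"], m["group"]),
        "dacl_flags": _split_flags(m["dflags"]),
        "aces": [ace.split(";") for ace in _ACE.findall(dacl_text)],
    }

def compare_ntacl(expected_sddl, actual_sddl):
    """List every header field where the stored NTACL differs from what was set."""
    exp, act = parse_sddl(expected_sddl), parse_sddl(actual_sddl)
    problems = []
    for field in ("owner", "group"):
        if exp[field] != act[field]:
            problems.append("%s: set %s, got %s" % (field, exp[field], act[field]))
    for flag in sorted(exp["dacl_flags"] - act["dacl_flags"]):
        problems.append("DACL flag %s was dropped" % flag)
    if len(exp["aces"]) != len(act["aces"]):
        problems.append("ACE count: set %d, got %d" % (len(exp["aces"]), len(act["aces"])))
    return problems
```

Feed it the sddl you passed to 'samba-tool ntacl set' and the output of 'samba-tool ntacl get'; an empty list means the blob came back as stored, anything else names the field that was rewritten.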

