Miguel medalha medalist at sapo.pt
Tue Jul 31 12:42:41 UTC 2018

>> Yes, the code shows that if "ignore_system_acls = yes" then
>> validate_nt_acl_blob() merely returns the security.NTACL
>> blob read from the filesystem and ignore the underlying
>> filesystem ACL store (be it POSIX or anything else).

> Oh good, I hoped that was the case, well it doesn't.

> If I create a dir, chmod 0777, chown root:BUILTIN\Administrators, then
> check with 'ls' I get back what I expect 'drwxrwxrwx' (note the lack of
> '+' that denotes further ACLs are set)

> If I then use 'samba-tool ntacl set' to set 'security.NTACL' on the dir
> using a sddl that starts 'O:BAG:SYD:PAI(', when I check it with
> 'samba-tool ntacl get', I get back a totally different sddl which
> starts 'O:LAG:BAD:('. Also the directory permissions have sprouted a '+'
> on the end and there are multiple ACLs shown by getfacl. The share has
> 'acl_xattr:ignore system acls = yes' set.

> I am sure somebody is going to say that I am not setting them through
> Samba, I am setting them on the OS, but this needs to be fixed because
> it explains why sysvolcheck keeps throwing an error.

> Has anybody got any idea how to make 'samba-tool ntacl set' ignore the
> system ACLs if 'acl_xattr:ignore system acls = yes' is set?

There's another setting influencing this behavior. From "man vfs_acl_xattr"
(Samba 4.8.3):

acl_xattr:default acl style = [posix|windows|everyone]
           This parameter determines the type of ACL that is synthesized in
           case a file or directory lacks a security.NTACL xattr.

           When set to posix, an ACL will be synthesized based on the POSIX
           mode permissions for user, group and others, with an additional
           ACE for NT Authority\SYSTEM with full rights.

           When set to windows, an ACL is synthesized the same way Windows
           does it, only including permissions for the owner and NT
           Authority\SYSTEM.

           When set to everyone, an ACL is synthesized giving full control
           to everyone (S-1-1-0).

           The default for this option is posix.
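The mismatch described above between the SDDL passed to 'samba-tool ntacl set' and the one returned by 'samba-tool ntacl get' is easiest to pin down by comparing the two strings field by field (owner, group, DACL control flags, individual ACEs). The following is an added example, not code from the thread or from Samba; the SDDL strings in it are constructed to mirror only the 'O:BAG:SYD:PAI(' and 'O:LAG:BAD:(' prefixes quoted above, and the SID alias table covers just the well-known abbreviations needed here.

```python
import re

# Well-known SDDL SID abbreviations (subset relevant to the thread).
SID_ALIASES = {
    "BA": "Builtin Administrators", "SY": "NT Authority\\SYSTEM",
    "LA": "Local Administrator", "BU": "Builtin Users",
    "WD": "Everyone (S-1-1-0)", "AU": "Authenticated Users",
}

# O:owner G:group D:[flags](ace)(ace)... with an optional S:sacl suffix.
SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*?)(?:S:.*)?$")
ACE_RE = re.compile(r"\(([^)]*)\)")  # (type;flags;rights;obj;inherit_obj;sid)

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    dacl = m.group("dacl")
    first = dacl.find("(")
    flags = dacl if first < 0 else dacl[:first]   # e.g. "PAI" = protected + auto-inherited
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        aces.append(tuple(fields))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": set(re.findall(r"AI|AR|P", flags)), "aces": aces}

def describe(sid):
    return SID_ALIASES.get(sid, sid)

def diff_sddl(expected, actual):
    """Return human-readable differences between what was set and what came back."""
    e, a = parse_sddl(expected), parse_sddl(actual)
    diffs = []
    for field in ("owner", "group"):
        if e[field] != a[field]:
            diffs.append("%s: set %s, got %s" % (field, describe(e[field]), describe(a[field])))
    if e["dacl_flags"] != a["dacl_flags"]:
        diffs.append("dacl flags: set %s, got %s" % (sorted(e["dacl_flags"]), sorted(a["dacl_flags"])))
    diffs += ["missing ACE for %s: %s" % (describe(x[5]), x) for x in e["aces"] if x not in a["aces"]]
    diffs += ["unexpected ACE for %s: %s" % (describe(x[5]), x) for x in a["aces"] if x not in e["aces"]]
    return diffs

# Constructed strings: they only mirror the 'O:BAG:SYD:PAI(' and 'O:LAG:BAD:(' prefixes from the post.
SET_SDDL = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
GOT_SDDL = "O:LAG:BAD:(A;OICI;FA;;;LA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;WD)"
```

Feed the two strings from a real set/get round trip into diff_sddl() and an empty list means the stored blob came back unchanged; anything else shows exactly which field the server rewrote.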

