about "ea support" parameter

Rowland penny rpenny at samba.org
Thu Nov 26 14:41:12 UTC 2020


On 26/11/2020 13:56, Ralph Boehme wrote:
> Am 11/26/20 um 2:38 PM schrieb Rowland penny via samba-technical:
>> On 26/11/2020 12:31, Leo Fan via samba-technical wrote:
>>> Hi Ralph,
>>>
>>> Thanks for your quick response!
>>>
>>> Glad to know both Windows and MAC apps make heavy use of streams but 
>>> not EAs, I am more confident that we can disable EA support.
>>> Both Data streams and EAs are used to store extra (meta)data of 
>>> files/directories.
>>> I am curious which kind of applications would use EA.
>>>
>> I am not confident you can disable EA support. Why do you think the 
>> default was set to 'yes' ? Could it have anything to do with an EA is 
>> where the Windows ACLs are stored by Samba ?
>
> yes. But see my initial mail.
>
>>
>> If you set the permissions from Windows, the ACES etc are stored in 
>> an EA, ergo, if you are using Windows, you really need EAs.
>
> no. See my initial mail. :)
>
> -slow
>
Are you sure about that ?

Running 'ls' against 'sysvol' gets this:

root@dc4:~# ls -lad /var/lib/samba/sysvol/
drwxrws---+ 3 3000000 3000027 4096 Jul 22  2018 /var/lib/samba/sysvol/

Which shows that there are xattrs:

root@dc4:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: 3000000 # S-1-5-32-544 # BUILTIN_ADMINISTRATORS
# group: 3000027 # S-1-5-18 # SYSTEM
# flags: -s-
user::rwx
user:3000007:r-x # S-1-5-11 # AUTHENTICATED_USERS
user:3000026:r-x # S-1-5-32-549 # SERVER_OPERATORS
user:3000027:rwx # S-1-5-18 # SYSTEM
group::rwx
group:3000000:rwx # S-1-5-32-544 # BUILTIN_ADMINISTRATORS
group:3000007:r-x # S-1-5-11 # AUTHENTICATED_USERS
group:3000026:r-x # S-1-5-32-549 # SERVER_OPERATORS
group:3000027:rwx # S-1-5-18 # SYSTEM
mask::rwx
other::---
default:user::rwx
default:user:3000000:rwx # S-1-5-32-544 # BUILTIN_ADMINISTRATORS
default:user:3000007:r-x # S-1-5-11 # AUTHENTICATED_USERS
default:user:3000026:r-x # S-1-5-32-549 # SERVER_OPERATORS
default:user:3000027:rwx # S-1-5-18 # SYSTEM
default:group::---
default:group:3000000:rwx # S-1-5-32-544 # BUILTIN_ADMINISTRATORS
default:group:3000007:r-x # S-1-5-11 # AUTHENTICATED_USERS
default:group:3000026:r-x # S-1-5-32-549 # SERVER_OPERATORS
default:group:3000027:rwx # S-1-5-18 # SYSTEM
default:mask::rwx
default:other::---

Note I annotated who the 'numbers' are

But if I look at the EA:

root@dc4:~# samba-tool ntacl get /var/lib/samba/sysvol/ --as-sddl
O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f03ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)

It is much finer grained on the permissions AND there is another 'owner' 
that getfacl doesn't show 'CO' 'CREATOR_OWNER'.

You might think that you can get away with not using EAs, but I think 
differently, so I suppose we will have to agree to disagree 😁

Rowland
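
Added example, not part of the message above and not Samba code: a small Python parser for the SDDL string from the `samba-tool ntacl get` output, which decodes each ACE's trustee, access mask and inheritance flags, the detail the POSIX ACL listing cannot express. The alias and rights tables are limited to the tokens that occur in that string, and the function names are hypothetical.

```python
import re

# Aliases and rights tokens below cover only what appears in the quoted SDDL string.
SIDS = {"BA": "BUILTIN_ADMINISTRATORS", "SY": "SYSTEM", "AU": "AUTHENTICATED_USERS",
        "SO": "SERVER_OPERATORS", "CO": "CREATOR_OWNER"}
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "WO": 0x00080000, "WD": 0x00040000}
ACE_FLAGS = {"OI": "object-inherit", "CI": "container-inherit", "IO": "inherit-only"}

# SDDL string copied from the samba-tool output in the message.
SDDL = ("O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)"
        "(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f03ff;;;SY)"
        "(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)"
        "(A;;0x001200a9;;;SO)")

def pairs(s):
    """Split a string of two-letter SDDL tokens into a list."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_sddl(sddl):
    """Return owner, group, DACL flags and a list of decoded ACEs."""
    m = re.fullmatch(r"O:([\w-]+?)G:([\w-]+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout (expects O:, G:, D: in that order)")
    owner, group, dacl_flags, body = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", body):
        ace_type, flags, rights, _obj, _inherit_obj, sid = ace.split(";")
        if rights.startswith("0x"):
            mask = int(rights, 16)          # explicit access mask
        else:
            mask = 0
            for token in pairs(rights):     # symbolic rights, OR-ed together
                mask |= RIGHTS[token]
        aces.append({"type": ace_type, "sid": sid, "mask": mask,
                     "flags": [ACE_FLAGS[f] for f in pairs(flags)]})
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}

def inherit_only_trustees(acl):
    """Trustees whose ACE applies only to children, not to the directory itself."""
    return [a["sid"] for a in acl["aces"] if "inherit-only" in a["flags"]]

if __name__ == "__main__":
    acl = parse_sddl(SDDL)
    print("owner", SIDS[acl["owner"]], "group", SIDS[acl["group"]], "flags", acl["dacl_flags"])
    for a in acl["aces"]:
        print(f'{a["type"]} {SIDS[a["sid"]]:<24} 0x{a["mask"]:08x} {",".join(a["flags"])}')
```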
