[Samba] Dir ACL through windows and chmod

L.P.H. van Belle belle at bazuin.nl
Wed Apr 12 14:36:28 UTC 2017


Hi,

Mixing POSIX and Windows ACLs works fine here.

But for these shares you have to set: acl_xattr:ignore system acls = yes
on the share, resulting in Windows ignoring the underlying POSIX rights, but my Linux users do get the rights on the system itself.

It's a bit of fiddling around until you get it, but it does work here.
Now setting it the other way around won't work, like POSIX rights on the share (your example).

Setup is as follows.
Create the needed folder, set the needed POSIX rights on it.
Mixing them together: give "domain users" a gid.
Set 2770 on the folder.

Now follow the wiki link Rowland sent.
On the Windows share security, the default is ok.
In the Windows folder security of the share,
make sure you set "CREATOR GROUP".

I use this on my www data folders.
For example, system 1 generates the website. This is a system outside the Windows domain and writes over NFSv3 to the webserver.
The webserver contains the wwwdata folder with a Windows share.

It shows like this:

(for the server that generates the sites (Debian wheezy))
ls -al /home/remote/webserver/www
-rwxr-xr-x+ 1 LINUX_USER_ON_SERVER1 LINUX_GROUP_ON_SERVER1  .. 

The acl on "www"
# file: www/
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:2000:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group::rwx
default:mask::rwx
default:other::r-x

Now the webserver is a Samba AD domain-joined server (Debian jessie).
I needed NFSv4 and Kerberos on that server.

ls -al /var/www/somefolder/
drwxr-sr-x+ 49 1001        2018 4096 Apr 11 10:38 www

# file: var/www/bazuin/www
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx                   #effective:r-x
group::r-x
group:root:r-x
group:2000:rwx                  #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:Win-AD-GROUP:rwx
default:mask::rwx
default:other::r-x

It looks messy because of unresolved uids/gids,

drwxrwsr-x+  9 root Win-AD-GROUP 4096 Sep  6  2016 changes1
drwxr-xr-x+ 35 1001        2018 4096 Sep 22  2016 changes2

but it does work.


Just test a bit before you go into production with it. 

Systems used here in this setup:
Samba 3.6.x => writes over NFSv3 (SCO Unix)
Samba 4.1.17 => writes over NFSv3 (Debian wheezy) (was Debian squeeze)
Samba 4.5.8 AD DC. Does not write (Debian jessie) (as of Samba 4.1.x)
Samba 4.5.8 webserver, AD member (Debian jessie), writes from Win PC.

Share:
[mysecret-www-folder$]
    browseable = yes
    path = /var/www
    read only = no
    acl_xattr:ignore system acls = yes


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dmitry via samba
> Sent: Wednesday, 12 April 2017 14:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] Dir ACL through windows and chmod
> 
> Thank you, but this did nothing. Users from group 'g02' can access
> folder '01'. But this folder has an ACL set up only for group 'g01'.
> 
> 
> > You could investigate using 'access based share enum = yes'
> >
> > and setting the permissions from Windows, see here:
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > You will also need to remove these lines:
> >
> >      valid users = @"Domain Users" @"Domain Admins" @all
> >      admin users = admin @it
> > #    inherit acls = yes
> >      force create mode = 0777
> >      directory mask = 0770
> >      hide unreadable = yes
> >
> > Rowland
> 
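The `#effective:r-x` annotations in the webserver listing above come from the POSIX ACL mask entry: the mask caps the rights of named users, the owning group and named groups, so `group:2000:rwx` under `mask::r-x` grants only `r-x`, and a plain `chmod g-w` on a directory that carries an ACL rewrites that mask rather than the group entry. The following script is an added example, not code from the post or from Samba; it reproduces getfacl's effective-rights computation on a constructed ACL listing (modelled on the one above, with a hypothetical path) so you can see which entries a mask silently reduces before you put a share into production.

```shell
#!/bin/sh
# Added example: compute the effective rights of POSIX ACL entries under the
# mask entry, the way getfacl's "#effective:" column does.

# Constructed getfacl output (hypothetical path), modelled on the post's
# webserver listing: mask::r-x caps the rwx entries below it.
ACL_SAMPLE='# file: var/www/example/www
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:2000:rwx
mask::r-x
other::r-x'

# effective_perms PERMS MASK -> rights that actually apply (bitwise AND of
# the two rwx strings), e.g. effective_perms rwx r-x prints r-x
effective_perms() {
    perms=$1; mask=$2; out=""
    i=1
    while [ "$i" -le 3 ]; do
        p=$(printf '%s' "$perms" | cut -c "$i")
        m=$(printf '%s' "$mask" | cut -c "$i")
        if [ "$p" != "-" ] && [ "$m" != "-" ]; then
            out="$out$p"
        else
            out="$out-"
        fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# masked_entries ACL_TEXT -> one line "<entry>\teffective:<perms>" for every
# access entry the mask reduces. The owner (user::), mask and other entries
# are never subject to the mask; default entries have their own default:mask
# and are skipped here.
masked_entries() {
    acl=$1
    mask=$(printf '%s\n' "$acl" | awk -F: '$1=="mask"{print $3}')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            '#'*|mask::*|other::*|user::*|default:*|'') continue ;;
        esac
        perms=${line##*:}
        eff=$(effective_perms "$perms" "$mask")
        if [ "$eff" != "$perms" ]; then
            printf '%s\teffective:%s\n' "$line" "$eff"
        fi
    done
}

# Stand-alone run: lists the two entries the sample mask reduces.
masked_entries "$ACL_SAMPLE"
```

On the sample this reports `user:root:rwx` and `group:2000:rwx` as effectively `r-x`. If a listing of your own shows the same, the fix is to raise the mask (for example with `setfacl -m m::rwx DIR`) rather than to loosen the group entry, and to remember that subsequent chmod calls on that directory will change the mask again.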