[Samba] Fwd: Re: Fwd: Extended acls with AD - problem with default/herited permissions
Dale
samba at txschroeder.family
Mon Dec 10 19:33:12 UTC 2018
Edouard,
No, that won't work for you. "inherit acls" is intended for POSIX ACLs.
Since you are using Windows ACLs, try setting the
permissions/inheritance you want from a Windows system.
Dale
On 12/10/18 12:40 PM, Edouard Guigné wrote:
>
> Hello Dale,
>
> Setting inherit acls = yes locally on my share "groups", and removing map acl
> inherit = yes from the global parameters of smb.conf, does not solve my issue.
> I still have the acl "Domain Users" added to new folders/files.
>
> As I wrote in my previous email, the only way I found to prevent the acl
> "Domain Users" from being added was with:
> inherit owner = yes
>
> With some disadvantages for users (not seeing the ownership of a file, etc.)
>
> I do not know where to look...
>
> Edouard
>
> -------- Forwarded Message --------
> Subject: Re: [Samba] Fwd: Extended acls with AD - problem with
> default/herited permissions
> Date: Mon, 10 Dec 2018 15:29:42 -0300
> From: Edouard Guigné <eguigne at pasteur-cayenne.fr>
> To: Dale <samba at txschroeder.family>
> Cc: samba at lists.samba.org
>
>
>
> Hello Dale,
>
> I set map acl inherit = yes in global parameters of smb.conf
> and set inherit owner = yes locally to my share "groups" of smb.conf
>
> I have followed the wiki
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> It is indicated :
> "To configure shares using extended access control lists (ACL), you
> must enable the support in the smb.conf file. To enable extended ACL
> support globally, add the following settings to the [global] section
> of your smb.conf file:
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes"
>
> Do you mean I should try to add :
> inherit acls = yes locally to my share "groups" ?
>
> Should I remove map acl inherit = yes from global parameters of smb.conf ?
>
>
> Edouard
>
> On 10/12/2018 at 14:58, Dale wrote:
>> Edouard,
>>
>> These are the 4 available parameters containing the word "inherit".
>>
>> inherit acls (S)
>> inherit owner (S)
>> inherit permissions (S)
>> map acl inherit (S)
>>
>>
>> Would "inherit acls" work for you?
>>
>> Dale
>>
>>
>> On 12/10/18 10:56 AM, Edouard Guigné via samba wrote:
>>> Hello,
>>>
>>> I add to my previous mail, the only way I found to prevent the acl
>>> "Domain Users" from being added is with:
>>>
>>> inherit owner = yes
>>>
>>> This has the advantage of copying exactly the default acl defined on
>>> the parent folder.
>>> But this has the disadvantage of not showing which user has created a
>>> folder/file and the ownership.
>>>
>>> Does something like "inherit group owner = yes" exist ?
>>> chmod g+s has no effect on my configuration.
>>>
>>> Best Regards,
>>>
>>> EdG
>>>
>>>
>>>
>>> -------- Forwarded Message --------
>>> Subject: Extended acls with AD - problem with default/herited
>>> permissions
>>> Date: Mon, 10 Dec 2018 10:47:20 -0300
>>> From: Edouard Guigné <eguigne at pasteur-cayenne.fr>
>>> To: samba at lists.samba.org
>>>
>>>
>>>
>>> Hello,
>>>
>>> I set up a share on a samba 4.7.1 domain member with an Active
>>> Directory controller; this share is used by all domain users.
>>>
>>> All users from the AD domain have a primary group "Domain Users",
>>> and secondary groups to filter access on the folders of the share.
>>> I noticed that when a user creates a sub-folder/file inside a "Top
>>> folder", the default permissions from the "Top folder" are well
>>> inherited, but the acl "Domain Users" is always added.
>>>
>>> I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about
>>> this.
>>> So I made a test with "acl_xattr:ignore system acls = yes" in my
>>> smb.conf; but it seems to disable extended acls on some folders...
>>> This is not a solution.
>>>
>>> I also tried chmod g+s on "Top folders", but the other acl "Domain
>>> Users" is still added.
>>>
>>> I think something is bad in my smb.cfg, below is the result of
>>> testparm :
>>>
>>> # Global parameters
>>> [global]
>>> client max protocol = SMB3
>>> client min protocol = SMB2
>>> client signing = required
>>> disable spoolss = Yes
>>> domain master = No
>>> kerberos method = secrets and keytab
>>> load printers = No
>>> local master = No
>>> log file = /var/log/samba/%m.log
>>> name resolve order = wins bcast host lmhosts
>>> preferred master = No
>>> printcap name = /dev/null
>>> realm = IPGAD.PASTEUR-CAYENNE.FR
>>> security = ADS
>>> server signing = required
>>> winbind nss info = rfc2307
>>> workgroup = IPGAD
>>> idmap config ipgad : unix_primary_group = yes
>>> idmap config ipgad : unix_nss_info = yes
>>> idmap config ipgad : range = 1-14999
>>> idmap config ipgad : schema_mode = rfc2307
>>> idmap config ipgad : backend = ad
>>> idmap config * : range = 15000-99999
>>> idmap config * : backend = tdb
>>> cups options = raw
>>> hosts allow = 127. 10.9.8.
>>> hosts deny = 10.9.9.
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>> use sendfile = Yes
>>> vfs objects = acl_xattr
>>>
>>>
>>> [groups]
>>> comment = jaguar2
>>> path = /var/datashared
>>> read only = No
>>> valid users = "@utilisateurs du
>>> domaine at IPGAD.PASTEUR-CAYENNE.FR"
>>> vfs objects = acl_xattr streams_xattr shadow_copy2
>>> shadow:format = daily_%Y.%m.%d-%H.%M.%S
>>> shadow:localtime = yes
>>> shadow:sort = desc
>>> shadow:basedir = /var/datashared
>>> shadow:snapdir = /data/datashared/snapshots
>>>
>>>
>>> [homes]
>>> browseable = No
>>> comment = Home Directories
>>> create mask = 0700
>>> directory mask = 0700
>>> hide files = /~*.tmp/profile/desktop.ini/~$*/
>>> path = /home
>>> read only = No
>>> valid users = "@utilisateurs du
>>> domaine at IPGAD.PASTEUR-CAYENNE.FR"
>>>
>>> May you help me to understand/solve the situation ?
>>>
>>> EdG
>>>
>>
>>
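
An added example, not part of the original messages: a small audit that reads testparm-style output and reports, per share, the effective value of the four "inherit" parameters listed in the thread and whether acl_xattr is loaded. SAMPLE is a constructed excerpt modelled on the configuration posted above; the "no" defaults and the rule that share-level settings override [global] are taken from smb.conf(5).

```python
# Added example: SAMPLE is a constructed excerpt modelled on the thread's testparm output.
SAMPLE = """\
[global]
    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr

[groups]
    path = /var/datashared
    vfs objects = acl_xattr streams_xattr shadow_copy2

[homes]
    path = /home
    create mask = 0700
"""

# The four "inherit" parameters listed in the thread; each defaults to "no".
INHERIT_PARAMS = ("inherit acls", "inherit owner",
                  "inherit permissions", "map acl inherit")

def parse_sections(text):
    """Return {section: {param: value}}; names are lower-cased, spacing normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def effective_inherit(text):
    """Per share: effective bool for each inherit parameter, plus acl_xattr presence."""
    sections = parse_sections(text)
    glob = sections.get("global", {})
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue
        merged = {**glob, **params}  # share-level values override [global]
        row = {p: merged.get(p, "no").lower() in ("yes", "true", "1")
               for p in INHERIT_PARAMS}
        row["acl_xattr"] = "acl_xattr" in merged.get("vfs objects", "").split()
        report[name] = row
    return report

if __name__ == "__main__":
    for share, row in effective_inherit(SAMPLE).items():
        print(share, row)
```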