[Samba] Fwd: Re: Fwd: Extended acls with AD - problem with default/inherited permissions
Edouard Guigné
eguigne at pasteur-cayenne.fr
Tue Dec 11 15:42:03 UTC 2018
Hello Dale,
Thank you, I set permissions/inheritance from a Windows system, and now
the acl "Domain Users" is set to --- by default.
With your help, I succeeded in resolving my issue, and furthermore I can now
see and correct some errors in the acls on the share.
Many thanks,
Edouard
On 10/12/2018 at 16:33, Dale wrote:
> Edouard,
>
> No, that won't work for you. "inherit acls" is intended for posix ACL's.
>
> Since you are using Windows ACL's, try setting the
> permissions/inheritance you want from a Windows system.
>
> Dale
>
>
> On 12/10/18 12:40 PM, Edouard Guigné wrote:
>>
>> Hello Dale,
>>
>> Setting inherit acls = yes locally in my share "groups", and removing map acl
>> inherit = yes from the global parameters of smb.conf, does not solve my issue.
>> I still have the acl "Domain Users" added to new folders/files.
>>
>> As I wrote in my previous email, the only way I found to stop the acl
>> "Domain Users" from being added was with:
>> inherit owner = yes
>>
>> With some disadvantages for users (not seeing the ownership of a file, etc.)
>>
>> I do not know where to look...
>>
>> Edouard
>>
>> -------- Forwarded Message --------
>> Subject: Re: [Samba] Fwd: Extended acls with AD - problem with
>> default/inherited permissions
>> Date: Mon, 10 Dec 2018 15:29:42 -0300
>> From: Edouard Guigné <eguigne at pasteur-cayenne.fr>
>> To: Dale <samba at txschroeder.family>
>> Cc: samba at lists.samba.org
>>
>>
>>
>> Hello Dale,
>>
>> I set map acl inherit = yes in the global parameters of smb.conf
>> and set inherit owner = yes locally in my share "groups" in smb.conf
>>
>> I have followed the wiki
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> It says:
>> "To configure shares using extended access control lists (ACL), you
>> must enable the support in the smb.conf file. To enable extended
>> ACL support globally, add the following settings to the [global]
>> section of your smb.conf file:
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes"
>>
>> Do you mean I should try to add
>> inherit acls = yes locally in my share "groups"?
>>
>> Should I remove map acl inherit = yes from the global parameters of
>> smb.conf?
>>
>>
>> Edouard
>>
>> On 10/12/2018 at 14:58, Dale wrote:
>>> Edouard,
>>>
>>> These are the 4 available parameters containing the word "inherit".
>>>
>>> inherit acls (S)
>>> inherit owner (S)
>>> inherit permissions (S)
>>> map acl inherit (S)
>>>
>>>
>>> Would "inherit acls" work for you?
>>>
>>> Dale
>>>
>>>
>>> On 12/10/18 10:56 AM, Edouard Guigné via samba wrote:
>>>> Hello,
>>>>
>>>> To add to my previous mail, the only way I found to stop the acl
>>>> "Domain Users" from being added is with:
>>>>
>>>> inherit owner = yes
>>>>
>>>> This has the advantage of copying exactly the default acl defined on
>>>> the parent folder.
>>>> But it has the disadvantage of not showing which user created a
>>>> folder/file, nor the ownership.
>>>>
>>>> Does something like "inherit group owner = yes" exist?
>>>> chmod g+s has no effect on my configuration.
>>>>
>>>> Best Regards,
>>>>
>>>> EdG
>>>>
>>>>
>>>>
>>>> -------- Forwarded Message --------
>>>> Subject: Extended acls with AD - problem with default/inherited
>>>> permissions
>>>> Date: Mon, 10 Dec 2018 10:47:20 -0300
>>>> From: Edouard Guigné <eguigne at pasteur-cayenne.fr>
>>>> To: samba at lists.samba.org
>>>>
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I set up a share on a Samba 4.7.1 domain member with an Active
>>>> Directory controller; this share is used by all domain users.
>>>>
>>>> All users from the AD domain have a primary group "Domain Users",
>>>> and secondary groups to filter access to the folders of the share.
>>>> I noticed that when a user creates a sub-folder/file inside a "Top
>>>> folder", the default permissions from the "Top folder" are correctly
>>>> inherited, but the acl "Domain Users" is always added.
>>>>
>>>> I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about
>>>> this.
>>>> So I made a test with "acl_xattr:ignore system acls = yes" in my
>>>> smb.conf, but it seems to disable extended acls on some folders...
>>>> This is not a solution.
>>>>
>>>> I also tried chmod g+s on "Top folders", but the acl "Domain
>>>> Users" is still added.
>>>>
>>>> I think something is wrong in my smb.conf; below is the result of
>>>> testparm:
>>>>
>>>> # Global parameters
>>>> [global]
>>>> client max protocol = SMB3
>>>> client min protocol = SMB2
>>>> client signing = required
>>>> disable spoolss = Yes
>>>> domain master = No
>>>> kerberos method = secrets and keytab
>>>> load printers = No
>>>> local master = No
>>>> log file = /var/log/samba/%m.log
>>>> name resolve order = wins bcast host lmhosts
>>>> preferred master = No
>>>> printcap name = /dev/null
>>>> realm = IPGAD.PASTEUR-CAYENNE.FR
>>>> security = ADS
>>>> server signing = required
>>>> winbind nss info = rfc2307
>>>> workgroup = IPGAD
>>>> idmap config ipgad : unix_primary_group = yes
>>>> idmap config ipgad : unix_nss_info = yes
>>>> idmap config ipgad : range = 1-14999
>>>> idmap config ipgad : schema_mode = rfc2307
>>>> idmap config ipgad : backend = ad
>>>> idmap config * : range = 15000-99999
>>>> idmap config * : backend = tdb
>>>> cups options = raw
>>>> hosts allow = 127. 10.9.8.
>>>> hosts deny = 10.9.9.
>>>> map acl inherit = Yes
>>>> store dos attributes = Yes
>>>> use sendfile = Yes
>>>> vfs objects = acl_xattr
>>>>
>>>>
>>>> [groups]
>>>> comment = jaguar2
>>>> path = /var/datashared
>>>> read only = No
>>>> valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
>>>> vfs objects = acl_xattr streams_xattr shadow_copy2
>>>> shadow:format = daily_%Y.%m.%d-%H.%M.%S
>>>> shadow:localtime = yes
>>>> shadow:sort = desc
>>>> shadow:basedir = /var/datashared
>>>> shadow:snapdir = /data/datashared/snapshots
>>>>
>>>>
>>>> [homes]
>>>> browseable = No
>>>> comment = Home Directories
>>>> create mask = 0700
>>>> directory mask = 0700
>>>> hide files = /~*.tmp/profile/desktop.ini/~$*/
>>>> path = /home
>>>> read only = No
>>>> valid users = "@utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR"
>>>>
>>>> Could you help me understand/solve the situation?
>>>>
>>>> EdG
>>>>
>>>
>>>
>
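As an added example (not code from the thread or from the Samba project), a small checker that parses a testparm dump like the one quoted above and reports, per share, whether the settings the wiki calls for with Windows ACLs (acl_xattr, map acl inherit, store dos attributes) are in effect, and whether the inherit owner workaround discussed in the thread is active. The testparm text inside it is constructed, and it assumes Samba's usual precedence that a share-level value overrides [global].

```python
import re

# Constructed sample in the shape of a testparm dump (not the poster's file).
SAMPLE_TESTPARM = """\
[global]
    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr
[groups]
    inherit owner = yes
    vfs objects = acl_xattr streams_xattr shadow_copy2
[homes]
    vfs objects = streams_xattr
"""

def parse_testparm(text):
    """Return {section: {key: value}}; keys lower-cased, values verbatim."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep and section is not None:
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def effective(conf, share, key, default="no"):
    """Share value wins over [global]; a share's vfs objects replaces the global list."""
    return conf.get(share, {}).get(key, conf.get("global", {}).get(key, default))

def audit_share(conf, share):
    """Return the list of findings for one share (empty means OK)."""
    findings = []
    if "acl_xattr" not in effective(conf, share, "vfs objects", "").split():
        findings.append("acl_xattr missing from vfs objects")
    for key in ("map acl inherit", "store dos attributes"):
        if not is_yes(effective(conf, share, key)):
            findings.append(f"{key} is not enabled")
    if is_yes(effective(conf, share, "inherit owner")):
        findings.append("inherit owner = yes hides who created each file")
    return findings
```

Run it against `testparm -s` output on a domain member to list, share by share, which of the wiki's settings are missing before touching ACLs from Windows.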