[Samba] ACL - samba vs filesystem

Rowland Penny rpenny at samba.org
Thu Jul 19 11:17:35 UTC 2018


On Thu, 19 Jul 2018 11:46:43 +0100
lejeczek via samba <samba at lists.samba.org> wrote:

> On 19/07/18 10:58, Rowland Penny via samba wrote:
> > On Thu, 19 Jul 2018 10:32:04 +0100
> > lejeczek via samba <samba at lists.samba.org> wrote:
> >
> >> hi guys
> >>
> >> my samba share has
> >>
> >> inherit acls = Yes
> >>
> >> and inherits(I guess) from global:
> >>
> >> create mask = 0744
> >> directory mask = 0755
> >>
> >> Now, share's underlying filesystem has acls set on a folder:
> >>
> >> user::rwx
> >> user:me:rwx
> >> user:appmgr:r-x
> >> group::---
> >> mask::rwx
> >> other::---
> >> default:user::rwx
> >> default:user:me:rwx
> >> default:user:appmgr:r-x
> >> default:group::---
> >> default:mask::rwx
> >> default:other::---
> >>
> >> In shell when I create a file in that folder I see:
> >>
> >>
> >> user::rw-
> >> user:me:rwx            #effective:rw-
> >> user:appmgr:r-x            #effective:r--
> >> group::---
> >> mask::rw-
> >> other::---
> >>
> >> but when I make a new file in a Windows client then the shell shows:
> >>
> >> user::rwx
> >> user:me:rwx            #effective:---
> >> user:appmgr:r-x            #effective:---
> >> group::---
> >> mask::---
> >> other::---
> >>
> >> Why is that? Am I missing something in samba's configuration?
> >>
> >> I'm thinking - ideally might be if I got rid of mask but I'm not
> >> sure how.
> >>
> >> many thanks, L.
> >>
> >>
> >>
> > You don't give us much to go on,
> what is it that I did not give out?
> Samba is 4.7.1 on CentOS 7.5

You didn't tell us that before ;-)

> Except for:
>   inherit acls = Yes
> everything is samba vanilla default.

Yes, but what 'vanilla default' ?

I have absolutely no idea just how you are running Samba, is it a Unix
domain member, standalone server or what ?

> One thing though is the shares are off glusterfs directly, so:
> 
> fs objects = glusterfs
> glusterfs:volume = GROUP-WORK
> path = /

Well, that is definitely not a 'vanilla' Samba option.

> 
> and local filesystem is a mount via autofs with acl option.

Again, not a Samba 'vanilla' option, and what 'acl' option?

> 
> >   but I think you are mixing up using
> I fail to see where I'm mixing those up.
> I do not get how creating files, but also folders, gets me different 
> mask/effective between shell and windows clients, eg of a new folder:

I guessed that you are running a Unix domain member and you CANNOT use
POSIX acls and Windows ACLs at the same time, they mess with each other.

This will be POSIX
> 
> shell's mkdir:
> 
> user::rwx
> user:me:rwx
> user:appmgr:r-x
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:user:me:rwx
> default:user:appmgr:r-x
> default:group::---
> default:mask::rwx
> default:other::---
> 

and this will be Windows ACLs

> windows via samba:
> 
> user::rwx
> user:me:rwx            #effective:r-x
> user:appmgr:r-x
> group::---
> mask::r-x
> other::---
> default:user::rwx
> default:user:me:rwx
> default:user:appmgr:r-x
> default:group::---
> default:mask::rwx
> default:other::---
> 
> and parent folder has:
> 
> user::rwx
> user:me:rwx
> user:appmgr:r-x
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:user:me:rwx
> default:user:appmgr:r-x
> default:group::---
> default:mask::rwx
> default:other::---
> 
> Why samba calculates it differently, I fail to get that.

Because you are trying to get Samba (and the OS) to do two things at
once.

Rowland
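
The getfacl listings quoted in this thread can be reproduced with the acl(5) creation rule: a new object's access ACL is the parent's default ACL intersected with the mode the creating process requests, and the group bits of that mode land on the mask entry. This is an added example, not part of the original post and not Samba's code; the modes 0755 and 0700 for the SMB-created objects are assumptions chosen because they reproduce the listings, not values read from Samba.

```python
# Added example: acl(5) creation rule applied to the default ACL from the thread.
PARENT = """\
default:user::rwx
default:user:me:rwx
default:user:appmgr:r-x
default:group::---
default:mask::rwx
default:other::---
"""  # default: entries copied from the parent folder listing in the post

def bits(s):   # "r-x" -> 5
    return sum(4 >> i for i, c in enumerate(s) if c != "-")

def text(n):   # 5 -> "r-x"
    return "".join(c if n & (4 >> i) else "-" for i, c in enumerate("rwx"))

def parse_default_acl(getfacl_text):
    """Return {(tag, qualifier): bits} for the default: entries of getfacl output."""
    acl = {}
    for line in getfacl_text.splitlines():
        line = line.split("#")[0].strip()          # drop "#effective:" comments
        if line.startswith("default:"):
            tag, qual, perm = line[len("default:"):].split(":")
            acl[(tag, qual)] = bits(perm)
    return acl

def create(default_acl, mode):
    """Access ACL of a new object: default ACL intersected with the creating mode.
    With a default ACL present the umask is not applied (acl(5))."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("other", "")] &= mode & 7
    # Group-class bits of the mode limit the mask if there is one, else group::
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_class] &= (mode >> 3) & 7
    return acl

def effective(acl):
    """Named users, the owning group and named groups are capped by the mask."""
    mask = acl.get(("mask", ""), 7)
    return {f"{tag}:{qual}": text(p & mask if tag == "group" or (tag == "user" and qual) else p)
            for (tag, qual), p in acl.items()}

if __name__ == "__main__":
    d = parse_default_acl(PARENT)
    # 0666/0777 are what touch and mkdir request; 0755/0700 are assumed (see lead-in)
    for label, mode in [("touch", 0o666), ("mkdir", 0o777), ("SMB dir?", 0o755), ("SMB file?", 0o700)]:
        print(f"{label:10} {mode:04o}", effective(create(d, mode)))
```

Only the user::, mask and other:: entries are narrowed by the requested mode, so the named-user entries keep their listed rwx/r-x while their effective rights follow the mask.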




