[Samba] "missing security tab" and related ACL issues
Rowland Penny
rpenny at samba.org
Fri Nov 9 16:13:32 UTC 2018
On Fri, 9 Nov 2018 15:39:55 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 09.11.18 at 09:06, Stefan G. Weichinger via samba wrote:
>
> > We still saw no security tab for samba shares in Windows. Not as
> > domain-admin, not as member of a user with the needed privilege.
> >
> > The security tab is there for local drives and
> > windows-server-shares, only samba-4.8.6-shares miss it.
> >
> > I will recheck everything ...
>
>
>
> # smbd -b | grep HAVE_LIBACL
> HAVE_LIBACL
> samba ~ # testparm -sv | grep -i acl
>
> Server role: ROLE_DOMAIN_MEMBER
>
> acl allow execute always = Yes
> acl check permissions = Yes
> acl group control = No
> acl map full control = Yes
> force unknown acl user = Yes
> inherit acls = No
> map acl inherit = Yes
> nt acl support = No
> vfs objects = acl_xattr full_audit
> acl map full control = No
> acl map full control = No
>
> interesting, 3 lines with "acl map full control"
>
> I have 2 shares with "acl map full control = No"
>
> is it possible that this is somehow read serially and influences
> shares below as well? I know that behavior from other software.
>
No, the parameters set on a share only affect that share, and they
override global settings.

Can I make some suggestions?

If this isn't in [global], move it there:

    map acl inherit = Yes

Remove these lines wherever they occur, they are default settings:

    acl check permissions = Yes
    acl group control = No
    acl map full control = Yes
    inherit acls = No

I would remove these, I am sure you don't really need them:

    force unknown acl user = Yes
    nt acl support = No
    acl map full control = No

I would also remove this line, as you have it set, any executable can
be run, even if it isn't set as an executable:

    acl allow execute always = Yes

If you have any concerns about removing these lines, I suggest you
read 'man smb.conf', I think you will see why I suggest removing the
lines ;-)

Rowland
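
Added illustration, not part of the original message and not Samba code: a small Python helper that resolves the precedence described in the reply (share value, then [global], then default) and flags the lines the reply would drop. The sample smb.conf and the names `parse`, `effective` and `audit` are constructed for this example, and the only defaults it knows are the four stated in the reply; `testparm` remains the authoritative view of a real configuration.

```python
# From the reply above: stated defaults, and non-default lines it would drop.
STATED_DEFAULTS = {"acl check permissions": "yes", "acl group control": "no",
                   "acl map full control": "yes", "inherit acls": "no"}
SUGGESTED_REMOVALS = {"force unknown acl user": "yes", "nt acl support": "no",
    "acl map full control": "no", "acl allow execute always": "yes"}
BOOL = {"true": "yes", "1": "yes", "false": "no", "0": "no"}  # other spellings
# Constructed sample, not the poster's real smb.conf.
SAMPLE = """[global]
map acl inherit = Yes
acl check permissions = Yes
nt acl support = No
[data]
acl map full control = No
[scans]
acl map full control = false
[public]
"""

def parse(text):
    """Simplified reader (no includes/continuations); names are case-folded."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif section is not None and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            name, value = " ".join(name.lower().split()), value.strip()
            if name in STATED_DEFAULTS or name in SUGGESTED_REMOVALS:
                value = BOOL.get(value.lower(), value.lower())  # booleans only
            section[name] = value
    return conf

def effective(conf, share, name):
    """Share value wins, then [global], then a stated default (else None)."""
    fallback = conf.get("global", {}).get(name, STATED_DEFAULTS.get(name))
    return conf.get(share.lower(), {}).get(name, fallback)

def audit(conf):
    """Return (section, name, value, note) for lines that could be removed."""
    findings = []
    for section, params in conf.items():
        for name, value in params.items():
            inherited = (STATED_DEFAULTS.get(name) if section == "global"
                         else effective(conf, "global", name))
            if value == inherited:
                findings.append((section, name, value, "redundant"))
            elif SUGGESTED_REMOVALS.get(name) == value:
                findings.append((section, name, value, "review"))
    return findings
```

A "redundant" finding means deleting the line leaves the effective value unchanged; a "review" finding is a non-default setting the reply recommends removing.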