[Samba] "missing security tab" and related ACL issues

Rowland Penny rpenny at samba.org
Fri Nov 9 16:13:32 UTC 2018


On Fri, 9 Nov 2018 15:39:55 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 09.11.18 at 09:06, Stefan G. Weichinger via samba wrote:
> 
> > We still saw no security tab for samba shares in Windows. Not as
> > domain-admin, not as member of a user with the needed privilege.
> > 
> > The security tab is there for local drives and
> > windows-server-shares, only samba-4.8.6-shares miss it.
> > 
> > I will recheck everything ...
> 
> 
> 
> # smbd -b | grep HAVE_LIBACL
>    HAVE_LIBACL
> samba ~ # testparm -sv | grep -i acl
> 
> Server role: ROLE_DOMAIN_MEMBER
> 
> 	acl allow execute always = Yes
> 	acl check permissions = Yes
> 	acl group control = No
> 	acl map full control = Yes
> 	force unknown acl user = Yes
> 	inherit acls = No
> 	map acl inherit = Yes
> 	nt acl support = No
> 	vfs objects = acl_xattr full_audit
> 	acl map full control = No
> 	acl map full control = No
> 
> interesting, 3 lines with "acl map full control"
> 
> I have 2 shares with "acl map full control = No"
> 
> is it possible that this is somehow read serially and influences
> shares below as well? I know that behavior from other software.
> 

No, the parameters set on a share only affect that share, and they
override global settings.

Can I make some suggestions?

If this isn't in [global], move it there:

        map acl inherit = Yes

Remove these lines wherever they occur, they are default settings:

	acl check permissions = Yes
	acl group control = No
	acl map full control = Yes
	inherit acls = No

I would remove these, I am sure you don't really need them:

	force unknown acl user = Yes
	nt acl support = No
	acl map full control = No

I would also remove this line; as you have it set, any executable can
be run, even if it isn't set as an executable:

	acl allow execute always = Yes

If you have any concerns about removing these lines, I suggest you
read 'man smb.conf', I think you will see why I suggest removing the
lines ;-)

Rowland
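
The two points in the message above (a share-level parameter overrides [global] for that share only, and several of the listed lines are defaults or advised for removal), as an added example that is not part of the original message or Samba's own code: a small Python audit over a constructed smb.conf. The function names, the sample shares and the simplification that booleans are written only as Yes/No are assumptions.

```python
# Added example: audit ACL-related smb.conf parameters per section.
# DEFAULTS holds the four values the message above calls defaults.
DEFAULTS = {"acl check permissions": "yes", "acl group control": "no",
            "acl map full control": "yes", "inherit acls": "no"}
# Non-default settings the message advises removing.
ADVISED_REMOVE = {
    ("acl allow execute always", "yes"): "files run even if not set executable",
    ("nt acl support", "no"): "advised removal",
    ("force unknown acl user", "yes"): "advised removal",
    ("acl map full control", "no"): "advised removal",
}

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, space-normalised names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def effective(sections, share, param):
    """Share value wins over [global]; [global] wins over the default."""
    for scope in (share, "global"):
        if param in sections.get(scope, {}):
            return sections[scope][param], scope
    return DEFAULTS.get(param), "default"

def audit(sections):
    """List (section, parameter, reason) for lines the message would remove."""
    findings = []
    for scope, params in sections.items():
        for key, value in params.items():
            if DEFAULTS.get(key) == value.lower():
                findings.append((scope, key, "same as default, redundant"))
            elif (key, value.lower()) in ADVISED_REMOVE:
                findings.append((scope, key, ADVISED_REMOVE[(key, value.lower())]))
    return findings

# Constructed sample configuration (not the poster's real file).
SAMPLE = ("[global]\n  map acl inherit = Yes\n  acl allow execute always = Yes\n"
          "  nt acl support = No\n  inherit acls = No\n"
          "[data1]\n  path = /srv/data1\n  acl map full control = No\n"
          "[public]\n  path = /srv/public\n")
```

Calling `effective(parse_smb_conf(SAMPLE), "public", "acl map full control")` shows that the `No` set on `[data1]` does not carry over to the share defined after it.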
 


