[Samba] Standalone server and POSIX ACL issues (new one)

subscriptions subscriptions at renuecomputers.com
Fri Aug 9 20:32:51 UTC 2019


On 8/9/19 3:18 PM, Yvan Masson via samba wrote:
> Hi list,
>
> For testing purposes, I am running a standalone Samba 4.9.5 on Debian 
> with the following smb.conf:
>
> [global]
> server role = standalone server
> map to guest = Bad User
> guest account = nobody
>
> [test]
> path = /home/yvan/Partage/share
> guest ok = yes
> writable = yes
> inherit acls = yes
>
>
> I want "bob", "alice" and guest user to have full access to all files 
> in this share, so I made /home/yvan/share with the following ACL:
> $ getfacl share
> # file: share
> # owner: root
> # group: root
> user::rwx
> user:bob:rwx
> user:alice:rwx
> user:nobody:rwx
> group::r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:bob:rwx
> default:user:alice:rwx
> default:user:nobody:rwx
> default:group::---
> default:mask::rwx
> default:other::---
>
>
> I have two issues with this setup that I could not solve after many 
> hours:
>
> 1. I can mount the share as guest but then can't read its content, 
> although local access works fine (for example with `$ sudo -u nobody 
> touch /home/yvan/share/foo`).
>
> 2. If user "bob" or "alice" creates a directory or a file, the ACL mask is 
> not "rwx" but "r-x" for directories and "r--" for files (which 
> restricts effective rights). All other ACLs are correct. Note that when 
> creating files or directories locally, the ACL mask is properly set up to 
> "rwx".
>
> Any idea is really welcome!
>
> Best regards,
> Yvan
>
Yvan,

What I do is create two groups. The first group has full access. The other 
group has the normal permissions besides Bob and Alice.

I think it gives you better control over the users. They come and go, so 
it's easier to drop them from one group and add them to another.

IMHO
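
Added example, not part of either message above: a small Python parser for getfacl-style text that computes effective rights the way the ACL mask applies them, which is the effect described in issue 2 of the quoted post. The sample ACL and the names `parse_acl` and `effective_rights` are constructed for this illustration.

```python
# Constructed sample: ACL of a directory created over SMB by bob, as the
# quoted post describes it (entries inherited correctly, mask r-x, not rwx).
SAMPLE_DIR_ACL = """\
# file: share/newdir
# owner: bob
# group: bob
user::rwx
user:bob:rwx
user:alice:rwx
user:nobody:rwx
group::---
mask::r-x
other::---
"""

def parse_acl(text):
    """Return [(tag, qualifier, perms)] for the access ACL (defaults skipped)."""
    entries = []
    for line in text.splitlines():
        # Drop header comments and getfacl's trailing "#effective:..." notes.
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms[:3]))
    return entries

def effective_rights(text):
    """Map 'tag:qualifier' to the rights left after the mask is applied."""
    entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # The mask limits named users, named groups and the owning group.
        # The file owner (user::) and other:: are never filtered by it.
        masked = (tag == "user" and qualifier != "") or tag == "group"
        if mask is not None and masked:
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        result[f"{tag}:{qualifier}"] = perms
    return result

if __name__ == "__main__":
    for who, perms in effective_rights(SAMPLE_DIR_ACL).items():
        print(f"{who:<14} {perms}")
```

With the mask at `r-x`, every named user entry loses write access even though its own entry reads `rwx`; only the owner entry `user::` keeps it.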



