[Samba] Samba, ACLs and 'primary group'...

Marco Gaiarin gaio at sv.lnf.it
Wed Feb 5 11:39:57 UTC 2020 

My previous email on this topic get no answer, i try to explain me
better.


The problem.

Simply i was (ab)used, in my previous samba NT-mode domains, to have
file created with the group-owner as the UNIX primary group; now, in
AD, files get created group-owned by Windows primary group, eg 'Domain
Users'.
This simply 'breaks' most of my ACLs setup.


I've read:
	https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
	https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

but still many things does not 'match' with my experience.


First, seems to me that there's no a 'black or white' things (eg: POSIX
or Windows ACL) but still there's some 'gray zone' where things are
different. For example, in my main share i have (directly caming from
NT setup):

 [Media]
	comment = Contenuti Multimediali
	map acl inherit = Yes
	path = /srv/media
	read only = No
	store dos attributes = Yes
	vfs objects = acl_xattr
	volume = Media

so my setup seems a 'Windows ACL', but still i have 'CREATOR OWNER' and
'CREATOR GROUP'.


Second, in intimacy with the first, seems to me that the real
differences between 'POSIX' and 'Windows' ACL is not only 'acl_xattr'
module, but also how ACL are sytetized, eg 'acl_xattr:default acl
style' and/or 'acl_xattr:ignore system acls'.


So, AFAI've understood, at least three options exist:

a) POSIX-only, eg vfs objects 'acl_xattr' NOT loaded.

b) Windows-only, eg:
	vfs objects = acl_xattr
	acl_xattr:ignore system acls = yes
	acl_xattr:default acl style = windows

c) 'gray zone': samba (try to) synthetize windows ACL in POSIX ACL, as
 a best effort: vfs objects 'acl_xattr' loaded, but default ACL style
to posix.


So, caming back to my 'problem' (eg: prevent new file/folder created be
group-owned by 'Domain Users'), seems to me i have only two way to
solve that:

1) switch to windows only ACL, so i don't have 'CREATOR GROUP'; i have
 also some Linux workstation, i'm a bit 'scared' of this...

2) set 'SGID' bit on directory, so files get created 'parent dir owned'
 and not 'primary group owned'.


I'm totally wrong? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list