[Samba] Samba, ACLs and 'primary group'...

Rowland penny rpenny at samba.org
Wed Feb 5 11:58:42 UTC 2020


On 05/02/2020 11:39, Marco Gaiarin via samba wrote:
> My previous email on this topic got no answer, so I will try to explain
> myself better.
>
>
> The problem.
>
> Simply put, in my previous Samba NT-mode domains I was (ab)used to having
> files created with the group owner set to the UNIX primary group; now, in
> AD, files get created group-owned by the Windows primary group, e.g.
> 'Domain Users'.
> This simply 'breaks' most of my ACL setup.
>
>
> I've read:
> 	https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
> 	https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> but many things still do not 'match' my experience.
>
>
> First, it seems to me that this is not a 'black or white' thing (i.e.
> POSIX or Windows ACLs); there is still some 'gray zone' where things are
> different. For example, in my main share I have (coming directly from
> the NT setup):
>
>   [Media]
> 	comment = Contenuti Multimediali
> 	map acl inherit = Yes
> 	path = /srv/media
> 	read only = No
> 	store dos attributes = Yes
> 	vfs objects = acl_xattr
> 	volume = Media
>
> so my setup seems to be 'Windows ACLs', but I still have 'CREATOR OWNER'
> and 'CREATOR GROUP'.
>
>
> Second, closely related to the first, it seems to me that the real
> difference between 'POSIX' and 'Windows' ACLs is not only the 'acl_xattr'
> module, but also how ACLs are synthesized, e.g. 'acl_xattr:default acl
> style' and/or 'acl_xattr:ignore system acls'.
>
>
> So, as far as I've understood, at least three options exist:
>
> a) POSIX-only, i.e. the 'acl_xattr' VFS object NOT loaded.
>
> b) Windows-only, i.e.:
> 	vfs objects = acl_xattr
> 	acl_xattr:ignore system acls = yes
> 	acl_xattr:default acl style = windows
>
> c) 'gray zone': Samba (tries to) synthesize Windows ACLs into POSIX ACLs
>   as a best effort: the 'acl_xattr' VFS object is loaded, but the default
>   ACL style is set to posix.
>
>
> So, coming back to my 'problem' (i.e. preventing new files/folders from
> being created group-owned by 'Domain Users'), it seems to me I have only
> two ways to solve that:
>
> 1) switch to Windows-only ACLs, so I don't have 'CREATOR GROUP'; I also
>   have some Linux workstations, so I'm a bit 'scared' of this...
>
> 2) set the 'SGID' bit on the directory, so files are created 'parent dir
>   group owned' and not 'primary group owned'.
>
>
> Am I totally wrong? Thanks.
>
Do you have ANY Windows clients?

If the answer is yes, then you need to follow the 'Setting up a share 
using Windows ACLs' page and make your Linux clients work with this.

If the answer is no, then you can follow the POSIX ACLs page.

Do not try to mix the two.

Rowland
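Option 2 in the quoted message, the setgid bit on the share directory, is plain filesystem behaviour and can be checked without Samba. The script below is an added example written for this page; it is not code from either poster or from the Samba project. It creates a scratch directory with mktemp, sets the setgid bit, then checks that a new file and a new subdirectory take the directory's group rather than the creating process's primary group, and that the subdirectory inherits the bit, which is what lets the effect carry down a share tree on Linux. It assumes a Linux host with the usual ls, awk, cut and id; the scratch directory, the choice of a supplementary group and the helper names are the example's own. It shows only what the kernel does with group ownership, not how Samba's acl_xattr settings from the two wiki pages change what a client sees, which is the point of Rowland's reply.

```shell
#!/bin/sh
# Added example (not from the original thread): demonstrate what a setgid
# (SGID) directory does to the group of newly created entries. With the
# bit set, new files take the directory's group instead of the creator's
# primary group, and new subdirectories also inherit the bit on Linux.

# Numeric gid of a path. ls -n prints numeric ids on both GNU and BSD ls,
# so this avoids the GNU-vs-BSD stat(1) syntax split.
path_gid() {
    ls -ldn "$1" | awk '{print $4}'
}

# Return 0 if the group-execute slot of the mode string shows setgid
# ("drwxrws---": character 7 is 's', or 'S' when group-execute is unset).
has_setgid() {
    mode=$(ls -ld "$1" | awk '{print $1}')
    case "$(printf '%s' "$mode" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Build a scratch "share root", mark it setgid, create a file and a
# subdirectory inside it and report whether both took the root's group
# (and the subdirectory the bit). Prints "inherited" or "not-inherited";
# returns 0 when everything was inherited.
demo_sgid_inheritance() {
    root=$(mktemp -d) || return 2
    # If the caller belongs to a supplementary group, hand the scratch
    # directory to that group so the test is meaningful (directory group
    # differs from the primary group). With a single group the check
    # still runs, it just cannot tell the two apart.
    for g in $(id -G); do
        if [ "$g" != "$(id -g)" ]; then
            chgrp "$g" "$root" 2>/dev/null && break
        fi
    done
    chmod 2770 "$root"            # rwxrws--- : setgid on the directory
    : > "$root/newfile"           # a file created by this process
    mkdir "$root/newdir"          # a subdirectory created by this process
    dir_gid=$(path_gid "$root")
    ok=0
    [ "$(path_gid "$root/newfile")" = "$dir_gid" ] || ok=1
    [ "$(path_gid "$root/newdir")" = "$dir_gid" ]  || ok=1
    has_setgid "$root/newdir"                       || ok=1
    rm -rf "$root"
    if [ "$ok" -eq 0 ]; then echo inherited; else echo not-inherited; fi
    return "$ok"
}

# Usage: run the script; on a Linux filesystem it prints "inherited".
demo_sgid_inheritance
```

Run it as the account that will own the share data and, if possible, while that account is a member of more than one group, so that the directory's group really differs from the primary group and the result is not trivially true. Applying the same `chmod g+s` to an existing tree needs a `find ... -type d -exec chmod g+s {} +` pass, since the bit only propagates to directories created after it was set.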