[Samba] ACLs, groups and suid-bit?
harald+samba at arcada.fi
Tue Sep 8 14:45:23 UTC 2020
On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> On 08/09/2020 14:43, Harald Hannelius wrote:
>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>> On 08/09/2020 13:55, Harald Hannelius wrote:
>>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
>>> The 'new and improved way' is to make use of this:
>>> vfs objects = acl_xattr
>> This doesn't say much to me (reading the man-page of smb.conf). Does it
>> mean to store ACLs in the extra attributes in the underlying filesystem?
> Yes, it works like this:
> there is the normal Unix 'ugo' permissions
> Then there are permissions that can be set with setfacl, these are stored in
> an acl
> Finally there are the permissions that are created from Windows which are
> stored in extended attributes.
>>> You set the permissions from Windows, try reading this:
>> If I don't have a Windows computer, can I use setfacl or chmod?
> You could try setfacl
Good, until now I haven't even used ACLs on that filesystem. setgid and chmod
have been enough until now.
>> Can I just stop using ACLs and go back to the old way of reading the
>> permissions from the unix permissions? Users don't know how to, don't have
>> the interest to, or don't want to do this themselves. Nor do I want to
>> manage the ACLs at all, most certainly not through a GUI (on Windows).
> No, you are running an AD domain now.
As per my other reply that (sadly) forked this thread 'nt acl support = No'
and 'inherit permissions = Yes' did exactly what I wanted.
I couldn't understand why files created in a directory with group 'it' and
setgid set didn't get to be owned by the group 'it' but rather by the group
>> I have to test 'inherit permissions (S)' as well.
>> What I want is for new files in the directory to have the same (unix) group
>> ownership as the directory has. And that they have write permission for
>> that unix-group.
> OK, stop using your group, (which raises a question: you have (unix) above,
> does this mean a group in /etc/group or a group in AD with a gidNumber
> attribute ?), use Domain Users instead, all yours are members of Domain
By unix-group I actually meant the group on the filesystem (gidNumber). This
resolves through winbind to an AD-group.
But now I have directories each with their own group, and with the
setgid- and write-bit set. And directories created under this get the
same group ownership as the parent dir, the group write- and setgid bit,
and files created get the group ownership of the parent dir and the group
write bit set.
I think it's best for this implementation to not use ACLs.
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
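Added example, not code from this thread or from the Samba project: a small audit script for the setup Harald ends up with. It reads a constructed smb.conf fragment (the share name `[it]`, the `[legacy]` share and the paths are assumptions) and reports whether a share has `nt acl support = No` together with `inherit permissions = Yes`, and it checks a directory for the setgid and group-write bits that make new files take the directory's group instead of the creating user's primary group. The parser is deliberately minimal; it knows only `[section]` headers, `key = value` lines and `#`/`;` comments, which is enough for a typical smb.conf.

```python
"""Audit helpers for the setgid/group-inheritance model discussed above.
Added example; not part of the Samba mailing list thread or of Samba itself."""
import os
import stat
import tempfile


def parse_smb_conf(text):
    """Minimal smb.conf reader: returns {section: {normalised key: value}}.
    Samba treats parameter names case- and whitespace-insensitively, so keys
    are lower-cased with internal whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def samba_bool(value, default):
    """Samba accepts yes/no, true/false, 1/0 (case-insensitive)."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def share_uses_unix_group_model(sections, share):
    """True when Windows ACLs are off and permissions are inherited from the
    parent directory, i.e. the combination the thread settled on.
    Samba's defaults are 'nt acl support = yes' and 'inherit permissions = no'."""
    params = sections.get(share.lower(), {})
    nt_acl = samba_bool(params.get("nt acl support"), True)
    inherit = samba_bool(params.get("inherit permissions"), False)
    return (not nt_acl) and inherit


def expected_group_of_new_file(dir_mode, dir_gid, process_egid):
    """Linux rule: with the setgid bit on the directory a new file takes the
    directory's group; without it, the creating process's effective gid."""
    return dir_gid if dir_mode & stat.S_ISGID else process_egid


def directory_inherits_group(path):
    """Check the on-disk bits: setgid (group inheritance) and group write
    (members of that group can add files)."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_ISGID) and bool(mode & stat.S_IWGRP)


# Constructed smb.conf fragment; share names and paths are assumptions.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE

[it]
    path = /srv/samba/it
    nt acl support = No
    inherit permissions = Yes
    read only = No

[legacy]
    path = /srv/samba/legacy
    vfs objects = acl_xattr
"""


def demo():
    """Run both checks: the config audit and a live setgid directory test."""
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    results = {"it": share_uses_unix_group_model(conf, "it"),
               "legacy": share_uses_unix_group_model(conf, "legacy")}
    with tempfile.TemporaryDirectory() as tmp:
        share_dir = os.path.join(tmp, "it")
        os.mkdir(share_dir)
        os.chmod(share_dir, 0o2770)  # rwxrws--- : group write + setgid
        results["setgid_dir"] = directory_inherits_group(share_dir)
        new_file = os.path.join(share_dir, "report.txt")
        with open(new_file, "w") as fh:
            fh.write("constructed sample\n")
        results["file_gid_matches_dir"] = (
            os.stat(new_file).st_gid == os.stat(share_dir).st_gid)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
```

Run it against a real share by pointing `parse_smb_conf` at the contents of `/etc/samba/smb.conf` and `directory_inherits_group` at the share's `path`; a directory that passes the bit check but whose share still has the default `nt acl support = yes` will have its Unix group ownership overridden by Windows-side ACL edits, which is exactly the mismatch the thread describes.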