[Samba] Making the home share work with POSIX ACLs
Patrick Goetz
pgoetz at math.utexas.edu
Fri Nov 5 09:50:57 UTC 2021
The Wiki page here:
https://wiki.samba.org/index.php/Windows_User_Home_Folders
states: "When you set up the users share using POSIX access control
lists (ACL), you must create the home folder for each new user manually."
That's simply wrong.
This works, but not quite how I expected. Using RSAT, I go to the user's
Profile tab and enter
Connect: H: \\data2\home\mduffy
As soon as I apply this, the home folder is indeed created:
root@data2:/home# ls
mduffy patrickgoetz pgoetz
(mduffy was not there prior to editing the mduffy Profile using RSAT)
and domain user mduffy has full access:
root@data2:/home# su - mduffy
mduffy@data2:~$ pwd
/home/mduffy
mduffy@data2:~$ touch foo
mduffy@data2:~$ ls -l foo
-rw-rw----+ 1 mduffy domain users 0 Nov 5 03:34 foo
mduffy@data2:~$ rm foo
mduffy@data2:~$ ls
mduffy@data2:~$
However, the permissions are not exactly what I was expecting:
root@data2:/home# getfacl mduffy
# file: mduffy
# owner: root
# group: root
user::rwx
user:root:rwx
user:mduffy:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:mduffy:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:mduffy:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\\administrators:rwx
default:group:mduffy:rwx
default:mask::rwx
default:other::---
It's a bit weird that root owns the user's home folder, but of course
the accompanying POSIX ACLs make this transparent to the user. I think
this is an illustration of what Jeremy Allison meant in a recent post to
the list that Samba goes to great lengths to make both Windows and Linux
users experience expected behavior when using POSIX ACLs on the file
system, and the preceding illustrates this.
As a long-time Linux admin, these permissions are a bit unnerving until
you think about how default Windows filesystem permissions are
structured. Then given that, this is pretty ingenious. Kudos to the
Samba team for thinking this through, but the Wiki page on this is
completely misleading and incorrect.
Originally (because of the incorrect Wiki page on User Home Folders), I
thought I needed to do something like this to make this work:
# cd /
# chmod 770 home
# setfacl -m g:"domain admins":rwx home
but as soon as you let the DC auto-create a user's home folder you
realize Domain Admins isn't even involved in this process; it's a
BUILTIN admin that's in charge.
Aside: the thing about POSIX ACLs that trips up most people (including
me when I first started using them) is the principle of "least
surprise", or whatever they call it. In the example above, you have to
give the root *group* write permission on /home or the *effective*
permissions of Domain Admins in the above end up being r-x, and Domain
Admins won't be able to write to the home folder.
Given this, I'm a bit confused why this ACL:
group:root:---
isn't preventing this one from working properly:
group:BUILTIN\\administrators:rwx
given that:
root@data2:/data/home# ls -ld mduffy
drwxrwx---+ 2 root root 4096 Nov 5 03:34 mduffy
i.e. the primary group on the folder is root.
And, a couple of functional follow-up questions, since I'm not a Windows
guy:
Isn't it normally the case that the Domain Admins group has "full
access" to the entire filesystem? In that case, one would want to do this:
# setfacl -d -m g:"domain admins":rwx my_share_folder
and if there are already files/folders there:
# setfacl -R -m g:"domain admins":rwX my_share_folder
The question is when Windows users subsequently pull up the Security tab
on a file/folder in the my_share_folder, will it show Domain Admins as
having Full Control?
Finally, I don't recall specifying the use of POSIX ACLs in smb.conf
other than this, which I thought applied generically to Windows and POSIX
ACLs:
vfs objects = acl_xattr
For some reason every smb.conf example also shows
map acl inherit = Yes
store dos attributes = Yes
but according to the documentation, these are automatically enforced
when "vfs objects = acl_xattr", so are unnecessary. (That's also a
question.)
How does Samba know I want to use POSIX ACLs?
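
Added example (not part of the original post, and not Samba or kernel code): a small Python model of the access check described in acl(5), run over the access ACL from the getfacl output above. It shows how group:root:--- and the BUILTIN administrators entry interact, and how the mask limits named entries; the user names alice and bob in the test calls are hypothetical.

```python
# Added example: a model of the acl(5) access check, not Samba or kernel code.
# ACL copied from the getfacl output in the post (default: entries omitted).
ACL_TEXT = r"""
# owner: root
# group: root
user::rwx
user:root:rwx
user:mduffy:rwx
group::---
group:root:---
group:BUILTIN\\administrators:rwx
group:mduffy:rwx
mask::rwx
other::---
"""
ADMINS = r"BUILTIN\\administrators"  # spelled exactly as getfacl printed it

def parse(text):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...])."""
    owner = group = None
    entries = []
    for line in text.strip().splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return owner, group, entries

def allowed(text, user, groups, want):
    """True if `user` with group memberships `groups` gets all of `want`."""
    owner, group, entries = parse(text)
    want = set(want)
    perms = lambda tag, q="": [p for t, x, p in entries if t == tag and x == q]
    mask = (perms("mask") or [set("rwx")])[0]   # no mask entry: nothing is masked
    if user == owner:                           # 1. owner: user:: entry, unmasked
        return want <= perms("user")[0]
    if perms("user", user):                     # 2. named user entry, masked
        return want <= perms("user", user)[0] & mask
    matched = [p & mask for t, q, p in entries  # 3. every group entry that matches
               if t == "group" and (q or group) in groups]
    if matched:                                 # one sufficient entry grants access;
        return any(want <= p for p in matched)  # a '---' entry does not veto it
    return want <= perms("other")[0]            # 4. nobody matched: other::
```

The model ignores the superuser, who bypasses these checks through CAP_DAC_OVERRIDE. On a file with an extended ACL, the group column of ls -l shows the mask rather than the owning group's entry.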