[Samba] windows acls

Rowland Penny rpenny at samba.org
Tue Dec 13 18:45:03 UTC 2022 


On 13/12/2022 18:19, Peter Carlson via samba wrote:
> I am seeing some weird problems with windows acls
> 
> At the share (public for all users) I have:
> 
>   * root (Unix User\root) : Full control
>   * root (Unix Group\root) : Full control
>   * Everyone : Full Control
>   * CREATOR OWNER : Full Control
>   * CREATOR GROUP : Read & execute
>   * Everyone : Read & execute
>   * Domain Users : Full Control
> 
> Inheritance is disabled (button in Computer Management\System 
> Tools\Shared Folders\Shares shows "Enable Inheritance")
> 
> When I look at one of the folders in the share (mounted at P:\) I see:
> 
>   * S-1-5-21-185628584-2620904409-2800336372-1105 : Full Control :
>     Inherited From P:\ : This folder only
>   * CREATOR OWNER : Full Control : Inherited From P:\ : Subfolders and
>     files only
>   * Domain Admins : Read & execute : Inherited From P:\ : This folder only
>   * CREATOR GROUP : Read & execute : Inherited From P:\ : Subfolders and
>     files Only
>   * Everyone : Read & execute : Inherited From P:\ : This folder,
>     subfolders and files
>   * Domain Users : Full control : Inherited From P:\ : This folder,
>     subfolders and files
> 
> 1) S-1-5-21-185628584-2620904409-2800336372-1105 - Should I delete 
> this?  it seems to be a broken permission from a previous config?

Is 'S-1-5-21-185628584-2620904409-2800336372' the domain SID ?
Who or what is the RID 1105 ?

> 
> 2) If inheritance is disabled, why do the folders in the share show 
> inherited from P:\ ?
> 
> 3) I am a member of Domain Users and Domain Admins.  I can see files in 
> P:\ but I cant overwrite them or delete them.  It seems to be using the 
> permissions of Domain Admins R+X and not Domain Users Full Control.  yes 
> I know the permissions seem backwards, which is another issue, however 
> shouldn't it allow me write access since I am also a member of Domain 
> Users ?
> 
> Thanks! Peter
> 

Can you post the output of the following commands run on the machine 
that holds the share:

ls -lad /path/to/share/directory

getfacl /path/to/share/directory

samba-tool ntacl get /path/to/share/directory --as-sddl

Can you also post the smb.conf from the same machine.

Rowland

More information about the samba mailing list