[Samba] simple permission scheme messed up with unwanted ACLs - how to fix?

Valentijn Sessink v.sessink at openoffice.nl
Fri Feb 11 13:29:44 UTC 2022 

Hi Patrick,

Thanks for your answer.

On 10-02-2022 23:35, Patrick Goetz via samba wrote:
> This is an aside, but unless you're running a domain controller it's not 
> clear why you're using Samba at all if you don't have any Windows 
> machines. It's easier to use NFS for a linux/Mac environment.

Actually, that's how it used to be: the linux machines had their /home 
mounted on the server with NFS4, with Kerberos authentication and all. 
But NFS has its own problems - my guess is that it was too complicated 
to get the Macs to connect to NFS, or that the user level security was a 
problem, or the need to keep local userIDs in sync - I'm not sure, it's 
a long time ago. I don't think we even tried to setup NFS4/Kerberos 
authentication on any Mac. And as most OSs have password managers 
built-in now, the great advantage of Kerberos for single sign-on (which 
to end users just means "not having to remember any extra passwords") 
has greatly diminished, IMHO.

>      ea support = no
> applies to attributes (not ACLs) and consequently won't help you, 

Thanks. (It probably shows how confused I was ;-)

> Are you using extended ACLs on your file server?

They are there, but I'm not using any.

[...]

Thanks for your explanation - helped to see things in perspective and I 
guess I'm fine with the current settings for now.

Regarding my problem:

> If that's insufficient, provide us with an example of what you're 
> talking about in addition to the [global] section of your smb.conf file.
... A few hours after my post, I found yet another ACL option, namely 
"fruit:nfs_aces". I set this to "no" and since then, no more ACLs have 
been added to any files. So my guess is that vfs_fruit was the culprit: 
"A global option whether support for querying and modifying the UNIX 
mode of directory entries via NFS ACEs is enabled, default yes."

I still don't know why these apple computers were changing ACLs anyway. 
But I guess that's a question for an Apple forum, not this list ;-)

Best regards,

Valentijn
-- 
http://www.openoffice.nl/   Open Office - Linux Office Solutions
Valentijn Sessink  v.sessink at openoffice.nl  +31(0)20-4214059

More information about the samba mailing list