[Samba] SMB Windows ACL functionality

Rowland Penny rpenny at samba.org
Tue Jul 12 12:36:12 UTC 2022


On Mon, 2022-07-11 at 22:58 -0300, Bailey Allison via samba wrote:
> Good evening,
> 
> I am currently trying to setup an SMB share using Windows ACLs for
> permissions per the article:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
> 

OK, I followed the wiki and added a couple of shares to a Debian Unix
domain member running 4.15.7.

One had 'acl_xattr:ignore system acls = yes' set, the other didn't.

I logged into Win10 as Administrator and opened the Unix computer in
Explorer.
I then set 'Unix Admins' (which is a member of Domain Admins) to have
full permissions on the shares. I did this via the security tab in
Properties. 

Going back to the Unix domain member and checking the permissions on
the shares with getfacl, returns this:

getfacl /srv/acl1
getfacl: Removing leading '/' from absolute path names
# file: srv/acl1
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:unix\040admins:rwx
default:mask::rwx
default:other::r-x

getfacl /srv/acl2
getfacl: Removing leading '/' from absolute path names
# file: srv/acl2
# owner: root
# group: unix\040admins
user::rwx
group::rwx
other::---

'acl2' is the share with 'acl_xattr:ignore system acls = yes' set

This is what I would expect.

I then checked them with 'samba-tool ntacl get'

sudo samba-tool ntacl get /srv/acl1 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

sudo samba-tool ntacl get /srv/acl2 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

This results in different output.

I then repeated the above with two new shares, but logged into Win10 as
myself (a member of Unix Admins and Domain Admins), this time, the
outputs of the two samba-tool commands are identical.

sudo samba-tool ntacl get /srv/acl3 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

sudo samba-tool ntacl get /srv/acl4 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

Why do I get different results depending on who is logged into Win10?

I am going to do some more testing without Administrator.

Rowland
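To see exactly what the two DACLs above differ in, here is an added example (editor's code, not part of the original post and not Samba's own tooling) that decodes the SDDL form printed by `samba-tool ntacl get --as-sddl`: it splits owner, group and DACL, expands the ACE flag and SID abbreviations, labels the access masks the way the Windows security tab does, and lists the ACEs present in one DACL but not the other. The two input strings are the acl1 and acl2 output from the message above, re-joined where the mail wrapping split them (constructed input in that sense); the alias, flag and rights tables are the standard SDDL/Windows ones, and the S-1-22-1-<uid> / S-1-22-2-<gid> decoding is Samba's Unix-id SID range. The SACL (`S:`) part, absent from these strings anyway, is ignored.

```python
"""Decode the SDDL printed by `samba-tool ntacl get --as-sddl` and diff two DACLs."""
import re
from dataclasses import dataclass

ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESS_AUDIT", "FA": "FAILURE_AUDIT"}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
# Rights mnemonics SDDL may use instead of a hex mask (subset of the standard list).
RIGHTS_MNEMONICS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
                    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
# File access masks as the Windows security tab labels them.
RIGHTS_LABELS = {0x1F01FF: "Full control", 0x1301BF: "Modify",
                 0x1200A9: "Read & execute", 0x120089: "Read", 0x0: "(no rights)"}
# Well-known two-letter SID aliases (subset); unknown SIDs are passed through.
SID_ALIASES = {"WD": "Everyone", "CO": "CREATOR OWNER", "CG": "CREATOR GROUP",
               "BA": "BUILTIN\\Administrators", "SY": "SYSTEM"}
# Samba's Unix-id SID range: S-1-22-1-<uid> for users, S-1-22-2-<gid> for groups.
UNIX_SID = re.compile(r"^S-1-22-([12])-(\d+)$")


@dataclass(frozen=True)
class Ace:
    kind: str     # "A", "D", "AU"
    flags: tuple  # e.g. ("OI", "CI", "IO")
    rights: int   # access mask
    sid: str      # raw SID or two-letter alias

def parse_rights(field: str) -> int:
    if not field:                        # "(A;;;;;WD)" carries an empty mask
        return 0
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):    # concatenated mnemonics such as "FRFX"
        mask |= RIGHTS_MNEMONICS[field[i:i + 2]]
    return mask

def parse_ace(text: str) -> Ace:
    kind, flags, rights, _obj, _inherit_obj, sid = text.split(";")
    return Ace(kind, tuple(re.findall(r"OI|CI|NP|IO|ID|SA|FA", flags)), parse_rights(rights), sid)

def parse_sddl(sddl: str) -> dict:
    sddl = re.sub(r"\s+", "", sddl)      # tolerate output wrapped by a mail client
    out = {"owner": "", "group": "", "dacl_flags": (), "dacl": []}
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key == "O":
            out["owner"] = body
        elif key == "G":
            out["group"] = body
        elif key == "D":                 # SACL ("S:") is ignored here
            acl_flags, _, aces = body.partition("(")
            out["dacl_flags"] = tuple(re.findall(r"AR|AI|P", acl_flags))
            out["dacl"] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", "(" + aces)]
    return out

def describe_sid(sid: str) -> str:
    if sid in SID_ALIASES:
        return f"{sid} ({SID_ALIASES[sid]})"
    m = UNIX_SID.match(sid)
    if m:
        return f"{sid} (Unix {'uid' if m.group(1) == '1' else 'gid'} {m.group(2)})"
    return sid

def describe_ace(ace: Ace) -> str:
    flags = ",".join(ACE_FLAGS[f] for f in ace.flags) or "-"
    rights = RIGHTS_LABELS.get(ace.rights, f"0x{ace.rights:08x}")
    return f"{ACE_TYPES.get(ace.kind, ace.kind):5} {flags:45} {rights:15} {describe_sid(ace.sid)}"

def dacl_diff(a: dict, b: dict):
    """ACEs present in a but not b, and in b but not a (order-insensitive)."""
    return ([x for x in a["dacl"] if x not in b["dacl"]],
            [x for x in b["dacl"] if x not in a["dacl"]])

# Constructed input: the acl1/acl2 SDDL from the message above, re-joined.
ACL1_SDDL = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122"
             "D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)"
             "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
             "(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)")
ACL2_SDDL = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122"
             "D:(A;;0x001f01ff;;;S-1-22-1-0)"
             "(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)"
             "(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
             "(A;OICIIO;0x001200a9;;;WD)")

if __name__ == "__main__":
    parsed = {name: parse_sddl(s) for name, s in (("acl1", ACL1_SDDL), ("acl2", ACL2_SDDL))}
    for name, sd in parsed.items():
        print(f"{name}: owner={describe_sid(sd['owner'])} group={sd['group']} "
              f"dacl_flags={[ACL_FLAGS[f] for f in sd['dacl_flags']] or '-'}")
        for ace in sd["dacl"]:
            print("  " + describe_ace(ace))
    only1, only2 = dacl_diff(parsed["acl1"], parsed["acl2"])
    print("only in acl1:", *map(describe_ace, only1), sep="\n  ")
    print("only in acl2:", *map(describe_ace, only2), sep="\n  ")
```

Run stand-alone, it prints both decoded DACLs and then the difference, which is what the raw strings above show once unwrapped: acl2's DACL carries no P/AI flags, has an extra Everyone ACE with an empty access mask, and its 'Unix Admins' group ACE has no OI/CI flags, so it applies to the share root only, whereas acl1's group ACE has OI/CI and will be inherited by new files and directories. The same parser can be pointed at any other `ntacl get --as-sddl` output to compare shares, or a share before and after a change made from the Windows security tab.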