[Samba] SMB Windows ACL functionality

Rowland Penny rpenny at samba.org
Tue Jul 12 14:43:10 UTC 2022


On Tue, 2022-07-12 at 13:36 +0100, Rowland Penny via samba wrote:
> On Mon, 2022-07-11 at 22:58 -0300, Bailey Allison via samba wrote:
> > Good evening,
> > 
> > I am currently trying to setup an SMB share using Windows ACLs for
> > permissions per the article:
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
> > 
> 
> OK, I followed the wiki and added a couple of shares to a Debian Unix
> domain member running 4.15.7.
> 
> One had 'acl_xattr:ignore system acls = yes' set, the other didn't.
> 

I carried out the same tests on another machine (this time using
'rid'), but this computer did not map Administrator to root with a
user.map

Everything else was the same.
Logged into Win10 as Administrator, I couldn't change anything, I
expected this.

Logged in as myself, I could alter the permissions on the share that
didn't have 'acl_xattr:ignore system acls = yes' set, but on the other,
I got:

An error occurred while applying security information to
\\mintclient\acltest2

Failed to enumerate objects in the container. Access is denied.


When I checked the ACLs with samba-tool, I got these:

sudo samba-tool ntacl get /srv/acl1 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)

sudo samba-tool ntacl get /srv/acl2 --as-sddl
O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122D:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

They are different, this is probably to be expected.

It looks to me that the user.map is required, but you shouldn't set
permissions from Windows as Administrator, you should set them as a
user that is a member of 'Administrators' or 'Domain Admins', or is a
member of group that is a member of either group.

It also looks like you should set 'acl_xattr:ignore system acls = yes'
on the shares if setting permissions from Windows, but only if you also
set a user.map and never change the permissions as Administrator.

Now to phrase all that in a way suitable for the wiki.

Rowland
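As an added example (not part of the post above and not Samba's own code), the two `--as-sddl` strings from the message, rejoined onto one line each, are decoded with a small SDDL parser so that each ACE's inheritance flags, access mask and principal are readable. `S-1-22-1-0` is Samba's Unix-users SID for uid 0 (root); `WD`, `CO` and `CG` are the SDDL abbreviations for Everyone, CREATOR OWNER and CREATOR GROUP. The helper `rights_on_object` (a name chosen here) reports what applies to the share directory itself once inherit-only (IO) ACEs, which only shape what new children receive, are skipped; it does not model deny ACEs because neither descriptor contains one.

```python
"""Decode the two Samba SDDL security descriptors from the post.

Added example, not part of the original message or of Samba itself.
"""
import re

# SDDL two-letter SID abbreviations used in the post, plus a few common ones.
SID_ABBREV = {
    "WD": "S-1-1-0",       # Everyone
    "CO": "S-1-3-0",       # CREATOR OWNER
    "CG": "S-1-3-1",       # CREATOR GROUP
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
}

# Individual file/directory access-mask bits (MS-DTYP / winnt.h).
ACCESS_BITS = [
    (0x00000001, "READ_DATA/LIST_DIR"), (0x00000002, "WRITE_DATA/ADD_FILE"),
    (0x00000004, "APPEND_DATA/ADD_SUBDIR"), (0x00000008, "READ_EA"),
    (0x00000010, "WRITE_EA"), (0x00000020, "EXECUTE/TRAVERSE"),
    (0x00000040, "DELETE_CHILD"), (0x00000080, "READ_ATTRIBUTES"),
    (0x00000100, "WRITE_ATTRIBUTES"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
]

# Composite masks as the Windows security tab labels them.
NAMED_MASKS = {0x001f01ff: "Full control", 0x001301bf: "Modify",
               0x001200a9: "Read & execute", 0x00120089: "Read",
               0x00100116: "Write", 0x00000000: "(no rights)"}

# SDDL rights codes, for descriptors written without a hex mask.
RIGHTS_CODES = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
                "GR": 0x80000000, "FA": 0x001f01ff, "FR": 0x00120089,
                "FW": 0x00120116, "FX": 0x001200a0}

# The two descriptors from the post, rejoined onto one line each.
ACL1_SDDL = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122"
             "D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)"
             "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
             "(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)")
ACL2_SDDL = ("O:S-1-22-1-0G:S-1-5-21-1768301897-3342589593-1064908849-2122"
             "D:(A;;0x001f01ff;;;S-1-22-1-0)"
             "(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)"
             "(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
             "(A;OICIIO;0x001200a9;;;WD)")

_SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dflags>[A-Z]*)"
                      r"(?P<aces>(?:\([^)]*\))*)(?:S:.*)?$")


def _parse_rights(field):
    """Rights field: empty, a hex mask, or concatenated two-letter codes."""
    if field == "":
        return 0
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHTS_CODES:
            raise ValueError("unknown rights code %r" % code)
        mask |= RIGHTS_CODES[code]
    return mask


def parse_ace(text):
    """'(type;flags;rights;object_guid;inherit_guid;sid)' -> dict."""
    fields = text.strip("()").split(";")
    if len(fields) != 6:
        raise ValueError("malformed ACE: %r" % text)
    ace_type, flags, rights, _obj, _inh, sid = fields
    return {"type": ace_type,  # A = allow, D = deny
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
            "mask": _parse_rights(rights),
            "sid": SID_ABBREV.get(sid, sid)}


def parse_sddl(sddl):
    """Owner, group, DACL control flags (P = protected, AI = auto-inherited) and ACEs."""
    m = _SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    return {"owner": SID_ABBREV.get(m.group("owner"), m.group("owner")),
            "group": SID_ABBREV.get(m.group("group"), m.group("group")),
            "dacl_flags": m.group("dflags"),
            "aces": [parse_ace(a) for a in re.findall(r"\([^)]*\)", m.group("aces"))]}


def describe_mask(mask):
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    return "|".join(name for bit, name in ACCESS_BITS if mask & bit) or hex(mask)


def rights_on_object(acl, sid):
    """Union of allow masks for `sid` on the directory itself; IO ACEs are skipped."""
    mask = 0
    for ace in acl["aces"]:
        if ace["type"] == "A" and ace["sid"] == sid and "IO" not in ace["flags"]:
            mask |= ace["mask"]
    return mask


def report(name, sddl):
    acl = parse_sddl(sddl)
    print("%s owner=%s group=%s dacl_flags=%r" % (name, acl["owner"], acl["group"], acl["dacl_flags"]))
    for ace in acl["aces"]:
        print("  %s %-6s %-16s %s" % (ace["type"], "".join(ace["flags"]),
                                      describe_mask(ace["mask"]), ace["sid"]))
    return acl


if __name__ == "__main__":
    for label, sddl in (("/srv/acl1", ACL1_SDDL), ("/srv/acl2", ACL2_SDDL)):
        acl = report(label, sddl)
        print("  on the share root, Everyone gets:", describe_mask(rights_on_object(acl, "S-1-1-0")))
```

Run as a script it prints one line per ACE. On /srv/acl1 the DACL is protected and auto-inherited (`PAI`) and Everyone only holds an inherit-only Read & execute ACE, so on the directory itself Everyone has nothing; on /srv/acl2 the DACL carries no control flags and Everyone holds an explicit ACE with an empty mask, which is how a POSIX "other" permission of 0 appears when the system ACL is not ignored. In both, root (`S-1-22-1-0`) and the domain user SID ending in `-2122` hold Full control on the directory.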