[Samba] 4.15 windows ACL share. Not taking?

John Ericsson zendal.darkman at gmail.com
Tue Mar 1 19:32:46 UTC 2022


I am not sure how mailing lists work when it comes to replying. Hope this
does not mess anything up.
Thank you for replying. Extra special thanks to my very good friend "Manu
Baylac" for the "me too" post. The proposed solution worked!
At the end of this message is the smb.conf that does NOT work. There is a
lot of stuff in there due to a copy and paste from a working 4.14 prod
server. The commented out lines were always commented out (just ignore
them).
HOWEVER, to get it to work I just commented out
"acl_xattr:ignore system acls = yes" and it started working. I think I had
to restart the services rather than a reload command ..but maybe not.

I should add "work" means for the first time I saw the "+". I have not
tested subfolders etc.
"Not work" meant no matter what I did in computer manager, even though it
looked like it was working, there was no "+" and no users could get access.


[global]
security = ADS
workgroup = XX.com
realm = XX.com

log file = /var/log/samba/%m.log
log level = 4


dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
min domain uid = 0
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config XX : backend = rid
idmap config XX : range = 10000-5999999
#winbind refresh tickets = yes

template shell = /bin/false
template homedir = /home/%U

username map = /usr/local/samba/etc/user.map

full_audit:prefix = %u|%I|%m|%S
full_audit:success = open close read write create_file renameat unlinkat pwrite_send pwrite_recv
full_audit:failure = connect
full_audit:facility = local5
full_audit:priority = NOTICE

map to guest = never
restrict anonymous = 2
map to guest = never
restrict anonymous = 2
vfs objects = acl_xattr
map acl inherit = yes

#server signing = mandatory
#hello sexy
#server min protocol = SMB3_11
#server smb encrypt = required
#server smb3 encryption algorithms = AES-128-GCM

[demo]
path = /export/demo/
read only = no
acl_xattr:ignore system acls = yes


On Mon, Feb 28, 2022 at 7:27 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 2022-02-28 at 19:08 +0000, Manu Baylac via samba wrote:
> >       Hello Rowland,
> >
> >
> >
> > I did more tests, and:
> >
> > If I put acl_xattr:ignore system acls = yes in my share, it "fails",
> > the
> > "+" isn't here and my Windows ACL not applied.
>
> Your Windows ACL is being applied, just not where you think it is. If
> you read the line, it tells you what it will do, it will ignore the
> system acls.
>
> Samba will potentially store permissions in three places:
>
> The normal Unix acl (ugo)
> An extended ACL set by 'setfacl' and shown by 'getfacl' (this is where
> the '+' comes from)
> Windows ACLs stored in an Extended attribute (aka EA)
>
> If you do not set 'acl_xattr:ignore system acls = yes' a best effort
> will be done to map the windows ACLs to the Unix acls, this is where ugo
> and setfacl come in. If you do set it, the mapping will not be done.
>
> >
> > But if I comment this line and then my share is only :
> >
> > [TEST]
> > #       acl_xattr:ignore system acl = yes
>
> That is not a valid line, so it will not be used, even if you uncomment
> it.
>
> >          path = /srv/samba/TEST/
> >          read only = no
> >
> > Then all works fine, the "+" is back and I can config ACL with total
> > success.
>
> Yes, but why are you adding that line (even if it is wrong) if you want to
> use setfacl?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
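The two pitfalls in this thread (a share with `acl_xattr:ignore system acls = yes`, which stops the POSIX ACL mapping so `getfacl` never shows the "+", and the misspelt `acl_xattr:ignore system acl`, which smbd silently ignores) are easy to miss by eye in a long smb.conf. The following is an added example, not code from Samba or from anyone on this list: a small smb.conf linter that flags both per share. It assumes a constructed sample config and that normalising whitespace and case in parameter names is a good enough approximation of how Samba canonicalises them.

```python
import re

# Constructed sample smb.conf (assumption: not the poster's real file)
SAMPLE_SMB_CONF = """\
[global]
   vfs objects = acl_xattr
[demo]
   path = /export/demo/
   acl_xattr:ignore system acls = yes
[TEST]
   path = /srv/samba/TEST/
   acl_xattr:ignore system acl = yes
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; '#'/';' comments skipped, later
    duplicates of a key override earlier ones as smbd does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            # assumption: lower-case + single spaces approximates Samba's
            # case/whitespace-insensitive parameter-name matching
            key = re.sub(r"\s+", " ", key.strip().lower())
            sections[current][key] = value.strip()
    return sections

VALID = "acl_xattr:ignore system acls"     # real parameter
MISSPELT = "acl_xattr:ignore system acl"   # the typo from the thread

def check_shares(text):
    """Return {share: [finding, ...]} for every non-[global] section."""
    conf = parse_smb_conf(text)
    findings = {}
    for share, params in conf.items():
        if share == "global":
            continue
        notes = []
        if params.get(VALID, "").lower() in ("yes", "true", "1"):
            notes.append("ignore-system-acls: Windows ACL kept only in the EA, "
                         "no POSIX ACL mapping, so getfacl shows no '+'")
        if MISSPELT in params:
            notes.append("misspelt-parameter: 'acl_xattr:ignore system acl' "
                         "is not a valid parameter and is ignored by smbd")
        findings[share] = notes
    return findings
```

Run `check_shares(open("/etc/samba/smb.conf").read())` against a real file to get the same per-share findings; an empty list for a share means neither pitfall is present.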