[Samba] 4.15 windows ACL share. Not taking?

Rowland Penny rpenny at samba.org
Wed Mar 2 13:32:47 UTC 2022


On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> Hello Rowland,
> 
> Thanks for your reply.
> 
> On 28/02/2022 at 20:26, Rowland Penny via samba wrote:
> 
> > Your Windows ACL is being applied, just not where you think it is.
> > If you read the line, it tells you what it will do, it will ignore
> > the system acls.
> > 
> > Samba will potentially store permissions in three places:
> > 
> > The normal Unix acl (ugo)
> > An extended ACL set by 'setfacl' and shown by 'getfacl' (this is where the '+' comes from)
> > Windows ACLs stored in an Extended attribute (aka EA)
> > 
> > If you do not set 'acl_xattr:ignore system acls = yes' a best effort
> > will be done to map the windows ACLs to the Unix acls, this is where
> > ugo and setfacl come in. If you do set it, the mapping will not be
> > done.
> 
> Yes I read the man page, but it isn't clear to me, see below.
> 
> > > But if I comment this line and then my share is only :
> > > 
> > > [TEST]
> > > #       acl_xattr:ignore system acl = yes
> > 
> > That is not a valid line, so it will not be used, even if you
> > uncomment it.
> Sorry, typo, yes I have set "acls"
> 
> > Yes, but why are you adding that line (even if it is wrong) if you
> > want to use setfacl ?
> 
> I don't want to use setfacl, I want to use Windows ACL and configure
> them from a Windows computer.
> But when I read the wiki page, it says
> "Samba stores the file system permissions in extended file system
> access control lists (ACL) and in an extended attribute" so I thought
> I would expect a "+" on the share.
> 
> I read the wiki page again but it isn't clear to me.
> 
> I did more tests, and like John said in his second mail, if I just
> put:
> [TEST]
>          # acl_xattr:ignore system acls = yes
>          path = /srv/samba/TEST/
>          read only = no
> 
> All works fine.
> 
> If I uncomment the normally expected acl_xattr line, then it fails, a
> user who has permissions can't even browse the share.
> 
> Well, I'm lost :-(

Have you tried retracing your steps, to get back to where you started
from ? :-D:-D

OK, your OS has to know your users and they have to have permission to
access/read/write on a share.

Normally when you create a share directory it will get permissions
like: drwxr-xr-x 2 root root

From this, you can see that only 'root' can write to the share
directory.
If you go to windows and set permissions on the share directory, you
should be able to, but if you have set 'acl_xattr:ignore system acls =
Yes', your users will still not be able to write to the share (and as
it has been pointed out, this will be shown by not having a '+' sign at
the end of the permissions), without that line, Samba will alter the
Unix acls and set NT ACLS and your users will get the permissions you
want them to have.

Rowland
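
An added example, not part of the original message or of Samba: a small check that reports, per share, which of the three spellings seen in this thread is in effect (misspelled and therefore not used, commented out, or actually set). The function names, the sample shares and the name and boolean normalisation are assumptions of this example.

```python
import re

VALID = "acl_xattr:ignore system acls"   # spelling given in the thread
TRUE = {"yes", "true", "1", "on"}        # assumed boolean spellings

# Constructed sample: the three variants of the line seen in the thread.
SAMPLE = """\
[TYPO]
    acl_xattr:ignore system acl = yes
    path = /srv/samba/TEST/
[COMMENTED]
    # acl_xattr:ignore system acls = yes
    path = /srv/samba/TEST/
    read only = no
[SET]
    acl_xattr:ignore system acls = Yes
    path = /srv/samba/TEST/
"""

def norm(name):
    # Assumption: compare names lower-cased with whitespace collapsed.
    return " ".join(name.lower().split())

def audit(conf_text):
    """Return {share: {"ignore_system_acls": bool, "notes": [str, ...]}}."""
    shares, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # start of a new share section
            current = shares.setdefault(
                m.group(1), {"ignore_system_acls": False, "notes": []})
            continue
        if current is None or not line or "=" not in line:
            continue
        commented = line[0] in "#;"
        key, value = line.lstrip("#; \t").split("=", 1)
        key, value = norm(key), value.strip().lower()
        if not key.startswith("acl_xattr:ignore system"):
            continue  # only the option discussed in this thread is checked
        if commented:
            current["notes"].append("commented out: " + key)
        elif key != VALID:
            current["notes"].append("not a valid parameter name, not used: " + key)
        else:
            current["ignore_system_acls"] = value in TRUE
    return shares

if __name__ == "__main__":
    for share, result in audit(SAMPLE).items():
        print(share, result)
```

Only the share reported with ignore_system_acls True is the case where, as described above, the mapping to the Unix acls is not done and the directory's own Unix permissions still have to allow the users in.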




