[Samba] 4.15 windows ACL share. Not taking?
Patrick Goetz
pgoetz at math.utexas.edu
Wed Mar 2 17:00:03 UTC 2022
On 3/2/22 03:39, Manu Baylac via samba wrote:
>
> I don't want to use setfacl, I want to use Windows ACL and configure
> them from a Windows computer.
> But when I read the wiki page, it says
> "Samba stores the file system permissions in extended file system access
> control lists (ACL) and in an extended attribute" so I thought I would
> expect a "+" on the share.
>
If you're talking about "+"'s, then this means you're looking at the
files on a linux system. Linux doesn't understand Windows ACLs and
won't comment on them; i.e. you won't see a "+". You will only see the
"+" if you're using POSIX ACLs.
A second point is that attributes and ACLs are not the same thing. I'm
not entirely sure how these things are stored, and it probably depends
on the underlying filesystem (just learned that ZFS affords multiple
options for how attributes are stored, for example), but you use
different commands to set them. For example to make a file read-only,
even for the root user:
chattr +i MY_IMPORTANT_FILE
will make a file immutable -- that's an attribute.
setfacl -m g:MY_GROUP:r MY_OTHER_FILE
gives the group MY_GROUP read access to MY_OTHER_FILE -- that's a POSIX ACL.
I completely agree that this is all insanely confusing when you throw
Windows permissions into the mix and it would be super helpful (HINT!
HINT!) if the algorithm used to determine these mappings were documented
publicly so we can puzzle through the strange things that can happen.
More information about the samba
mailing list