[Samba] 4.15 windows ACL share. Not taking?
rpenny at samba.org
Wed Mar 2 17:05:28 UTC 2022
On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:
> On 02 March 2022 13:33 Rowland Penny wrote:
> > On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> > > Le 28/02/2022 20:26, Rowland Penny via samba a crit :
> > OK, your OS has to know your users and they have to have permission
> > to
> > access/read/write on a share.
> > Normally when you create a share directory it will get permissions
> > like: drwxr-xr-x 2 root root
> > From this, you can see that only 'root' can write to the share
> > directory.
> > If you go to windows and set permissions on the share directory,
> > you
> > should be able to, but if you have set 'acl_xattr:ignore system
> > acls =
> > Yes', your users will still not be able to write to the share (and
> > as
> > it has been pointed out, this will be shown by not having a '+'
> > sign at
> > the end of the permissions), without that line, Samba will alter
> > the
> > Unix acls and set NT ACLS and your users will get the permissions
> > you
> > want them to have.
> > Rowland
> I am now even more confused than before! The WiKi page for setting
> up the share using Windows ACLs specifically suggests that the
> 'acl_xattr:ignore system acls = Yes' be added to smb.conf.
It doesn't any more :-)
> And even with that line in smb.conf for the share, I do get the +
> at the end of permissions. All is working fine with my system. So
> if the + is missing when this line is in smb.conf does this suggest
> that the Windows ACLs are not being saved?
I feel that this must be an artefact of the recent CVE updates, I have
never used that line myself, but Louis has, so presumably it did work
at some point. What I can say is that if you set 'acl_xattr:ignore
system acls = yes' on share when using Samba 4.15.5 , then that share
does not get extended NT ACLS (no '+' sign at end of Unix acls) when
permissions are set from Windows.
More information about the samba