[Samba] 4.15 windows ACL share. Not taking?

Rowland Penny rpenny at samba.org
Wed Mar 2 17:05:28 UTC 2022


On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:
> On 02 March 2022 13:33 Rowland Penny wrote:
> > On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> > > On 28/02/2022 20:26, Rowland Penny via samba wrote:
> [snip]
> > OK, your OS has to know your users and they have to have permission to
> > access/read/write on a share.
> > 
> > Normally when you create a share directory it will get permissions
> > like: drwxr-xr-x 2 root root
> > 
> > From this, you can see that only 'root' can write to the share directory.
> > If you go to Windows and set permissions on the share directory, you
> > should be able to, but if you have set
> > 'acl_xattr:ignore system acls = Yes', your users will still not be able
> > to write to the share (and as it has been pointed out, this will be shown
> > by not having a '+' sign at the end of the permissions), without that
> > line, Samba will alter the Unix acls and set NT ACLS and your users will
> > get the permissions you want them to have.
> > 
> > Rowland
> 
> I am now even more confused than before! The wiki page for setting
> up the share using Windows ACLs specifically suggests that the
> 'acl_xattr:ignore system acls = Yes' be added to smb.conf.

It doesn't any more :-)

> And even with that line in smb.conf for the share, I do get the +
> at the end of permissions. All is working fine with my system. So
> if the + is missing when this line is in smb.conf does this suggest
> that the Windows ACLs are not being saved?

I feel that this must be an artefact of the recent CVE updates, I have
never used that line myself, but Louis has, so presumably it did work
at some point. What I can say is that if you set
'acl_xattr:ignore system acls = yes' on a share when using Samba 4.15.5,
then that share does not get extended NT ACLS (no '+' sign at end of
Unix acls) when permissions are set from Windows.

Rowland
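
The check discussed in this thread, as an added example that is not part of the original messages or of Samba itself: it reports, per share, whether 'acl_xattr:ignore system acls' is effectively on (including when inherited from [global]) and whether the share directory shows the '+' marker in `ls -ld`. The smb.conf text, share names, paths and `ls` output are constructed samples, and the function names are hypothetical.

```python
# Constructed sample smb.conf; share names and paths are hypothetical.
SAMPLE_SMB_CONF = """\
[global]
vfs objects = acl_xattr
[demo]
path = /srv/samba/demo
acl_xattr:ignore system acls = Yes
[projects]
path = /srv/samba/projects
"""

# Constructed `ls -ld` output for the two share directories.
SAMPLE_LS = """\
drwxr-xr-x  2 root root 4096 Mar  2 17:00 /srv/samba/demo
drwxrwx---+ 2 root root 4096 Mar  2 17:00 /srv/samba/projects
"""

OPTION = "acl_xattr:ignore system acls"
TRUE_VALUES = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[" ".join(name.lower().split())] = value.strip()
    return sections

def shares_ignoring_system_acls(conf):
    """Shares where the option is effectively on ([global] supplies the default)."""
    default = conf.get("global", {}).get(OPTION, "no")
    return sorted(name for name, params in conf.items()
                  if name != "global"
                  and params.get(OPTION, default).lower() in TRUE_VALUES)

def audit(conf_text, ls_text):
    """Map share -> (ignore_system_acls_on, plus_marker_present or None)."""
    conf = parse_smb_conf(conf_text)
    ignoring = set(shares_ignoring_system_acls(conf))
    marks = {l.split()[-1]: l.split()[0].endswith("+")
             for l in ls_text.splitlines() if l.strip()}
    return {name: (name in ignoring, marks.get(params.get("path")))
            for name, params in conf.items() if name != "global"}
```

On a live server the second argument would be the output of `ls -ld` on each share path; `None` in the result means no listing line matched that path.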




