[Samba] 4.15 windows ACL share. Not taking?
pgoetz at math.utexas.edu
Wed Mar 2 17:12:30 UTC 2022
On 3/2/22 10:48, spindles seven via samba wrote:
> I am now even more confused than before! The WiKi page for setting up the share using Windows ACLs specifically suggests that the 'acl_xattr:ignore system acls = Yes' be added to smb.conf. And even with that line in smb.conf for the share, I do get the + at the end of permissions. All is working fine with my system. So if the + is missing when this line is in smb.conf does this suggest that the Windows ACLs are not being saved?
This is something generally confusing about network filesystems that one
of the NFS developers finally straightened me out on:
Think of it like this: your brother has 2 cookies. You want one of them,
so you ask your mother "can I have one of Bob's cookies?" Even if your
mom says yes, your attainment of the cookie is dependent on Bob's
cooperation; i.e. if Bob doesn't want to give you the cookie, you're not
getting the cookie.
Same is true of network filesystems. If the UNIX permissions on a file are
drwxr-xr-x 2 root root
only the root user can write to that file. Your Windows desktop user can
try and write to the file all day long with full permission from Windows
ACLs (mom), but linux (Bob), the owner of the file, is going to say no
every time. This is precisely why Samba rewrites the linux permissions
(using POSIX ACLs, because that's currently the closest match to the
granularity of Windows permissions). Think of this as mom (now Samba is
the mom) dropping the hammer on Bob and telling him "put one of those
cookies on the counter for Roy or else!"
At least this is how NFS works, and I'm assuming that Samba works the
same way, since anything else would be a security hole the size of Texas.
More information about the samba