[Samba] 4.15 windows ACL share. Not taking?

L. van Belle belle at samba.org
Thu Mar 3 10:44:38 UTC 2022 

The problem is... 
If you change a share (per example) from this.. 

[TEST]
          acl_xattr:ignore system acls = yes
          path = /srv/samba/TEST/
          read only = no
 
To this
[TEST]
          path = /srv/samba/TEST/
          read only = no

You MUST re-apply these ACL's since they are stored in different places.
Thats the only problem i see people are making.. 

There are 3 shares i use :  acl_xattr:ignore system acls = yes 
1) \\fq.dn\sysvol 
2) \\fq.dn\users$ 
3) \\fq.dn\profiles$ 

Only in these places i find the option "ignore system acls" to be (can be)
very usefull. 
Now, most of this is an old artifact of older samba versions containing some
bugs.

My advice is, set minimal options in the shares and try to avoid "ignore
system acls" 
Before i got hit on corona i blindly missed settings making me also think
why someone 
couldnt write on a share and one did.. 

I missed these on the share, its that easy to miss something and got trown
off.. 

        read list = @"ADDOM\department1"
        write list = @"ADDOM\department2"

A collega had set them and i didnt know that.. 

Last... 
min domain uid = 0 << this is only a workaround due latest CVE in 4.15.2,
4.14.10 and 4.13.14.
I dont know current status.. Need to catch up on it. 
But if something isnt working, try that one first is my suggestion. 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Manu 
> Baylac via samba
> Verzonden: woensdag 2 maart 2022 19:29
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] 4.15 windows ACL share. Not taking?
> 
> Le 02/03/2022 à 18:05, Rowland Penny via samba a écrit :
> 
> > I feel that this must be an artefact of the recent CVE 
> updates, I have
> > never used that line myself, but Louis has, so presumably 
> it did work
> > at some point. What I can say is that if you set 'acl_xattr:ignore
> > system acls = yes' on share when using Samba 4.15.5 , then 
> that share
> > does not get extended NT ACLS (no '+' sign at end of Unix acls) when
> > permissions are set from Windows.
> 
> And on last 4.14.x Louis package, same "problem".
> 
> --
> Manu
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list