[Samba] 4.15 windows ACL share. Not taking?

spindles seven spindles7 at gmail.com
Thu Mar 3 17:21:33 UTC 2022


On 02 March 2022 18:40 spindles seven wrote:
> On 02 March 2022 17:05 Rowland Penny wrote:
> > On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:
> > > On 02 March 2022 13:33 Rowland Penny wrote:
> > > > On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:
> > > > > On 28/02/2022 at 20:26, Rowland Penny via samba wrote:
> >
> > I feel that this must be an artefact of the recent CVE updates, I have
> > never used that line myself, but Louis has, so presumably it did work
> > at some point. What I can say is that if you set
> > 'acl_xattr:ignore system acls = yes' on a share when using Samba 4.15.5,
> > then that share does not get extended NT ACLs (no '+' sign at end of
> > Unix acls) when permissions are set from Windows.
> >
> Ok that may explain it, but I just did a test with a new share on a member server
> running Samba 4.15.5 and found that I still get the + after setting the ACLs from
> Windows and can still use it after adding the 'acl_xattr:ignore system acls = yes'
> to the share definition. Do you have to use a brand-new server running Samba
> version 4.15.5 rather than one that has been upgraded?
> 

OK, I did another test with a fresh install of Debian Bullseye and Samba 4.15.5 from Louis' repo.
I've determined that if you use the domain Administrator to set permissions from Windows, then if you
were to set the line 'acl_xattr:ignore system acls = yes' in smb.conf, the "+" disappears from
the 'ls' listing and users cannot access the share, as the OP and Rowland point out.
If, however, you use a member of Domain Admins to set the permissions from Windows,
then the "+" is retained and users can still access the folder/files after the above line is added to smb.conf.

Can anyone explain this behaviour?

Roy



