[Samba] 4.15 windows ACL share. Not taking?

Gregory Sloop gregs at sloop.net
Thu Mar 3 17:33:37 UTC 2022

I should note that I noticed something pretty similar, I think. 
I was way less systematic about it, but there was something quite odd about the Administrator account and being able to access shares (or more accurately, NOT being able to access them.)
In my case, it occurred with _both_ 4.15.3 and 4.15.5.
And using another domain admin equivalent account "fixed" it. (Which was odder still.)
I just figured I'd done something stupid and hadn't had any time to tinker or test to see why.
Just thought I'd chime in as a "Yeah, I've noticed something odd too."
It's totally possible that this isn't the same issue, and my problems are self-inflicted, but my feeling is that it's the same root problem.

> On 02 March 2022 18:40 spindles seven wrote:

>> On 02 March 2022 17:05 Rowland Penny wrote:

>>> On Wed, 2022-03-02 at 16:48 +0000, spindles seven via samba wrote:

>>>> On 02 March 2022 13:33 Rowland Penny wrote:

>>>>> On Wed, 2022-03-02 at 09:39 +0000, Manu Baylac via samba wrote:

>>>>>> On 28/02/2022 at 20:26, Rowland Penny via samba wrote:

>>> I feel that this must be an artefact of the recent CVE updates, I have
>>> never used that line myself, but Louis has, so presumably it did work
>>> at some point. What I can say is that if you set 'acl_xattr:ignore
>>> system acls = yes' on share when using Samba 4.15.5, then that share
>>> does not get extended NT ACLS (no '+' sign at end of Unix acls) when
>>> permissions are set from Windows.
>> Ok that may explain it, but I just did a test with a new share on a member server
>> running Samba 4.15.5 and found that I still get the + after setting the ACLs from
>> Windows and can still use it after adding the 'acl_xattr:ignore system acls = yes'
>> to the share definition. Do you have to use a brand-new server running
>> Samba version 4.15.5 rather than one that has been upgraded?

> OK, I did another test with a fresh install of Debian Bullseye and Samba 4.15.5 from Louis' repo.
> I've determined that if you use the domain Administrator to set permissions from Windows, then if you
> were to set the line: 'acl_xattr:ignore system acls = yes' in smb.conf the "+" disappears from
> the 'ls' listing and users cannot access the share as the OP and Rowland point out.
> If however, you use a member of Domain Admins to set the permissions from Windows
> then the "+" is retained and users can still access the folder/files after the above line is added to smb.conf.

> Can anyone explain this behaviour?

> Roy
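
The check the quoted messages do by hand, as an added example (not code from the thread or from the Samba project): it lists shares that set 'acl_xattr:ignore system acls = yes' and whose path shows no '+' in an `ls -ld` listing. Share names, paths and both sample inputs are constructed, and the parser does not follow smb.conf include directives.

```python
import re

OPTION = "acl_xattr:ignore system acls"
TRUE_VALUES = {"yes", "true", "on", "1"}  # spellings smb.conf accepts for "true"
# Constructed sample input (hypothetical shares and paths): smb.conf, then `ls -ld`.
SAMPLE_SMB_CONF = """[projects]
    path = /srv/samba/projects
    acl_xattr:ignore system acls = yes
[scans]
    path = /srv/samba/scans
    acl_xattr:ignore system acls = yes
[public]
    path = /srv/samba/public
"""
SAMPLE_LS = """drwxrwx---  2 root root 4096 Mar  3 10:00 /srv/samba/projects
drwxrwx---+ 2 root root 4096 Mar  3 10:00 /srv/samba/scans
drwxrwx---+ 2 root root 4096 Mar  3 10:00 /srv/samba/public
"""

def parse_shares(conf_text):
    """Return {share: {parameter: value}} from smb.conf text."""
    shares, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def acl_markers(ls_text):
    """Map path -> True when the ls mode string ends in '+'."""
    rows = (line.split(None, 8) for line in ls_text.splitlines())
    return {f[8]: f[0].endswith("+") for f in rows if len(f) == 9}

def flagged_shares(conf_text, ls_text):
    """Shares with the option enabled whose path is listed without a '+'."""
    marked = acl_markers(ls_text)
    shares = parse_shares(conf_text)
    return sorted(name for name, params in shares.items()
                  if params.get(OPTION, "no").lower() in TRUE_VALUES
                  and marked.get(params.get("path")) is False)

if __name__ == "__main__":
    print(flagged_shares(SAMPLE_SMB_CONF, SAMPLE_LS))
```

On a live server the two inputs would come from `testparm -s` and `ls -ld` on each share path.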
