[Samba] Setting permissions on AD member file server

Gregory Sloop gregs at sloop.net
Mon Mar 14 22:41:09 UTC 2022

I've had a little time to tinker and one thing I've found.
Unless I have [acl_xattr:ignore system acls = yes] set, I can't edit permissions at all.
(I set it globally, though a share level setting would probably work on a per-share basis.)
This seems to be a quasi side-effect of that setting - in short, that setting overwrites/resets the POSIX permissions. (Provided I understand discussions I've seen about it.)
In this case the share will only be used by Windows users via CIFS/Samba - so this may well "work" just fine and as a happy side-effect, make the problem vanish.
But I'd guess it's not really the "correct" fix.
To that end, what would be the best way to reset the permissions on the directories/files properly, removing all the Samba ACLs etc.? Once they are set as a baseline in POSIX then we can tinker with Samba ACLs with the Windows permissions again. (And remove acl_xattr:ignore system acls = yes)
(I'm not making any claims about "Administrators" vs "Domain Admins" and permissions in this post. I'm simply trying to deduce what's going on, and talk about a single thing that makes it work differently, perhaps more or less inadvertently.)

> On 12 March 2022 09:22 Rowland Penny wrote:

>> On Fri, 2022-03-11 at 22:48 +0000, spindles seven via samba wrote:

>>> On 11 March 2022 22:26 Rowland Penny wrote:

>>>> I take it you found that out from here:

>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share

>>> Yes indeed.
>>>> That is what I was getting at, it used to work. A member of Domain
>>>> Admins logged into Windows could change the permissions on a share,
>>>> provided everything was set up correctly on the Unix domain member.
>>>> I can now only do this with Administrator.

>>>> Rowland
>>> works for me (on version 4.15.5), so what's different?
>> I am using 4.15.5 and it doesn't work for me, it used to, but it doesn't any longer.

>> Rowland
> OK, so using a test installation of Debian Bullseye in a VM and Samba 4.15.5, I left the domain and cleaned up the samba database files as per the WiKi. I deleted the existing folders i.e. /srv/samba and all sub folders. Using that same page in the WiKi (https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member) I joined the domain. This is the smb.conf at that stage:

> [global]

>         security = ADS
>         workgroup = MICROLYNX
>         realm = MICROLYNX.ORG

>         log file = /var/log/samba/%m.log
>         log level = 1

>         winbind use default domain = yes

>         # Default idmap config used for BUILTIN and local accounts/groups
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999

>         # idmap config for domain MICROLYNX
>         idmap config MICROLYNX:backend = rid
>         idmap config MICROLYNX:range = 10000-99999

>         # next two lines for testing only - comment-out once working ok
>         winbind enum users = yes
>         winbind enum groups = yes

>         template shell = /bin/bash
>         template homedir = /srv/samba/users/%U

>         vfs objects = acl_xattr
>         map acl inherit = yes
>         username map = /etc/samba/user.map

>         # allow administrator to access having been mapped to root (uid 0)
>         min domain uid = 0
> ==========
> I then added shares [users] and [test] as follows:

> [users]
>         # user homedirs
>         path = /srv/samba/users
>         read only = no
>         acl_xattr:ignore system acls = yes

> [test]
>         path = /srv/samba/test
>         read only = no

> I set the Unix permissions as follows:
> chown root:"Domain Admins" /srv/samba/users
> chown root:"Domain Admins" /srv/samba/test
> chmod 0770 /srv/samba/users
> chmod 0770 /srv/samba/test

> I granted Domain Admins the SeDiskOperatorPrivilege on the test server then attempted to set the permissions from Windows using the WiKi page: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> I logged onto Windows 10 using a user who is a member of Domain Admins and was able to set permissions correctly using Computer Management on the [test] share, but not on the [users] share; to allow the permissions to be applied from Windows initially, I had to temporarily comment out the "acl_xattr:ignore system acls = yes" line and reload the smb config. Once set, I removed the comment (#) from that line.

> On the Users share I set:
> Domain Admins   Full Control            This folder only
> CREATOR OWNER   Full Control            Subfolders and files only
> SYSTEM  Full Control            This folder, subfolders and files
> Authenticated Users     Special*        This folder only

> * Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create folders/append data, Read permissions

> The folder looks like this as seen from Linux:
> root at m2test:~# ls -l /srv/samba
> total 16
> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 test
> drwxrwx---+ 2 root domain admins 4096 Mar 13 11:47 users
> root at m2test:~# getfacl /srv/samba/users
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/users
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> group::rwx
> group:NT\040Authority\\authenticated\040users:rwx
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:---
> default:mask::rwx
> default:other::---

> So, following the WiKi as closely as possible, I am able to set permissions using a Domain Admins account; not sure why your system is preventing you?

> Thanks for your invaluable help as always.

> Roy
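To make a getfacl listing like the one quoted above easier to read, here is an added Python example; it is not code from the Samba project or from anyone in this thread. It decodes getfacl's escaped names (\040 for a space, \\ for a backslash), applies the POSIX ACL mask to work out the effective rights of each named entry, and lists the principals that have an entry on the folder itself but whose default (inherited) entry grants nothing or is missing. The sample text is a constructed copy of Roy's listing, and the parser and function names are this example's own assumptions. Run on that sample, it reports Domain Admins and Authenticated Users as folder-only principals, which is consistent with the "This folder only" choices in the Windows settings Roy describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input, modelled on the getfacl listing quoted in the thread
# (not a live capture from any host).
SAMPLE_GETFACL = r"""getfacl: Removing leading '/' from absolute path names
# file: srv/samba/users
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\authenticated\040users:rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:---
default:mask::rwx
default:other::---
"""


@dataclass(frozen=True)
class AclEntry:
    default: bool    # True for "default:" entries, which new children inherit
    tag: str         # user, group, mask or other
    qualifier: str   # decoded name; empty for owner, owning group, mask, other
    perms: str       # three characters drawn from r, w, x and -


def unescape(name: str) -> str:
    # getfacl writes a space as the octal escape \040 and a backslash as \\.
    return re.sub(r"\\\\|\\([0-7]{3})",
                  lambda m: "\\" if m.group(1) is None else chr(int(m.group(1), 8)),
                  name)


def parse_getfacl(text: str) -> Tuple[Dict[str, str], List[AclEntry]]:
    """Return (header, entries) for one getfacl listing."""
    header: Dict[str, str] = {}
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue                                 # blank, or getfacl's stderr note
        if line.startswith("#"):                     # "# file:", "# owner:", "# group:"
            key, _, value = line[1:].partition(":")
            header[key.strip()] = unescape(value.strip())
            continue
        line = re.sub(r"\s+#effective:.*$", "", line)  # drop mask annotations
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)       # rsplit: names may contain ':'
        entries.append(AclEntry(default, tag, unescape(qualifier), perms))
    return header, entries


def effective(entry: AclEntry, mask: Optional[str]) -> str:
    """Apply the mask: it limits named users, the owning group and named groups only."""
    masked = entry.tag == "group" or (entry.tag == "user" and entry.qualifier != "")
    if not masked or mask is None:
        return entry.perms
    return "".join(p if p == m else "-" for p, m in zip(entry.perms, mask))


def principal_rights(entries: List[AclEntry], name: str) -> Dict[str, Optional[str]]:
    """Effective rights of a named principal on the directory ('access') and, via
    its default entry, on new children ('inherit'); None = no named entry there."""
    out: Dict[str, Optional[str]] = {"access": None, "inherit": None}
    for default in (False, True):
        scope = [e for e in entries if e.default == default]
        mask = next((e.perms for e in scope if e.tag == "mask"), None)
        hits = [effective(e, mask) for e in scope
                if e.tag in ("user", "group") and e.qualifier.lower() == name.lower()]
        if hits:  # a principal may appear as both a user and a group entry: union
            out["inherit" if default else "access"] = "".join(
                c if any(h[i] == c for h in hits) else "-" for i, c in enumerate("rwx"))
    return out


def folder_only(entries: List[AclEntry]) -> List[str]:
    """Named principals that can use this folder but whose default entry grants
    nothing or is missing: what Windows shows as 'This folder only'."""
    names = sorted({e.qualifier for e in entries if not e.default and e.qualifier})
    return [n for n in names
            if principal_rights(entries, n)["access"] not in (None, "---")
            and principal_rights(entries, n)["inherit"] in (None, "---")]


if __name__ == "__main__":
    hdr, acl = parse_getfacl(SAMPLE_GETFACL)
    print(f"{hdr['file']}: owner={hdr['owner']} group={hdr['group']}")
    for who in ("domain admins", "NT Authority\\authenticated users", "NT Authority\\system"):
        print(f"{who!r}: {principal_rights(acl, who)}")
    print("folder-only principals:", folder_only(acl))
```

To check a real share, pipe `getfacl /srv/samba/users` into `parse_getfacl` instead of the constructed sample; entries whose `inherit` value is `---` or `None` are the ones that will not carry over to folders created later, which is exactly the behaviour the Windows "Applies to" column controls.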
