[Samba] Setting permissions on AD member file server
pgoetz at math.utexas.edu
Tue Mar 15 15:30:25 UTC 2022
On 3/15/22 10:01, L.P.H. van Belle via samba wrote:
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Patrick Goetz via samba
>> Verzonden: dinsdag 15 maart 2022 14:58
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Setting permissions on AD member file server
>> On 3/14/22 17:41, Gregory Sloop via samba wrote:
>>> I've had a little time to tinker and one thing I've found.
>>> Unless I have [acl_xattr:ignore system acls = yes] set, I
>> can't edit permissions at all.
>>> (I set it globally, though a share level setting would
>> probably work on a per-share basis.)
>> There must be another issue here. I have:
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
> You can remove : store dos attributes = yes
> The default has changed to yes in Samba release 4.9.0 and above
>> set in smb.conf and most certainly can edit permissions from Windows,
>> although this has also failed in some cases for reasons I
>> haven't been
>> able to pinpoint (but am guessing is related to the long path issue).
> You can try to set:
> Local Computer Policy > Computer Configuration > Administrative Templates > System > Filesystem.
> Double click and Enable NTFS long paths.
Yes, I did this for all Windows workstations using a domain Group Policy
and it didn't change anything.
>>> This seems to be a quasi-sideeffect of that setting - in
>> short that setting overwrites/resets the posix permissions.
>> (Provided I understand discussions I've seen about it.)
>>> In this case the share will only be used by Windows users
>> via CIFS/Samba - so this may well "work" just fine and as a
>> happy side-effect, make the problem vanish.
>>> But I'd guess it's not really the "correct" fix.
>>> To that end, what would be the best way to reset the
>> permissions on the directories/files properly, removing all
>> the Samba ACL's etc? Once they are set as a baseline in POSIX
>> then we can tinker with Samba ACL's with the Windows
>> permissions again. (And remove acl_xattr:ignore system acls = yes)
> I do this like this.
> setfacl --recursive --remove-all folder
> chmod -R o-rwx folder
> chown -R root:root folder
> chmod -R 775 folder
> And start again, how its back to normal.
So that resets the UNIX/POSIX ACLs; how do you reset all the Windows ACLs?
>> Adding on to this, I would like to completely reset all the Windows
>> permissions, since the filesystem permissions look good, but
>> permissions on some folders fails from Windows. If Windows 10 File
>> Explorer does not support long paths, then how would someone
>> use this to
>> reset permissions on deeply nested folders anyway? I've
>> determined that
>> at after a certain path length the security tab disappears from
>> Properties completely!
> Interessing, i havent seen that.. I do have seen a bug that make security tab go away..
> But thats long ago fixed.
Create a really long path (> 256 characters) and then see if you see the
same thing; i.e. when listing Properties on a file or folder under this
path, is there a Security tab?
More information about the samba