[Samba] Setting permissions on AD member file server
L.P.H. van Belle
belle at bazuin.nl
Tue Mar 15 15:51:57 UTC 2022
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Patrick Goetz via samba
> Sent: Tuesday 15 March 2022 16:30
> To: samba at lists.samba.org
...
> >
> > You can try to set:
> > Local Computer Policy > Computer Configuration > Administrative Templates > System > Filesystem.
> > Double click and Enable NTFS long paths.
> >
>
> Yes, I did this for all Windows workstations using a domain
> Group Policy and it didn't change anything.
It was worth a try to post it. ;-)
>
>
> >
> >>
> >>
> >>
> >>>
> >>> This seems to be a quasi-side-effect of that setting - in
> >> short that setting overwrites/resets the posix permissions.
> >> (Provided I understand discussions I've seen about it.)
> >>>
> >>> In this case the share will only be used by Windows users
> >> via CIFS/Samba - so this may well "work" just fine and as a
> >> happy side-effect, make the problem vanish.
> >>> But I'd guess it's not really the "correct" fix.
> >>>
> >>> To that end, what would be the best way to reset the
> >> permissions on the directories/files properly, removing all
> >> the Samba ACL's etc? Once they are set as a baseline in POSIX
> >> then we can tinker with Samba ACL's with the Windows
> >> permissions again. (And remove acl_xattr:ignore system acls = yes)
> >
> > I do this like this.
> > setfacl --recursive --remove-all folder
> > chmod -R o-rwx folder
> > chown -R root:root folder
> > chmod -R 775 folder
> >
> > And start again, now it's back to normal.
> >
>
> So that resets the UNIX/POSIX ACLs; how do you reset all the
> Windows ACLs?
That also reset the Windows ACLs for me.
Hm, only I use this with a backend AD on members.
I'm not 100% sure here, so careful. But maybe (* did a quick google on it.)
So all honestly stolen from internet.
xattr -d security.NTACL file
So before you run it ;-)
Back up the ACLs.
NTACLS=$(samba-tool ntacl get /srv/samba/shares/path/to/file/to/copy/ntacls/from --as-sddl)
samba-tool ntacl set "$NTACLS" /home/samba/shares/path/to/file/to/overwrite/ntacls
Personally I have all my base folders' ACLs backed up to file.
The path /srv /srv/samba /srv/samba/companydata and all the first level subfolders in company data.
Just handy to have .. Just in case..
For some that might not work, don't ask why, I don't know.
# Capture the NTACL attribute from the good file or directory
ACL=$(getfattr -e base64 -n security.NTACL /path/to/good/file_or_directory)
# Strip off the headers so that the ACL variable only holds the base64 value
ACL=${ACL#*=}
# Set security.NTACL on the bad file or directory
setfattr -n security.NTACL -v "$ACL" /path/to/bad/file_or_directory
Or
cd /root/of/bad/tree
# Use steps above to set DIRACL and FILEACL from good directory and good file
find . -type d -exec setfattr -n security.NTACL -v "$DIRACL" "{}" \;
find . -type f -exec setfattr -n security.NTACL -v "$FILEACL" "{}" \;
>
>
>
> >
> >>
> >> Adding on to this, I would like to completely reset all the Windows
> >> permissions, since the filesystem permissions look good, but resetting
> >> permissions on some folders fails from Windows. If Windows 10 File
> >> Explorer does not support long paths, then how would someone use this to
> >> reset permissions on deeply nested folders anyway? I've determined that
> >> after a certain path length the security tab disappears from
> >> Properties completely!
> > Interesting, I haven't seen that.. I have seen a bug that makes the
> > security tab go away..
> > But that's long ago fixed.
> >
>
> Create a really long path (> 256 characters) and then see if
> you see the same thing; i.e. when listing Properties on a file or folder
> under this path, is there a Security tab?
From the "share point" or from the root of disk?
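
Added example, not part of the original message: the getfattr/setfattr steps above wrapped as shell functions that back up the tree's security.NTACL values first and refuse to write anything if a reference ACL cannot be read. The function names and the paths in the comments are placeholders chosen for this example; the getfattr, setfattr and find options used are the standard ones.

```bash
#!/bin/sh
# Added example, not from the original post. All paths are placeholders.

# Read "getfattr -n security.NTACL" output on stdin, print only the value.
# Matching the attribute line skips the "# file:" header, so a path that
# contains "=" cannot end up in the value, as it would with ${ACL#*=}.
ntacl_value() {
    sed -n 's/^security\.NTACL=//p' | head -n 1
}

# ntacl_read PATH: print PATH's NTACL (base64, 0s prefix); fail if it has none.
ntacl_read() {
    _v=$(getfattr --absolute-names -e base64 -n security.NTACL -- "$1" \
            2>/dev/null | ntacl_value)
    [ -n "$_v" ] || { echo "no security.NTACL on $1" >&2; return 1; }
    printf '%s\n' "$_v"
}

# ntacl_backup TREE FILE: dump every security.NTACL under TREE into FILE,
# in the format that "setfattr --restore=FILE" reads back.
ntacl_backup() {
    getfattr -R --absolute-names -d -m '^security\.NTACL$' -e base64 \
        -- "$1" > "$2"
}

# ntacl_apply_tree GOOD_DIR GOOD_FILE TREE: give every directory under TREE
# the ACL of GOOD_DIR and every file the ACL of GOOD_FILE. Nothing is written
# unless both reference ACLs could be read.
ntacl_apply_tree() {
    _dacl=$(ntacl_read "$1") || return 1
    _facl=$(ntacl_read "$2") || return 1
    find "$3" -type d -exec setfattr -n security.NTACL -v "$_dacl" -- {} + &&
    find "$3" -type f -exec setfattr -n security.NTACL -v "$_facl" -- {} +
}

# Typical order (as root on the file server):
#   ntacl_backup /srv/samba/companydata /root/companydata.ntacl
#   ntacl_apply_tree /path/to/good/dir /path/to/good/file /root/of/bad/tree
#   setfattr --restore=/root/companydata.ntacl     # roll back if needed
```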