[Samba] Setting permissions on AD member file server

Patrick Goetz pgoetz at math.utexas.edu
Tue Mar 15 16:10:19 UTC 2022


Re: Windows ACLs:  Thanks!  This is exactly the information I was 
looking for.  See bottom for long path thing.

On 3/15/22 10:51, L.P.H. van Belle via samba wrote:
>   
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Patrick Goetz via samba
>> Sent: Tuesday 15 March 2022 16:30
>> To: samba at lists.samba.org
> ...
>>>
>>> You can try to set:
>>> Local Computer Policy > Computer Configuration >
>> Administrative Templates > System > Filesystem.
>>> Double click and Enable NTFS long paths.
>>>
>>
>> Yes, I did this for all Windows workstations using a domain
>> Group Policy and it didn't change anything.
> 
> It was worth a try to post it.  ;-)
> 
>>
>>
>>>
>>>>
>>>>
>>>>
>>>>>     
>>>>> This seems to be a quasi-side-effect of that setting - in
>>>> short that setting overwrites/resets the posix permissions.
>>>> (Provided I understand discussions I've seen about it.)
>>>>>     
>>>>> In this case the share will only be used by Windows users
>>>> via CIFS/Samba - so this may well "work" just fine and as a
>>>> happy side-effect, make the problem vanish.
>>>>> But I'd guess it's not really the "correct" fix.
>>>>>     
>>>>> To that end, what would be the best way to reset the
>>>> permissions on the directories/files properly, removing all
>>>> the Samba ACL's etc? Once they are set as a baseline in POSIX
>>>> then we can tinker with Samba ACL's with the Windows
>>>> permissions again. (And remove acl_xattr:ignore system acls = yes)
>>>
>>> I do this like this.
>>> setfacl --recursive --remove-all  folder
>>> chmod -R o-rwx folder
>>> chown -R root:root folder
>>> chmod -R 775 folder
>>>
>>> And start again, now it's back to normal.
>>>
>>
>> So that resets the UNIX/POSIX ACLs; how do you reset all the
>> Windows ACLs?
> 
> That also reset the Windows ACLs for me.
> Hm, only I use this with a backend AD on members.
> 
> I'm not 100% sure here so careful. But maybe (* did a quick Google on it.)
> So all honestly stolen from internet.
> 
> 
> xattr -d security.NTACL file
> 
> So before you run it ;-)
> 
> Back up the ACLs.
> NTACLS=$(samba-tool ntacl get /srv/samba/shares/path/to/file/to/copy/ntacls/from --as-sddl)
> samba-tool ntacl set "$NTACLS" /home/samba/shares/path/to/file/to/overwrite/ntacls
> 
> Personally I have all my base folders' ACLs backed up to file.
> The path /srv /srv/samba /srv/samba/companydata and all the first level subfolders in company data.
> Just handy to have .. Just in case..
> 
> 
> For some that might not work, don't ask why, I don't know.
> # Capture the NTACL attribute from the good file or directory
> ACL=$(getfattr -e base64 -n security.NTACL /path/to/good/file_or_directory)
> # Strip off the headers so that the ACL variable only holds the base64 value
> ACL=${ACL#*=}
> # Set security.NTACL on the bad file or directory
> setfattr -n security.NTACL -v "$ACL" /path/to/bad/file_or_directory
> 
> Or
> cd /root/of/bad/tree
> # Use steps above to set DIRACL and FILEACL from good directory and good file
> find . -type d -exec setfattr -n security.NTACL -v "$DIRACL" "{}" \;
> find . -type f -exec setfattr -n security.NTACL -v "$FILEACL" "{}" \;
> 
> 
> 
>>
>>
>>
>>>
>>>>
>>>> Adding on to this, I would like to completely reset all the Windows
>>>> permissions, since the filesystem permissions look good, but
>>>> resetting
>>>> permissions on some folders fails from Windows.  If Windows 10 File
>>>> Explorer does not support long paths, then how would someone
>>>> use this to
>>>> reset permissions on deeply nested folders anyway?  I've
>>>> determined that
>>>> after a certain path length the security tab disappears from
>>>> Properties completely!
>>> Interesting, I haven't seen that. I have seen a bug that
>> makes the security tab go away.
>>> But that's long ago fixed.
>>>
>>
>> Create a really long path (> 256 characters) and then see if
>> you see the same thing; i.e. when listing Properties on a file or folder
>> under this  path, is there a Security tab?
> 
> From the "share point" or from the root of disk?
> 
> 

Hmm, good question.  I've been measuring this from the root of the disk 
point of view, but my paths are pretty short:

    /data/archives_staging   <--- That's the root of the share

so it probably doesn't matter in my case.  However, I'm guessing Windows 
only knows the path length from the Share point of view, so use that as 
the length metric.
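
The share-root measurement discussed at the end of this message, as an added example that is not part of the original post: a shell function that lists every entry under a share whose path, counted from the share root, exceeds a limit. The function name, the optional client prefix argument and the sorting are assumptions; the default of 256 is the figure used in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Lists entries under a Samba share whose
# path, measured from the share root (the "share point" view), is longer than
# a limit, so the affected folders can be found from the server side.
#
# long_share_paths SHARE_ROOT [LIMIT] [CLIENT_PREFIX]
#   SHARE_ROOT     directory the share exports, e.g. /data/archives_staging
#   LIMIT          threshold; defaults to 256, the figure used in the thread
#   CLIENT_PREFIX  optional text the client puts in front of the relative
#                  path, e.g. 'Z:' for a mapped drive (hypothetical value)
# Output: "<length><TAB><path relative to share root>", longest first.
# Caveats: names containing newlines are not handled, and awk's length() may
# count bytes rather than characters, so non-ASCII names can be over-counted.
long_share_paths() {
    lsp_root=${1%/}
    lsp_limit=${2:-256}
    lsp_prefix=${3:-}
    find "$lsp_root/" -mindepth 1 -print |
    LSP_ROOT="$lsp_root/" awk -v limit="$lsp_limit" -v plen="${#lsp_prefix}" '
        BEGIN { skip = length(ENVIRON["LSP_ROOT"]) }
        {
            rel = substr($0, skip + 1)      # drop the server-side share root
            n = length(rel)
            if (plen > 0) n += plen + 1     # client prefix plus one separator
            if (n > limit) printf "%d\t%s\n", n, rel
        }' |
    sort -rn
}
```

Run it as `long_share_paths /data/archives_staging` on the file server; the entries it prints are the ones to check for a missing Security tab on the Windows side.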




