[Samba] Remove all Windows ACL's from files/folders
Patrick Goetz
pgoetz at math.utexas.edu
Mon Mar 28 20:36:52 UTC 2022
On 3/28/22 11:43, Jeremy Allison via samba wrote:
>>
>>> It's used as a "pristine" store of the ACL the client sent.
>>> If the underlying native (usually POSIX) ACL is changed outside
>>> of smbd then it is removed as it no longer represents reality.
>>
>> That's new information I didn't know.
>> So, simply doing a chmod/chown in Linux would be enough to fully
>> reset/remove all Samba (Windows set) ACL's on a file or directory, right?
>
> Yes. We store a hash of the existing mapping from
> Windows ACL -> POSIX ACL i.e. perms also. If you
> change the POSIX ACL or perms outside of smbd the
> hash no longer matches so we can't trust it.
>
I take it that recomputing the hash on filesystem objects when accessed
would create too great of a performance hit?

What might be useful is a command to explicitly reset Windows ACLs based
on the configured POSIX ACLs. The other direction is already handled by
smbd.

I'm in the process of transferring a research lab from an old Samba-3
based VM to a bare metal server running Samba 4. Previously with Samba 3
Linux and Windows permissions were tightly coupled and they have been
using local users and groups for everything. I'm trying to switch them
over to Active Directory users and AD security groups.

This means mapping

local users --> AD users
local groups --> Security groups

for every file and directory on the server. They have lots of users and
groups and quite a bit of data, 60TB. Trying to reset permissions from
the Windows GUI would be basically impossible.

So my plan is to transfer the data to the new server and then run a
script that recurses through the filesystem, changing user and group
ownership. I think the basic unix permissions are respected (sort of),
but this means I can't attempt to use POSIX ACLs to simplify their
permissions setup, because these won't be recognized on Windows, where
they do a lot of their work. Having a command to set Windows ACLs from
POSIX ACLs would be handy in this case.
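
The ownership-remapping pass described in the message, sketched as an added example (not code from the thread or from Samba): it walks the tree without following symlinks, maps numeric local UIDs/GIDs to new ones, and reports IDs that have no mapping. The function name, the ID tables and the default dry-run mode are assumptions made for illustration.

```python
import os
import tempfile

def remap_tree(root, uid_map, gid_map, dry_run=True):
    """Remap numeric owners under root; return (changes, unmapped).

    changes:  (path, old_uid, old_gid, new_uid, new_gid) per affected path
    unmapped: ("uid"|"gid", id) pairs found on disk but missing from the maps
    """
    changes, unmapped = [], set()

    def visit(path):
        st = os.lstat(path)  # inspect the link itself, never its target
        if st.st_uid not in uid_map:
            unmapped.add(("uid", st.st_uid))
        if st.st_gid not in gid_map:
            unmapped.add(("gid", st.st_gid))
        uid = uid_map.get(st.st_uid, st.st_uid)
        gid = gid_map.get(st.st_gid, st.st_gid)
        if (uid, gid) != (st.st_uid, st.st_gid):
            changes.append((path, st.st_uid, st.st_gid, uid, gid))
            if not dry_run:
                os.lchown(path, uid, gid)  # needs root; does not follow symlinks

    visit(root)
    # os.walk does not descend into symlinked directories by default
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            visit(os.path.join(dirpath, name))
    return changes, unmapped

if __name__ == "__main__":
    # Constructed sample tree; the target IDs are made-up stand-ins for the
    # numeric IDs the AD users and security groups resolve to on the server.
    with tempfile.TemporaryDirectory() as top:
        os.mkdir(os.path.join(top, "lab"))
        open(os.path.join(top, "lab", "results.dat"), "w").close()
        os.symlink("/etc", os.path.join(top, "escape"))
        me = os.lstat(top)
        changes, unmapped = remap_tree(top, {me.st_uid: 1100500}, {me.st_gid: 1100513})
        for path, ou, og, nu, ng in changes:
            print(f"{path}: {ou}:{og} -> {nu}:{ng}")
        print("unmapped:", sorted(unmapped))
```

Per the quoted reply, a change made outside smbd means the stored hash no longer matches, so the stored Windows ACL on every path this touches should be expected to be discarded.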