[Samba] Remove all Windows ACL's from files/folders

Gregory Sloop gregs at sloop.net
Tue Mar 29 04:49:52 UTC 2022

>> On Mon, Mar 28, 2022 at 09:36:16AM -0700, Gregory Sloop via samba wrote:

>>>> On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:

>>>>> On 3/25/22 17:39, Jeremy Allison wrote:

>>>>>>>> system.NTACL is the extended attribute smbd uses to
>>>>>>>> store the Windows ACL in ndr format.

>>>>>>> I figured this much, but am unsure about the syntax for doing this >>>-- could you provide an example, please?

>>>>>> The syntax for doing what ? smbd stores these values internally.
>>>>>> I think samba-tool can show them.

>>>>> I'm wondering if you mean security.NTACL, as described here:
>>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End
>>>>> as in:
>>>>>  # getfattr -n security.NTACL -d /srv/samba/Demo/
>>>>> samba-tool does allow you to manage this:
>>>>>  # samba-tool ntacl set acl file [options]
>>>>> but I can't find any examples of how this is used in either the Wiki, >the man page, or the built in help. For example, what are the >[options]? Does this work on directories too? Etc..

>>>> Yes dammit :-). I keep mixing up the confusing namespaces
>>>> on Linux, sorry :-).
>>>> It's used as a "pristine" store of the ACL the client sent.
>>>> If the underlying native (usually POSIX) ACL is changed outside
>>>> of smbd then it is removed as it no longer represents reality.

>>> That's new information I didn't know.
>>> So, simply doing a chmod/chown in Linux would be enough to fully reset/remove all Samba (Windows set) ACL's on a file or directory, right?

>> Yes. We store a hash of the existing mapping from

>>> POSIX ACL i.e. perms also. If you

>> change the POSIX ACL or perms outside of smbd the
>> hash no longer matches so we can't trust it.
> Hmmm...
> I've done this (set posix perms) and the Samba permissions don't get reset.
> (And seemingly some odd stuff on top of this, so I'll try to cover what I've found, though some of the odd behavior is making testing and nailing down exactly which change provokes what behavior has been quite difficult.)
> For example.
> I've got a share...
> "Shared-files"
> Here's the smb.conf def for that share.
> [shared-files]
> comment = shared-files
> path = /abc-zfs-01/ad-shared-folders/shared-files/
> browseable = yes
> writable = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> acl_xattr:ignore system acls = yes
> ---
> I "prep" that shared directory like this:
> ---
> cd /abc-zfs-01/ad-shared-folders/shared-files/
> setfacl --recursive --remove-all  ./
> chown -R root:"AD\Domain Admins" ./
> chmod -R 2775 ./
> ---
> 1) First oddity. If I have "acl_xattr:ignore system acls = yes" removed/commented out then I can't set ANY permissions on that share (from Windows), even logged in as administrator. 
> [R Penney noted something that seemed similar, but it seemed the problem he was talking about was trying to set permissions with someone who was just "Domain Admins" equivalent, but that it worked as Administrator itself. This isn't consistent with what I'm finding. In this case, even Administrator can't do it.]
> If I put it back in (acl_xattr:ignore system acls = yes), then I can edit the default permissions. (again from Windows)
> This really seems like a bug. But I don't know.
> ---
> So, I then wanted to test things again, to see if I'd really done things the way I thought.
> So, I try to "reset" the Windows ACL's by...
> ---
> cd /abc-zfs-01/ad-shared-folders/shared-files/
> setfacl --recursive --remove-all  ./
> chown -R root:"AD\Domain Admins" ./
> chmod -R 2775 ./
> ---
> Then open the Windows file explorer again, and look at the permissions in the "advanced" tab.
> 2) Second oddity; they're set the way I left them last. (Not with the normal default set of permissions*)
> Try a smbd reload, still the same.
> Perhaps there's some Windows client side permissions cache - so logout of Windows and log back in. (And even a reboot.)
> Still the same.
> I guess I'm not more confused or lost than I was before. But since I was completely lost before, I don't consider this a win. :)
> I hope that someone has some suggestions - because none of this works the way I thought I knew and how I've done it before.
> ---
> * - The "default" permissions (when set with the setfacl/chown/chmod like above) appear to be;
> root: full control / this folder only
> domain admins: full control / this folder only
> everyone: read.execute / this and sub folders/files
> creator owner: full control / subfolders,files only
> creator group: read.execute / subfolders,files only
> I should note some basic info.
> Samba 4.15.5, IIRC.
> On Ubuntu 20.04.
> Kerberos and DNS work fine.
> The station I'm making permissions changes from is a domain joined PC, running Windows 10, and logged in as administrator on the domain.

Replying to myself, to update a few additional things I've tried.

I wondered if there were additional interactions or permutations I didn't understand from the setting
acl_xattr:ignore system acls = yes

If I turn off/comment-out that setting, and reload configs (smbcontrol all reload-config or service smbd restart), the "default*" ACL's show up.

*default; as seen in Windows file explorer, security/advanced tab.
root: full control / this folder only
domain admins: full control / this folder only
everyone: read.execute / this and sub folders/files
creator owner: full control / subfolders,files only
creator group: read.execute / subfolders,files only

But if I put it back in, the "old" ACL settings return.

The same happens if I turn it off "ignore system acls" then reset the posix perms, like so;

cd /abc-zfs-01/ad-shared-folders/shared-files/
setfacl --recursive --remove-all  ./
chown -R root:"AD\Domain Admins" ./
chmod -R 2775 ./

Then turn it back on and reload configs again. (The previously set Windows ACL's are back again, not the "default".)

So, either I think I'm doing something horribly wrong, or setting POSIX perms doesn't reset the Windows ACL's.

Perhaps I'll think of some other knob to turn, or switch to flip, but I think I'm really out of ideas now.

Any assistance would be REALLY helpful, because I'm not at all sure I know a really deterministic way to set permissions that I actually understand how it works and can predict with some reasonable certainty how it will work out.

More information about the samba mailing list