[Samba] Remove all Windows ACL's from files/folders

Jeremy Allison jra at samba.org
Tue Mar 29 20:39:27 UTC 2022

On Tue, Mar 29, 2022 at 10:40:43AM -0700, Greg Sloop <gregs--- via samba wrote:
>So, check the Samba logs.

The Samba logs are the source of truth, always.

>2022/03/29 10:23:54.736440,  0]
>  chdir_current_service:
>vfs_ChDir(/abc-zfs-01/ad-shared-folders/shared-files) failed: Permission
>denied. Current token: uid=11608, gid=10513, 7 groups: 11608 10513 11129
>3003 3004 3006 3001
># wbinfo -i "ad\gs"
>So the UID in the Samba log matches the user I expect.
>That's good.
>At least the user attempting access matches the user I've set permissions
>Incidentally, the group matches too;
>wbinfo -i "ad\domain users"
>AD\domain users:*:10513:10513::/home/AD/domain users:/bin/false
>So, now lets see what Samba thinks the permissions are on that
>getfattr -n security.NTACL /abc-zfs-01/ad-shared-folders/shared-files/
>samba-tool ntacl get /abc-zfs-01/ad-shared-folders/shared-files/ --as-sddl

Neither of these gets the *actual* permissions on the
folder. Remember, Samba is an ordinary program and
when operating under a given uid/gid-list in order
to vfs_ChDir() into a folder, the system permissions
on that folder must allow the uid/gid-list access.

You're only looking and reporting the Samba stored
permissions here.

What does

getfacl /abc-zfs-01/ad-shared-folders/shared-files

show ?

If you decouple the Samba stored permissions from
the system permissions, then you need to ensure
that the system permissions allow access from the
given uid/gid-list. Easiest way to do that is to
force all folders to be 0777, all files to be 0666.

This is safe if you're only accessing via smbd.

More information about the samba mailing list