[Samba] Remove all Windows ACL's from files/folders

Tue Mar 29 20:49:55 UTC 2022

But, you just said that if I'm using "acl_xattr:ignore system acls = yes"
it ignores system/posix permissions, right?

(And that's what the docs appear to show - that it will force the directory
mask to 0777 and the create mask to 0666.)
https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html

But in any case, here's the output of getfacl.
getfacl: Removing leading '/' from absolute path names
# file: abc-zfs-01/ad-shared-folders/shared-files
# owner: root
# group: AD\\domain\040admins
# flags: -s-
user::rwx
group::rwx
other::r-x

r-x for "Other" should let the user "ad\gs" at least enter/view the
directory/share, right?
Which doesn't work.

On Tue, Mar 29, 2022 at 1:40 PM Jeremy Allison <jra at samba.org> wrote:

> On Tue, Mar 29, 2022 at 10:40:43AM -0700, Greg Sloop <gregs--- via samba
> wrote:
> >
> >So, check the Samba logs.
>
> The Samba logs are the source of truth, always.
>
> >2022/03/29 10:23:54.736440,  0]
> >../../source3/smbd/service.c:168(chdir_current_service)
> >  chdir_current_service:
> >vfs_ChDir(/abc-zfs-01/ad-shared-folders/shared-files) failed: Permission
> >denied. Current token: uid=11608, gid=10513, 7 groups: 11608 10513 11129
> >3003 3004 3006 3001
> >---
> ># wbinfo -i "ad\gs"
> >AD\gs:*:11608:10513:gs:/home/AD/gs:/bin/false
> >---
> >
> >So the UID in the Samba log matches the user I expect.
> >That's good.
> >At least the user attempting access matches the user I've set permissions
> >for,
> >
> >---
> >Incidentally, the group matches too;
> >wbinfo -i "ad\domain users"
> >AD\domain users:*:10513:10513::/home/AD/domain users:/bin/false
> >---
> >
> >So, now lets see what Samba thinks the permissions are on that
> >share/directory.
> >
> >---
> >getfattr -n security.NTACL /abc-zfs-01/ad-shared-folders/shared-files/
> >samba-tool ntacl get /abc-zfs-01/ad-shared-folders/shared-files/ --as-sddl
>
> Neither of these gets the *actual* permissions on the
> folder. Remember, Samba is an ordinary program and
> when operating under a given uid/gid-list in order
> to vfs_ChDir() into a folder, the system permissions
> on that folder must allow the uid/gid-list access.
>
> You're only looking and reporting the Samba stored
> permissions here.
>
> What does
>
> getfacl /abc-zfs-01/ad-shared-folders/shared-files
>
> show ?
>
> If you decouple the Samba stored permissions from
> the system permissions, then you need to ensure
> that the system permissions allow access from the
> given uid/gid-list. Easiest way to do that is to
> force all folders to be 0777, all files to be 0666.
>
> This is safe if you're only accessing via smbd.
>