[Samba] Remove all Windows ACLs from files/folders

Gregory Sloop gregs at sloop.net
Wed Mar 30 04:50:34 UTC 2022

Top posting...
I tweaked the POSIX perms to rwx.rwx.rwx before I saw this message (along with a few other things) and suddenly the Windows ACLs started applying properly.
And it was more than just simply allowing the user in - it was doing multiple things differently.
(But I wasn't as methodical about exactly what changed as I could have been, so I'm not sure it was the POSIX change that did it. I was setting up another test case and it was having the same general symptoms - Windows ACLs not being applied correctly.)
So, I have a few additional tests to run to verify that things are working as they should now.
Since I need to get the production server up and running, I'm just going to not look the gift horse in the mouth right now and take what's working.
Then, when I have a little more breathing room, I'll go back and set up some test cases again, on a test share and see if I can provoke the same behavior and tease out what was causing it.
So, I'll probably just start a new thread once I reach that point.
Thanks for the pointers everyone. I wish I knew what caused it to flip.

> On Tue, Mar 29, 2022 at 01:49:55PM -0700, Greg Sloop <gregs at sloop.net> wrote:

>> But, you just said that if I'm using "acl_xattr:ignore system acls = yes"
>> it ignores system/posix permissions, right?

> Samba is a Linux process. Unless it permanently runs as root
> (which you don't want) then it *can't* ignore system permissions.
> When impersonating the client uid/gid-list, that id token must
> be allowed file system permissions on the target directory/files.

>> (And that's what the docs appear to show - that it will force the directory
>> mask to 0777 and the create mask to 0666.)
>> https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html

> create mask = 0666
> directory mask = 0777

> are *masks* applied to the permissions. To force permissions
> to be set, you need:

> force create mode
> force directory mode

> To have Samba always create with directory = 0777,
> file = 0666 then use:

> force directory mode = 0777
> force create mode = 0666

>> But in any case, here's the output of getfacl.
>> getfacl: Removing leading '/' from absolute path names
>> # file: abc-zfs-01/ad-shared-folders/shared-files
>> # owner: root
>> # group: AD\\domain\040admins
>> # flags: -s-
>> user::rwx
>> group::rwx
>> other::r-x

>> r-x for "Other" should let the user "ad\gs" at least enter/view the
>> directory/share, right?
>> Which doesn't work.

> Yes, to chdir into a directory, r-x should be enough.

> If it isn't working, ensure it's accessible by doing:

> sudo -u "ad\gs" -g <group you expect> bash

> and then cd into abc-zfs-01/ad-shared-folders/shared-files.

> See if it works.

Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail: gregs at sloop.net
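The quoted reply draws the distinction that matters here: `create mask` / `directory mask` can only clear permission bits, while `force create mode` / `force directory mode` can only set them, and Samba applies the mask first and the force mode second. The following script is an added model of that combination (not code from the thread or from Samba itself); the scenarios and requested modes are constructed, and it deliberately leaves out other inputs to Samba's real mode calculation such as the DOS attribute mapping and `inherit permissions`. It also includes a small check for the r-x question above: whether the "other" class of a directory mode is enough to enter it.

```python
"""Model of how Samba combines create/directory masks with force modes."""
import stat

# Constructed scenarios (not taken from the thread): each entry is
# (label, requested POSIX mode, mask, force mode).
# The requested mode stands in for what Samba derives from the client's
# request before the smb.conf settings are applied (an assumption of
# this model; the real code path has more inputs).
SCENARIOS = [
    ("file, create mask = 0666, no force mode",   0o644, 0o666, 0o000),
    ("file, force create mode = 0666",            0o644, 0o666, 0o666),
    ("dir, directory mask = 0777, no force mode", 0o755, 0o777, 0o000),
    ("dir, force directory mode = 0777",          0o755, 0o777, 0o777),
    ("dir, restrictive mask strips group/other",  0o777, 0o700, 0o000),
]


def samba_unix_mode(requested: int, mask: int, force_mode: int) -> int:
    """Return the POSIX mode Samba would set for a new file or directory.

    smb.conf(5) documents the order: the mask is bitwise ANDed with the
    requested mode (so it can only remove bits), and the force mode is
    then bitwise ORed on top (so it can only add bits). A mask of 0777
    therefore never widens a 0755 directory; only a force mode does.
    """
    return (requested & mask) | force_mode


def other_can_traverse(mode: int) -> bool:
    """True when the 'other' class has r-x, i.e. a user who is neither the
    owner nor a member of the owning group can chdir into and list the
    directory. This is the POSIX check that the sudo test exercises."""
    return bool(mode & stat.S_IROTH) and bool(mode & stat.S_IXOTH)


def run_scenarios() -> dict:
    """Evaluate every scenario; returns {label: resulting mode}."""
    results = {}
    for label, requested, mask, force_mode in SCENARIOS:
        results[label] = samba_unix_mode(requested, mask, force_mode)
    return results


if __name__ == "__main__":
    for label, mode in run_scenarios().items():
        # stat.filemode prefixes a file-type character; drop it for display.
        print(f"{label:44s} -> {mode:04o} ({stat.filemode(mode)[1:]})")
    # A 0755 directory lets 'other' enter; 0750 does not.
    print("0755, other can enter:", other_can_traverse(0o755))
    print("0750, other can enter:", other_can_traverse(0o750))
```

The two "no force mode" scenarios are the point of the reply: with only the masks set, a 0644 file stays 0644 and a 0755 directory stays 0755, which is why a share that relies on `create mask = 0666` / `directory mask = 0777` alone does not end up world-writable, and why an unexpected POSIX mode can still block a user whose Windows ACL looks correct.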
