[Samba] Windows ACLs

Bailey Allison ballison at 45drives.com
Tue Oct 4 00:03:29 UTC 2022

>On 10/3/22 12:31, Rowland Penny via samba wrote:
> On 03/10/2022 20:17, Peter Carlson via samba wrote:
>> On 10/3/22 11:11, Rowland Penny via samba wrote:
>>> Remember what I said about 'acl_xattr:ignore system acls = yes', 
>>> well I think this could be the problem, a bit of a chicken and egg 
>>> problem. Until you set the permissions from Windows, it is likely 
>>> that there are no Windows permissions and because you have set the 
>>> above line, you cannot get permission to set them. So try removing 
>>> the 'acl_xattr:ignore system acls = yes' line and try again.
>>> Rowland
>> This did the trick to get permissions set on the share. It is set for 
>> Domain Admins and Domain Users as Full Control.   I can now connect 
>> to the server as a domain admin and domain user and create a folder 
>> and text file in each folder.  So that's awesome.  Couple of things I 
>> noted which are still outstanding:
>> 1.  new folders are created with Read only set, whether created by 
>> member of domain admin or domain user.  I would normally use 
>> directory mask and create mask to control this, but since this is all 
>> now controlled with windows ACLs, I'm not sure how to set a default 
>> mask (or the default group for that matter, peter is a member of 
>> Linux Admins, Domain Admins and Domain Users)
> Glad you got the permissions set, I will update the wiki.
> Without that line, you will now have three sets of permissions in play:
> A) the standard Linux ugo permissions that 'ls' can show
> B) the extended acls that 'getfacl' will show
> C) the permissions that you have set from Windows and are stored in an 
> EA
> Linux will use A & B, Windows will use C if set and if set (without 
> the 'acl_xattr' line), then the Windows permissions will effect the 
> extended acls, if not set, then A & B will be ignored. You can find 
> more about this in 'man vfs_acl_xattr'
> Rowland
>Beer Fund: 🍺 and growing, but honestly I have to admit this is pretty deep ... been using and admin'ing *nix since 1989 and I feel like I'm doing the doggy paddle here.
>So I  created a 2 new folders as admin and user. Windows sets a newly created folder as Read-Only, but both admins and users can write into both folders

Just out of curiosity where would you be seeing this read only? 

Just at looking at both the Linux permissions and your screenshot of the Windows ACLs it appears there isn't anything set to read only besides the Creator Group option, as every other user or group is set to Full Control through the entire share which makes sense as that's what you're describing it's working as, I am just not certain where it appears to be set as read only.

Apologies if I've missed it earlier but are you able to give a quick description of how exactly you are looking to have the permissions setup on the share?

I would say that once you've got the Windows ACLs setup/configured, there is also not too much value in checking the permissions on the Linux side, and especially modifying them on the Linux side. You will pretty much be living within the Security Tab on Windows to configure permissions (The one in the screenshot you've provided). The good thing in all of this is, you've pretty much gotten over the hurdle of getting the Windows ACLs setup and configured properly!

>after reading that man page and looking at the defaults (directory mask 0777), I see that
>a) ls shows 777
 >        drwxrwxrwx+ 2 SDCP\peter  SDCP\domain admins 4096 Oct  3 19:41
>b)  getfacl shows the domain groups with rwx (except default group which I'm confused about):
>        root at filesvr2:/data# getfacl test/*
>         # file: test/test3
>         # owner: SDCP\\office
>         # group: SDCP\\domain\040users
>         user::rwx
>         user:root:rwx
>         user:SDCP\\domain\040users:rwx
>         user:SDCP\\linux\040admins:rwx
>         group::rwx
>         group:SDCP\\domain\040users:rwx
>         group:SDCP\\office:rwx
>         group:SDCP\\linux\040admins:rwx
>         mask::rwx
>         other::rwx
>         default:user::rwx
>         default:user:root:rwx
>         default:user:SDCP\\domain\040users:rwx
>         default:user:SDCP\\office:rwx
>         default:user:SDCP\\linux\040admins:rwx
>         default:group::r-x
>         default:group:SDCP\\domain\040users:rwx
>         default:group:SDCP\\linux\040admins:rwx
>         default:mask::rwx
>         default:other::rwx
>c) DOSATTRIB is getting set, but not sure if there is a friendly way to show it
>         root at filesvr2:/data# getfattr -n user.DOSATTRIB -d test/*
>         # file: test/test3
>Windows GUI only shows Domain Users once (https://snipboard.io/aliKP2.jpg), but Get-Acl lists domain users twice, once with ReadAndExecute and another with FullControl

This is possibly because domain users could have permissions from being set as Full Control, as well as creator group being set with Read and Execute. Creator Group uses the primary group of the user which is typically set to Domain Users within a Windows setup. In this case you then are getting Domain Users as Full Control, as well as Domain Users getting Read and Execute from Creator Group.

>     PS C:\Users\peter.SDCP> Get-Acl \\filesvr2\Test\user | Format-Table -Wrap
>        Directory: \\filesvr2\Test
>Path Owner Access
>---- ----- ------
>user SDCP\office Unix User\root Allow  FullControl SDCP\office Allow  FullControl CREATOR OWNER Allow  FullControl SDCP\Domain Users Allow  ReadAndExecute, Synchronize CREATOR GROUP Allow  ReadAndExecute, Synchronize Everyone Allow  FullControl SDCP\Linux Admins Allow  FullControl SDCP\Domain >Users Allow  FullControl

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list