[Samba] Windows ACLs

Rowland Penny rpenny at samba.org
Fri Sep 23 14:01:57 UTC 2022

On 23/09/2022 02:26, Sonic via samba wrote:
> On Thu, Sep 22, 2022 at 7:01 PM Bailey Allison <ballison at 45drives.com> wrote:
>> When mapping the share in Windows and checking the properties of the share,
>> does your Domain Admins account appear within the permissions list? If so,
>> does it list it as being Full Control or Read and Execute?
> The Domain Admins account appears in the list but it has no ACL rights
> as shown on the security tab. None of the listed accounts has any
> rights (Everyone, root, CREATOR OWNER, CREATOR GROUP, Domain Admins).
> All accounts do show a checkmark of Allow for Special Permissions.
> All attempts to edit the rights return "Access is denied".
> The above is the same regardless of the owner of the shared directory
> or whether or not the line acl_xattr:ignore system acls = true is in
> the share.
> Reading through the smb.conf man page I ran across this:
> ==========================
>         map acl inherit (S)
>             This boolean parameter controls whether smbd(8) will attempt
>             to map the 'inherit' and 'protected' access control entry
>             flags stored in Windows ACLs into an extended attribute called
>             user.SAMBA_PAI (POSIX ACL Inheritance). This parameter requires
>             support for extended attributes on the filesystem and allows
>             the Windows ACL editor to store inheritance information while
>             NT ACLs are mapped best-effort to the POSIX ACLs.
> ==========================
> Should there be an actual file with this name? I cannot find any
> file named user.SAMBA_PAI (even replacing 'user' with a wildcard).
> Chris

OK, I have set up a new Unix domain member using the 'rid' idmap 
backend. I added a couple of shares, one with 'acl_xattr:ignore system 
acls = yes', the other without. I followed the wiki and everything 
worked as expected. The share without the 'acl_xattr' line shows the 
permissions set from Windows (when viewed with getfacl), the other doesn't.

Now that we know it still works (if set up correctly), we need to 
find out the differences between your computer and mine.
So, can you go here:

Download the script and post the output here.
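The two share setups Rowland describes, and Chris's question about user.SAMBA_PAI, as an added example that is not part of this thread: a small POSIX shell script (the smb.conf excerpt is constructed here to mirror the two shares; getfacl and getfattr from the acl and attr packages are assumed to be installed when a real path is inspected) that reads which share has 'acl_xattr:ignore system acls' set and lists the POSIX ACL plus the Samba extended attributes on a directory. Both user.SAMBA_PAI (written by 'map acl inherit') and security.NTACL (written by vfs acl_xattr) are extended attributes on the directory itself, not files inside it, which is why no such file turns up.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# Assumptions: the smb.conf excerpt below is constructed; getfacl/getfattr
# are only needed when a real path is passed on the command line.

# Constructed smb.conf excerpt: one share ignoring system ACLs, one not.
SAMPLE_SMB_CONF='[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config SAMDOM : backend = rid
   vfs objects = acl_xattr
   map acl inherit = yes

[share_ignore]
   path = /srv/samba/share_ignore
   read only = no
   acl_xattr:ignore system acls = yes

[share_posix]
   path = /srv/samba/share_posix
   read only = no
'

# share_setting CONF SHARE KEY: print the value of KEY inside [SHARE],
# or nothing if the key is not set in that section.
share_setting() {
    printf '%s\n' "$1" | awk -v share="$2" -v key="$3" '
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
            insec = (sec == share); next
        }
        insec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# acl_storage CONF SHARE: classify where the Windows ACL lives for a share.
#   xattr-only  : ignore system acls = yes, so the NT ACL is kept only in
#                 the security.NTACL xattr; getfacl shows nothing useful
#   posix+xattr : the NT ACL is mapped best-effort onto POSIX ACLs (visible
#                 with getfacl) and also stored in security.NTACL
acl_storage() {
    v=$(share_setting "$1" "$2" "acl_xattr:ignore system acls")
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo "xattr-only" ;;
        *)          echo "posix+xattr" ;;
    esac
}

# inspect_acls PATH: show the POSIX ACL and the two Samba xattrs on PATH.
# Neither user.SAMBA_PAI nor security.NTACL is a file; they are attributes
# attached to the directory entry, so only getfattr (or similar) shows them.
inspect_acls() {
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$1"
    fi
    if command -v getfattr >/dev/null 2>&1; then
        getfattr -d -m 'user\.SAMBA_PAI|security\.NTACL' "$1" 2>/dev/null
    fi
}

main() {
    for s in share_ignore share_posix; do
        echo "$s: path=$(share_setting "$SAMPLE_SMB_CONF" "$s" path)" \
             "acl storage=$(acl_storage "$SAMPLE_SMB_CONF" "$s")"
    done
    echo "map acl inherit (global) = $(share_setting "$SAMPLE_SMB_CONF" global "map acl inherit")"
    if [ -n "$1" ]; then
        inspect_acls "$1"
    fi
}
main "$@"
```

Run it with the path of a share directory on the domain member (e.g. `sh acl_check.sh /srv/samba/share_posix`) to see, side by side, what getfacl reports and whether the Samba xattrs are present; comparing that output for a share with and without the 'acl_xattr' line is the quickest way to tell whether Windows-set permissions are being mapped into POSIX ACLs at all.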
