[Samba] Samba share not quite working on Domain Controller

Rowland Penny rpenny at samba.org
Thu Dec 21 08:37:16 UTC 2023


On Wed, 20 Dec 2023 18:04:08 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:


> 
> At the risk of continuing to beat this long-dead horse. Why would I
> want to use "extended ACL"? What do they buy me over "Unix Standard
> acls"? Your comment below parenthesises "(ugo)" which I take to
> mean the user-group-other rwx settings on plain vanilla Unix. The
> "extended ACLs", I presume, are designated by the '+', viewable with
> getfacl, as in:
> 
> drwxrwx---+  6 BUILTIN\administrators users 4096 2019-11-12 18:11 Administrator
>           ^
> 
> So, in your opinion, is there any reason I would need these on a Linux
> domain member? If not, I'd rather not mess with something
> unnecessary/extra. If my linux member hosts a Samba share for Windows
> users to map, would that necessitate using the extended ACLs?

If you have Windows clients connecting to a Samba share, then, in my
opinion, you require EAs (Extended ACLs), which, as you pointed out,
are shown by the '+' sign at the end of the Linux permissions. There
are, however, three levels of permissions at play here:
The standard Linux permissions
The Extended ACL as shown by getfacl
The permissions that are set from Windows and can be shown by various
tools, including samba-tool e.g.
 adminuser@rpidc1:~ $ sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

> 
> I know I can set extended ACLs for my own unix purposes to give
> special permissions to certain users. I'm asking here if there is a
> need/benefit with respect to a Domain Member, or samba share
> specifically. If not, I'll forget about it.

For best results, you need Extended ACLs and even better, set them from
Windows.

Rowland
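
The third permission level in the reply above, decoded: an added example (not part of the original message and not Samba's own code) that parses the SDDL string printed by samba-tool into owner, group and ACEs, then lists which trustees hold modifying rights. The helper names, the alias table and the choice of WRITE_BITS are assumptions of this example; it handles hex access masks and the DACL only.

```python
import re

# Standard SDDL SID abbreviations that appear in the sysvol string above.
SID_ALIASES = {
    "LA": "Local Administrator", "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators", "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
}
# File access-mask bits that allow modification: write data, append, write EA,
# delete child, write attributes, DELETE, WRITE_DAC, WRITE_OWNER.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
SDDL_RE = re.compile(
    r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")

def name(sid):
    return SID_ALIASES.get(sid, sid)  # unknown aliases and raw S-1-... SIDs pass through

def parse_sddl(sddl):
    """Parse owner, group and DACL of an SDDL string (hex masks only, no SACL)."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL layout")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")[:6]
        if not rights.lower().startswith("0x"):
            raise ValueError("symbolic rights such as 'FA' are not handled here")
        aces.append({
            "type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
            "inherit": re.findall("..", flags),  # e.g. ['OI', 'CI']
            "mask": int(rights, 16),
            "trustee": name(trustee),
        })
    return {"owner": name(m["owner"]), "group": name(m["group"]),
            "protected": "P" in m["flags"], "aces": aces}

def writers(acl):
    """Trustees whose allow ACE contains any modifying right."""
    return [a["trustee"] for a in acl["aces"]
            if a["type"] == "allow" and a["mask"] & WRITE_BITS]

# The SDDL string quoted in the message above.
SYSVOL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

if __name__ == "__main__":
    acl = parse_sddl(SYSVOL)
    for a in acl["aces"]:
        print(f'{a["type"]:5} {"".join(a["inherit"]):5} {a["mask"]:#010x} {a["trustee"]}')
    print("can modify:", writers(acl))
```

Here 0x001f01ff is full control and 0x001200a9 is read and execute, so only Administrators and SYSTEM can modify sysvol, while Server Operators and Authenticated Users are read-only.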
