[Samba] access "claim types"

Rowland Penny rpenny at samba.org
Fri Feb 10 09:01:53 UTC 2023



On 10/02/2023 08:38, Stefan G. Weichinger via samba wrote:
> Am 10.02.23 um 09:10 schrieb Rowland Penny via samba:
> 
>>> idmap config * : range = 3000-7999
>>> idmap config * : backend = tdb
>>> idmap config NORAS : range = 10000-20000
>>> idmap config NORAS : backend = rid
>>
>> Is this bad sanitisation ?
>> your workgroup is 'COMP' and the idmap config lines are using 'NORAS', 
>> they should be the same.
>>
>> If that isn't it, try looking at dns, with things like this, it is 
>> usually dns.
> 
> no that was just me trying to anonymize things and failing ...

Thought so LOL

> 
> think
> 
> idmap config COMP : range = 10000-20000
> idmap config COMP : backend = rid
> 
> -
> 
> Tested on a test share now.
> 
> That yellow warning still comes, but this "claim types" thing seems only 
> to relate to some conditions
> 
> I googled this image as reference:
> 
> https://download.huawei.com/mdl/image/download?uuid=8e4e181d5bcd4626ac44ffe959904264
> 
> I was able to add a principal and edit its permission on the testshare.
> 
> The yellow warning is there on shares belonging to root or Administrator 
> (wrong)

Problem is, Administrator shouldn't own anything on Unix.

> 
> -
> 
> Reading 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
> again, sure.
> 
> I don't have "acl_xattr:ignore system acls = yes" ... changing that 
> sounds dangerous, especially while there are dozens of active users on 
> the server right now.
> 
> 

That does exactly what it says, the normal 'ugo' Unix permissions will 
be ignored and only permissions set from Windows (and stored in an EA) 
will be used by Samba.

Rowland



More information about the samba mailing list