[Samba] SaMBa 4.16.4 adds users to ACLs as groups

Tamás Németh nt1277 at gmail.com
Fri Jun 16 15:20:26 UTC 2023


Dear Rowland,

I'm trying to write a single email answering all the questions of your
recent emails:


> Hi Tamas, I have been reviewing your numerous posts on this list about
> this project, are you aware that you have been posting for 6 months ?

Well, not exactly :-) Only 5 months and 5 days :-) However, this specific
thread is only 9 days old. I had a few mails in January, February, etc.,
where I asked for help with the migration of an ancient server. Thank you
for your help with those questions, the migration was successful apart from
the mentioned "piling up" of POSIX ACLs, which I discovered 9 days ago.



> [quote]
> this "piling up" of ACL information doesn't happen either on a native
> Windows file server or with vfs_acl_xattr
> [/quote]
> Does this mean you do not have 'vfs objects = acl_xattr' in your
> smb.conf ?

Yes, it means that. I don't have vfs_acl_xattr enabled on our infamous
production server, however, I conducted some experiments on a server cloned
from it, where I enabled either vfs_acl_xattr or vfs_acl_tdb. I noticed
that SaMBa behaves differently in all three scenarios (1. no VFS backend,
2. acl_xattr, 3. acl_tdb). This mail contains the details:
https://lists.samba.org/archive/samba/2023-June/245479.html Of the three
scenarios, vfs_acl_xattr (plus its option "ignore system acls = yes") seems
to be achieving the best results, permissions identical to those of native
Windows.




> [quote]
> this may be the reason why using POSIX ACLs with SaMBa is deprecated
> [/quote]
> As far as I am aware, using POSIX ACLs isn't deprecated, is it possible
> you can tell us where you found that information ?

OK, I probably misinterpreted or exaggerated two sentences from here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
The sentences are: "You are advised that a better option than POSIX draft
ACLs is to use Windows ACLs, this will allow you to set up fine-granular
ACLs." and "Linux however, ... here only deprecated POSIX draft ACLs exist."




> It might also be a good idea if we could see your present smb.conf, so
> please post the output of 'testparm -s' (sanitised if must).

OK, here is my smb.conf with most of the (very numerous) shares removed:
https://pastebin.com/xWASKir4



> Now you can, with 'setfacl' add default permissions, are these what you
> are referring to as 'Posix ACLs' ?

When using the phrase "default (POSIX) ACLs" in the mail
https://lists.samba.org/archive/samba/2023-June/245540.html I was referring
to the default ACLs created with the --default option of setfacl.



> is Samba causing the problem, or to put it
> another way, if the share was on a Windows machine, would the ACLs get
> created differently ?

Well, SaMBa with "vfs objects = acl_xattr" + "acl_xattr:ignore system acls
= yes" seems to create identical ACLs to those created by Windows, but when
relying solely on POSIX ACLs (running SaMBa on Linux / ext4), the ACLs
differ from the Windows ones quite a bit. I'm well aware that NFS4 ACLs
cannot be converted to POSIX ACLs without a loss, but even despite this, I
wouldn't expect two phenomena to occur to MS Word files edited by
multiple users on a SaMBa server using the configuration from the pastebin
link above. The two phenomena (not happening on Windows or SaMBa +
"acl_xattr:ignore system acls = yes") are the following:

1. Piling up of UIDs of users who ever edited a DOCX file in the said
file's POSIX ACL. This doesn't happen on Windows. Only the owner changes
there when saving an Office document.
2. UIDs and GIDs added to POSIX ACLs as both users and groups without
distinction.


Thank you for your efforts,

Tamás
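
The two phenomena listed in the mail above can be looked for on a share by parsing `getfacl -n -R` output. The following is an added example, not part of the original mail and not Samba code; the sample ACL text, the function names and the named-user threshold are assumptions constructed for illustration.

```python
import re

# Constructed `getfacl -n -R` output (numeric IDs); not data from the thread.
SAMPLE = """\
# file: share/report.docx
# owner: 3000021
# group: 3000005
user::rwx
user:3000021:rwx
user:3000034:rwx
user:3000047:rwx
group::rwx
group:3000021:rwx
group:3000034:rwx
mask::rwx
other::---

# file: share/notes.txt
# owner: 3000021
# group: 3000005
user::rw-
group::r--
other::---
"""

# Named access entries only: "user::", "group::" and "default:" lines do not match.
NAMED = re.compile(r"^(user|group):([^:]+):")

def parse_getfacl(text):
    """Map each path to the IDs named in its user and group ACL entries."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = acls.setdefault(line[8:], {"user": set(), "group": set()})
        elif current is not None and (m := NAMED.match(line)):
            current[m.group(1)].add(m.group(2))
    return acls

def audit(text, max_named_users=2):
    """Flag IDs named as both user and group, or too many named users (assumed limit)."""
    findings = []
    for path, acl in parse_getfacl(text).items():
        dual = sorted(acl["user"] & acl["group"])
        if dual or len(acl["user"]) > max_named_users:
            findings.append((path, dual, len(acl["user"])))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same audit before and after a document is saved by several users shows whether the named-user count keeps growing.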

