[Samba] windows acls

Peter Carlson peter at howudodat.com
Tue Mar 28 19:04:11 UTC 2023


On 3/28/23 11:57, Rowland Penny via samba wrote:
>
>
> On 28/03/2023 19:47, Peter Carlson via samba wrote:
>>
>> On 3/28/23 11:22, Rowland Penny via samba wrote:
>>>
>>>
>>> On 28/03/2023 18:43, Peter Carlson via samba wrote:
>>>> bumping the log to 5, there are a few more lines right before 
>>>> NT_STATUS_ACCESS_DENIED, could the EA error be a clue?
>>>
>>> I do not think so, that is what you are trying to create/set from 
>>> Windows.
>>>
>>>>
>>>> [2023/03/28 10:37:19.643508,  5] 
>>>> ../../source3/smbd/vfs.c:1334(check_reduced_name)
>>>>    check_reduced_name: . reduced to /data/test
>>>> [2023/03/28 10:37:19.643539,  5] 
>>>> ../../source3/smbd/dosmode.c:177(unix_mode)
>>>>    unix_mode: unix_mode(.) returning 0666
>>>> [2023/03/28 10:37:19.643605,  5] 
>>>> ../../source3/smbd/dosmode.c:396(fget_ea_dos_attribute)
>>>>    fget_ea_dos_attribute: Cannot get attribute from EA on file .: 
>>>> Error = No data available
>>>> [2023/03/28 10:37:19.643652,  4] 
>>>> ../../source3/smbd/open.c:3808(open_file_ntcreate)
>>>>    calling open_file with flags=0x0 flags2=0x800 mode=0666, 
>>>> access_mask = 0x20080, open_access_mask = 0x20080
>>>> [2023/03/28 10:37:19.643680,  5] 
>>>> ../../source3/smbd/open.c:4427(open_directory)
>>>>    open_directory: opening directory ., access_mask = 0x20080, 
>>>> share_access = 0x7 create_options = 0x200000, create_disposition = 
>>>> 0x1, file_attributes = 0x10
>>>
>>> I am running out of ideas, is a firewall blocking something ?
>>> Have you tried logging into Windows as Administrator ?
>>>
>>> Rowland
>>>
>>>
>> OK, I got something to work and found some differences. I added a 
>> new share, created a new folder and set the ACLs. It works!
>>
>> smb.conf is the same:
>>
>> [Peter]
>>      path = /data/peter
>>      comment = test
>>      read only = no
>>
>> [Test]
>>      path = /data/test
>>      comment = test
>>      read only = no
>>
>> file directory shows a slight difference:
>>
>> root at filesvr:/var/log/samba# ls -l /data
>> drwxrwx---   2 root SDCP\domain admins    4096 Mar 28 11:11 peter
>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>
>> Do you happen to know what the + is at the end of the permissions? I 
>> can't find that in the docs.
>
>
> It shows that POSIX ACLs are set (the ones shown by getfacl). If you 
> want to see the ACLs set from Windows in a readable way, try:
>
> samba-tool ntacl get /data/test --as-sddl
>
> Rowland
>
Could it be the POSIX ACLs are interfering somehow? Here are the 
Windows ACLs:

root at filesvr:/var/log/samba# samba-tool ntacl get /data/test --as-sddl
O:S-1-22-1-0G:S-1-5-21-185628584-2620904409-2800336372-512D:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-512)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-513)

root at filesvr:/var/log/samba# samba-tool ntacl get /data/peter --as-sddl
O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)

Is this worth troubleshooting more, or should I just create new shares 
and move the data over?



What I need is:

All of our shares fall into 1 of 3 categories:
1) Admins only... let's call it \\filesvr\admin
     we want any domain admin to be able to create folders as needed
2) Everyone
     we want any domain user to have full control
3) Read-only
     we want any domain admin to be able to create/write
     we want any domain user to be able to read
There's some variation on this, but with these 3 I can get the rest.

I read somewhere that inheritance should be disabled.  But shouldn't I 
be able to go to \\filesvr\read-only and set:
     domain admins: full control, this folder subfolders and files
     domain users: read, this folder subfolders and files

then go back into smb.conf and enable acl_xattr:ignore system acls = yes
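The two `--as-sddl` outputs above are hard to read raw. The following is an added example (not code from the thread, from Rowland, or from Samba itself) that decodes such SDDL strings into the "Allow Full Control to Domain Users [this folder, subfolders, files]" form the Windows Security tab shows. The two SDDL strings are copied from the thread; the helper names (`parse_sddl`, `explain`, `folder_rights`) and the English labels are this example's own. The decoding relies on documented conventions: `S-1-22-1-<uid>` / `S-1-22-2-<gid>` are Samba's SIDs for unmapped Unix users and groups, RIDs 512 and 513 are Domain Admins and Domain Users, and `0x001f01ff` / `0x001200a9` are the masks Explorer names Full Control and Read & Execute.

```python
"""Decode SDDL as printed by `samba-tool ntacl get <path> --as-sddl`.

Added example for this thread; not code from the thread or from Samba.
The two SDDL strings are copied from the thread; helper names and the
plain-English labels are this example's own.
"""
import re

# Input copied from the thread: the ACLs of /data/test and /data/peter.
TEST_SDDL = ("O:S-1-22-1-0G:S-1-5-21-185628584-2620904409-2800336372-512D:PAI"
             "(A;;0x001f01ff;;;S-1-22-1-0)"
             "(A;;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-512)"
             "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
             "(A;OICIIO;0x001200a9;;;WD)"
             "(A;OICI;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-513)")
PETER_SDDL = ("O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)"
              "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)")

# Two-letter SID aliases that appear in file ACLs.
SID_ALIASES = {"CO": "CREATOR OWNER", "CG": "CREATOR GROUP", "WD": "Everyone",
               "DA": "Domain Admins", "DU": "Domain Users",
               "BA": "BUILTIN\\Administrators", "SY": "SYSTEM"}
# Well-known RIDs at the tail of a domain SID S-1-5-21-<domain>-<rid>.
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}
# Access masks as Explorer's Security tab names them for files and folders.
FILE_RIGHTS = {0x001F01FF: "Full Control", 0x001301BF: "Modify",
               0x001200A9: "Read & Execute", 0x00120089: "Read"}
# Letter-coded rights that SDDL may use instead of a hex mask.
RIGHT_ALIASES = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
DACL_FLAGS = {"P": "protected (inheritance from parent disabled)",
              "AI": "auto-inherited", "AR": "auto-inherit requested"}

SDDL_RE = re.compile(r"O:(?P<owner>S-[\d-]+|[A-Z]{2})G:(?P<group>S-[\d-]+|[A-Z]{2})"
                     r"D:(?P<dflags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")


def describe_sid(sid):
    """Map a SID or SDDL alias to a readable principal name."""
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)   # Samba's Unix uid/gid SID namespace
    if m:
        return f"Unix {'uid' if m.group(1) == '1' else 'gid'} {m.group(2)}"
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m and int(m.group(1)) in DOMAIN_RIDS:
        return DOMAIN_RIDS[int(m.group(1))]
    return sid


def parse_rights(field):
    """Hex mask or concatenated two-letter aliases -> integer access mask."""
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_ALIASES[field[i:i + 2]]   # unknown alias raises KeyError on purpose
    return mask


def split_pairs(s, singles=()):
    """Split a flag string into codes; codes listed in `singles` are one letter wide."""
    out, i = [], 0
    while i < len(s):
        width = 1 if s[i] in singles else 2
        out.append(s[i:i + width])
        i += width
    return out


def applies_to(flags):
    """Explorer's 'Applies to' column, derived from the OI/CI/IO inheritance flags."""
    targets = []
    if "IO" not in flags:
        targets.append("this folder")
    if "CI" in flags:
        targets.append("subfolders")
    if "OI" in flags:
        targets.append("files")
    return ", ".join(targets)


def parse_ace(text):
    """'type;flags;rights;objguid;inhguid;sid' (parentheses stripped) -> dict."""
    ace_type, flags, rights, _obj, _inh, sid = text.split(";")
    return {"type": ace_type, "flags": split_pairs(flags),
            "mask": parse_rights(rights), "sid": sid}


def parse_sddl(sddl):
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("expected an O:...G:...D:... SDDL string")
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": split_pairs(m.group("dflags"), singles="P"),
            "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]}


def describe_ace(ace):
    kind = {"A": "Allow", "D": "Deny"}.get(ace["type"], ace["type"])
    rights = FILE_RIGHTS.get(ace["mask"], f"0x{ace['mask']:08x}")
    return f"{kind} {rights} to {describe_sid(ace['sid'])} [{applies_to(ace['flags'])}]"


def explain(sddl):
    """Return the ACL as readable lines, roughly as the Security tab lists them."""
    acl = parse_sddl(sddl)
    lines = [f"Owner: {describe_sid(acl['owner'])}",
             f"Group: {describe_sid(acl['group'])}",
             "DACL: " + ", ".join(DACL_FLAGS.get(f, f) for f in acl["dacl_flags"])]
    return lines + [describe_ace(a) for a in acl["aces"]]


def folder_rights(sddl, principal):
    """Allow mask a principal (readable name) holds on the folder itself (IO ACEs excluded)."""
    mask = 0
    for ace in parse_sddl(sddl)["aces"]:
        if ace["type"] == "A" and "IO" not in ace["flags"] \
                and describe_sid(ace["sid"]) == principal:
            mask |= ace["mask"]
    return mask


if __name__ == "__main__":
    for name, sddl in (("/data/test", TEST_SDDL), ("/data/peter", PETER_SDDL)):
        print(f"== {name}")
        print("\n".join(explain(sddl)))
```

Run against the two strings from the thread, the decoder shows that both DACLs carry the `P` flag (inheritance from the parent directory disabled) and `AI`, that `/data/test` has an explicit Allow Full Control ACE for Domain Users applying to this folder, subfolders and files, while `/data/peter` has ACEs only for Unix uid 0, Domain Admins and the CREATOR OWNER / CREATOR GROUP inherit-only entries, so `folder_rights(PETER_SDDL, "Domain Users")` is zero. Seeing the ACL in this form is the quickest way to compare what Windows set against the three share categories listed above before changing `acl_xattr:ignore system acls`.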

