[Samba] windows acls

Rowland Penny rpenny at samba.org
Tue Mar 28 20:05:51 UTC 2023

On 28/03/2023 20:04, Peter Carlson via samba wrote:

> could it be the posix acls are interfering somehow?  here are the 
> windows acls
> root at filesvr:/var/log/samba# samba-tool ntacl get /data/test --as-sddl
> O:S-1-22-1-0G:S-1-5-21-185628584-2620904409-2800336372-512D:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-512)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-513)
> root at filesvr:/var/log/samba# samba-tool ntacl get /data/peter --as-sddl
> O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)

I am not sure what is going on here, but I did notice that you had 
'acl_xattr:ignore system acls = yes' set on 'test', but commented out. 
Was it ever set and used?

If you break the ACEs down, you will find that Domain Admins is 
'S-1-5-21-185628584-2620904409-2800336372-512' in one and just 'DA' in 
the other, and I have no real idea why.
I have done some testing in the past and found that how 
'acl_xattr:ignore system acls = yes' works depends on whether there is a 
user.map set and just who changes the permissions on Windows, 
Administrator or a member of Domain Admins.

> Is this worth troubleshooting more, or should I just create new shares 
> and move the data over?

It might just be easier to create a new share.

> What I need is :
> all of our shares fall into 1 of 3 categories:
> 1) Admins Only...let's call it \\filesvr\admin
>      we want any domain admin to be able to create folders as needed
> 2) Everyone
>      we want any domain user to have full control
> 3) read-only
>      we want any domain admin to be able to create/write
>      we want any domain user to be able to read
> There's some variation on this, but with these 3 I can get the rest.
> I read somewhere that inheritance should be disabled.  But shouldn't I 
> be able to go to \\filesvr\read-only and set:
>      domain admins: full control, this folder subfolders and files
>      domain users: read, this folder subfolders and files

You should be able to do all that from Windows.

> then go back into smb.conf and enable acl_xattr:ignore system acls = yes

I am not sure setting that line is a good idea, just set the permissions 
from Windows and never change them on the Unix side.
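To make the difference Rowland points at easier to see, here is an added example (my own script, not from the thread and not part of Samba) that breaks the two quoted `samba-tool ntacl get --as-sddl` strings into owner, group, DACL control flags and individual ACEs, resolving both the `DA` alias and the RID-512 SID to Domain Admins. The alias, RID and access-mask tables are deliberately limited to values that appear in the message.

```python
import re

# Subset of well-known SDDL aliases, domain RIDs and NT access masks: only the
# values that occur in the two ACLs quoted above (not a complete table).
ALIASES = {"DA": "Domain Admins", "CO": "Creator Owner",
           "CG": "Creator Group", "WD": "Everyone"}
RIDS = {"512": "Domain Admins", "513": "Domain Users"}
MASKS = {0x001F01FF: "FULL_CONTROL", 0x001200A9: "READ_EXECUTE"}
ACE_FLAGS = {"OI": "object_inherit", "CI": "container_inherit",
             "IO": "inherit_only", "NP": "no_propagate", "ID": "inherited"}

# The two DACLs from the message, copied verbatim for a side-by-side check.
TEST_SDDL = ("O:S-1-22-1-0G:S-1-5-21-185628584-2620904409-2800336372-512D:PAI"
             "(A;;0x001f01ff;;;S-1-22-1-0)"
             "(A;;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-512)"
             "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
             "(A;OICIIO;0x001200a9;;;WD)"
             "(A;OICI;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-513)")
PETER_SDDL = ("O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)"
              "(A;;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)"
              "(A;OICIIO;0x001200a9;;;CG)")

def trustee_name(t):
    """Map an SDDL trustee (two-letter alias or SID) to a readable name."""
    if t in ALIASES:
        return ALIASES[t]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", t)   # domain SID + RID
    if m and m.group(1) in RIDS:
        return RIDS[m.group(1)]            # RID 512 is the same group as 'DA'
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", t)          # Samba Unix uid/gid SIDs
    if m:
        return ("Unix uid " if m.group(1) == "1" else "Unix gid ") + m.group(2)
    return t

def parse_sddl(sddl):
    """Parse 'O:...G:...D:...' into owner, group, DACL control flags and ACEs."""
    m = re.fullmatch(r"O:([^:]+?)G:([^:]+?)D:(.*)", sddl)
    if not m:
        raise ValueError("expected O:, G: and D: components")
    owner, group, dacl = m.groups()
    ctrl = dacl.split("(", 1)[0]           # e.g. 'PAI' before the first ACE
    control = {"protected": ctrl.startswith("P"), "auto_inherited": "AI" in ctrl}
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        atype, flags, rights, _obj, _inh, trustee = body.split(";")
        mask = int(rights, 16) if rights.startswith("0x") else rights
        aces.append({"type": {"A": "allow", "D": "deny"}.get(atype, atype),
                     "flags": [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2])
                               for i in range(0, len(flags), 2)],
                     "rights": MASKS.get(mask, rights),
                     "trustee": trustee_name(trustee)})
    return {"owner": trustee_name(owner), "group": trustee_name(group),
            "control": control, "aces": aces}
```

Running `parse_sddl` over both strings shows the only real difference between the shares is how Domain Admins is written and the extra Everyone/Domain Users entries on `/data/test`; the `P` (protected) flag on both DACLs means inheritance from the parent is blocked, which matters when comparing them with what Windows displays.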

