[Samba] windows acls
Rowland Penny
rpenny at samba.org
Tue Mar 28 20:05:51 UTC 2023
On 28/03/2023 20:04, Peter Carlson via samba wrote:
> could it be the posix acls are interfering somehow? here are the
> windows acls
>
> root at filesvr:/var/log/samba# samba-tool ntacl get /data/test --as-sddl
> O:S-1-22-1-0G:S-1-5-21-185628584-2620904409-2800336372-512D:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-512)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-513)
>
> root at filesvr:/var/log/samba# samba-tool ntacl get /data/peter --as-sddl
> O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)
>
I am not sure what is going on here, but I did notice that you had
'acl_xattr:ignore system acls = yes' set on 'test', but commented out.
Was it ever set and used?
If you break the ACEs down, you will find that Domain Admins is
'S-1-5-21-185628584-2620904409-2800336372-512' in one and just 'DA' in
the other, and I have no real idea why.
I have done some testing in the past and found that how
'acl_xattr:ignore system acls = yes' works depends on if there is a
user.map set and just who changes the permissions on Windows,
Administrator or a member of Domain Admins.
> Is this worth troubleshooting more, or should I just create new shares
> and move the data over?
It might just be easier to create a new share.
>
> What I need is :
>
> all of our shares fall into 1 of 3 categories:
> 1) Admins only... let's call it \\filesvr\admin
> we want any domain admin to be able to create folders as needed
> 2) Everyone
> we want any domain user to be able to have full control
> 3) read-only
> we want any domain admin to be able to create/write
> we want any domain user to be able to read
> There's some variation on this, but with these 3 I can get the rest
>
> I read somewhere that inheritance should be disabled. But shouldn't I
> be able to go to \\filesvr\read-only and set:
> domain admins: full control, this folder subfolders and files
> domain users: read, this folder subfolders and files
You should be able to do all that from Windows.
>
> then go back into smb.conf and enable acl_xattr:ignore system acls = yes
I am not sure setting that line is a good idea, just set the permissions
from Windows and never change them on the Unix side.
Rowland
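Breaking the two posted descriptors down the way Rowland suggests is easier with a small SDDL decoder. The following is an added example, not code from the thread or from Samba: it parses the `O:`/`G:`/`D:` string that `samba-tool ntacl get --as-sddl` prints, expands the two-letter aliases (DA, CO, CG, WD) to full SIDs using the domain SID taken from the posted output (an assumption: it is hard-coded as DOMAIN_SID), names the access masks the way Windows Explorer does, and turns the OI/CI/IO flags into Explorer's "Applies to" wording. The friendly names in FRIENDLY (Domain Admins for RID 512, Domain Users for RID 513) are the standard well-known RIDs, not something the thread confirms.

```python
"""Decode Samba/Windows SDDL descriptors into readable ACEs (added example)."""
import re
from dataclasses import dataclass

# Sample input: the two descriptors from the thread, copied from the post.
SDDL_TEST = (
    "O:S-1-22-1-0G:S-1-5-21-185628584-2620904409-2800336372-512D:PAI"
    "(A;;0x001f01ff;;;S-1-22-1-0)"
    "(A;;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-512)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)"
    "(A;OICI;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-513)"
)
SDDL_PETER = (
    "O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
)

# Assumption: the domain SID, read off the SIDs in the posted output.
DOMAIN_SID = "S-1-5-21-185628584-2620904409-2800336372"

# Domain-relative aliases get DOMAIN_SID as prefix; the others are fixed well-known SIDs.
DOMAIN_RELATIVE = {"DA": 512, "DU": 513, "DG": 514, "DC": 515, "EA": 519}
WELL_KNOWN = {"CO": "S-1-3-0", "CG": "S-1-3-1", "WD": "S-1-1-0",
              "SY": "S-1-5-18", "BA": "S-1-5-32-544", "AU": "S-1-5-11"}
FRIENDLY = {"S-1-3-0": "CREATOR OWNER", "S-1-3-1": "CREATOR GROUP", "S-1-1-0": "Everyone",
            f"{DOMAIN_SID}-512": "Domain Admins", f"{DOMAIN_SID}-513": "Domain Users",
            "S-1-22-1-0": "Unix uid 0 (root)"}

# File access-mask bits (winnt.h) and the composite masks Explorer gives a name to.
ACCESS_BITS = {0x1: "READ_DATA", 0x2: "WRITE_DATA", 0x4: "APPEND_DATA", 0x8: "READ_EA",
               0x10: "WRITE_EA", 0x20: "EXECUTE", 0x40: "DELETE_CHILD",
               0x80: "READ_ATTRIBUTES", 0x100: "WRITE_ATTRIBUTES", 0x10000: "DELETE",
               0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
               0x100000: "SYNCHRONIZE"}
NAMED_MASKS = {0x1f01ff: "Full control", 0x1301bf: "Modify",
               0x1200a9: "Read & execute", 0x120089: "Read"}
# Symbolic rights tokens SDDL allows instead of a hex mask.
RIGHTS_TOKENS = {"FA": 0x1f01ff, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200a0,
                 "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
INHERIT_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
                 "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
DACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny
    flags: list     # expanded inheritance flag names
    mask: int
    sid: str        # always a full SID, aliases already expanded


def resolve_sid(token):
    """Expand a two-letter SDDL alias to a full SID; real SIDs pass through."""
    if token.startswith("S-"):
        return token
    if token in DOMAIN_RELATIVE:
        return f"{DOMAIN_SID}-{DOMAIN_RELATIVE[token]}"
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    raise ValueError(f"unknown SID alias {token!r}")


def _pairs(s):
    """Split a run of two-letter SDDL tokens: 'OICIIO' -> ['OI', 'CI', 'IO']."""
    if len(s) % 2:
        raise ValueError(f"odd-length token string {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_mask(text):
    return int(text, 16) if text.startswith("0x") else sum(RIGHTS_TOKENS[t] for t in _pairs(text))


def parse_sddl(sddl):
    """Return owner, group, DACL control flags and the list of ACEs."""
    m = re.fullmatch(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dflags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    dacl_flags, rest = [], m["dflags"]
    while rest:                      # P is one letter, AI/AR are two
        n = 2 if rest[:2] in ("AI", "AR") else 1
        dacl_flags.append(DACL_FLAGS[rest[:n]])
        rest = rest[n:]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        ace_type, flags, rights, _obj, _iobj, sid = body.split(";")
        aces.append(Ace(ace_type, [INHERIT_FLAGS[f] for f in _pairs(flags)],
                        parse_mask(rights), resolve_sid(sid)))
    return {"owner": resolve_sid(m["owner"]), "group": resolve_sid(m["group"]),
            "dacl_flags": dacl_flags, "aces": aces}


def mask_name(mask):
    """Explorer's name for a mask when it has one, otherwise the bits that are set."""
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    return "|".join(n for b, n in ACCESS_BITS.items() if mask & b) or f"0x{mask:x}"


def applies_to(flags):
    """Explorer's 'Applies to' wording for an ACE's inheritance flags."""
    key = tuple(f in flags for f in ("OBJECT_INHERIT", "CONTAINER_INHERIT", "INHERIT_ONLY"))
    return {(False, False, False): "This folder only",
            (True, True, False): "This folder, subfolders and files",
            (True, True, True): "Subfolders and files only",
            (False, True, False): "This folder and subfolders",
            (False, True, True): "Subfolders only",
            (True, False, False): "This folder and files",
            (True, False, True): "Files only"}.get(key, "never applies")


def principals(sddl):
    return {a.sid for a in parse_sddl(sddl)["aces"]}


def describe(sddl):
    d = parse_sddl(sddl)
    out = [f"owner={FRIENDLY.get(d['owner'], d['owner'])}  group={FRIENDLY.get(d['group'], d['group'])}"
           f"  dacl={','.join(d['dacl_flags'])}"]
    for a in d["aces"]:
        out.append(f"  {a.ace_type} {FRIENDLY.get(a.sid, a.sid):20} {mask_name(a.mask):15} {applies_to(a.flags)}")
    return out


if __name__ == "__main__":
    for path, s in (("/data/test", SDDL_TEST), ("/data/peter", SDDL_PETER)):
        print(path, *describe(s), sep="\n")
    print("only in /data/test:", sorted(principals(SDDL_TEST) - principals(SDDL_PETER)))
```

Run against the two posted strings, the decoder shows that `DA` and `S-1-5-21-...-512` resolve to the same principal, so the Domain Admins ACE is the same on both paths; the real difference is that `/data/test` additionally grants Everyone (WD) read & execute and Domain Users full control on "This folder, subfolders and files", while `/data/peter` has neither. Both DACLs carry `P` (protected), which is the flag Windows sets when inheritance from the parent is disabled.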