[Samba] windows acls

Peter Carlson peter at howudodat.com
Tue Mar 28 20:33:13 UTC 2023
On 3/28/23 13:05, Rowland Penny via samba wrote:
>
>
> On 28/03/2023 20:04, Peter Carlson via samba wrote:
>
>
>> could it be the posix acls are interfering somehow?  here are the 
>> windows acls
>>
>> root at filesvr:/var/log/samba# samba-tool ntacl get /data/test --as-sddl
>> O:S-1-22-1-0G:S-1-5-21-185628584-2620904409-2800336372-512D:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-512)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;S-1-5-21-185628584-2620904409-2800336372-513)
>>
>>
>> root at filesvr:/var/log/samba# samba-tool ntacl get /data/peter --as-sddl
>> O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)
>>
>>
>
> I am not sure what is going on here, but I did notice that you had 
> 'acl_xattr:ignore system acls = yes' set on 'test', but commented out, 
> was it ever set and used ?
>
> if you break the ACEs down, you will find that Domain Admins is 
> 'S-1-5-21-185628584-2620904409-2800336372-512' in one and just 'DA' in 
> the other and I have no real idea why.
> I have done some testing in the past and found that how 
> 'acl_xattr:ignore system acls = yes' works depends on if there is a 
> user.map set and just who changes the permissions on Windows, 
> Administrator or a member of Domain Admins.
>
>> Is this worth troubleshooting more, or should I just create new 
>> shares and move the data over?
>
> It might just be easier to create a new share.
>
>>
>>
>>
>> What I need is :
>>
>> all of our shares fall into 1 of 3 categories:
>> 1) Admins Only...let's call it \\filesvr\admin
>>      we want any domain admin to be able to create folders as needed
>> 2) Everyone
>>      we want any domain user to be able to full control
>> 3) read-only
>>      we want any domain admin to be able to create/write
>>      we want any domain user to be able to read
>> There's some variation on this, but with these 3 I can get the rest
>>
>> I read somewhere that inheritance should be disabled.  But shouldn't 
>> I be able to go to \\filesvr\read-only and set:
>>      domain admins: full control, this folder subfolders and files
>>      domain users: read, this folder subfolders and files
>
> You should be able to do all that from Windows.
>
>>
>> then go back into smb.conf and enable acl_xattr:ignore system acls = yes
>
> I am not sure setting that line is a good idea, just set the 
> permissions from Windows and never change them on the Unix side.
>
> Rowland
>
root at filesvr:/data# mkdir Accounting2
root at filesvr:/data# chmod 0770 Accounting2
root at filesvr:/data# chown root:"SDCP\\domain admins" Accounting2
root at filesvr:/data# smbcontrol all reload-config

on Windows, Computer Management, connect to remote server, System 
Tools->Shared Folders->Shares
Accounting2:Share Permissions has Everyone, Full Control, Change and 
Read, nothing else
Accounting2:Security has:
     root:             Full Control:     This folder only
     Domain Admins:    Full control:     This folder only
     Everyone:         None:             This folder only
     CREATOR OWNER:    Full control:     Subfolders and files only
     CREATOR GROUP:    Read & Execute:   Subfolders and files only
     Everyone:         Read & Execute:   Subfolders and files only

1) That's how it was all set by default, is there anything there that I 
should change?

2) To add DOMAIN\Accounting to be able to have full control of this 
share and all subfolders, do I:
     a) add that here in Computer Management
     b) open Windows Explorer, go to \\filesvr\Accounting2 and add it there?
     c) neither, create a folder and set the permissions there
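Rowland's suggestion above to "break the ACEs down" can be done mechanically. The following Python is an added example, not code from this thread or from Samba itself: it parses the two `samba-tool ntacl get --as-sddl` strings quoted earlier, resolves the aliases (DA, CO, CG, WD), the -512/-513 RIDs and Samba's S-1-22 Unix-ID SIDs to names, and maps each ACE's inheritance flags to the wording of the Windows Security tab. The alias, RID and access-mask tables are constructed here from the SDDL documentation, and `sid_name`, `applies_to` and `parse_sddl` are names chosen for this example.

```python
import re

# Aliases, RIDs and access masks that occur in the two SDDL strings quoted in
# this thread; the mapping is constructed here from the SDDL documentation.
SID_ALIASES = {"DA": "Domain Admins", "CO": "CREATOR OWNER",
               "CG": "CREATOR GROUP", "WD": "Everyone"}
WELL_KNOWN_RIDS = {"512": "Domain Admins", "513": "Domain Users"}
MASK_NAMES = {0x001F01FF: "Full control", 0x001200A9: "Read & Execute"}

def sid_name(sid):
    """Resolve SDDL aliases, Samba's S-1-22 Unix ID SIDs and common domain RIDs."""
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    tail = sid.rsplit("-", 1)[-1]
    if sid.startswith("S-1-22-1-"):          # Samba maps Unix uid N to S-1-22-1-N
        return f"Unix uid {tail}" + (" (root)" if tail == "0" else "")
    if sid.startswith("S-1-22-2-"):          # and Unix gid N to S-1-22-2-N
        return f"Unix gid {tail}"
    return WELL_KNOWN_RIDS.get(tail, sid)

def applies_to(flags):
    """Map ACE inheritance flags to the wording of the Windows Security tab."""
    if not {"OI", "CI"} & set(flags):
        return "This folder only"
    if "IO" in flags:
        return "Subfolders and files only"
    return "This folder, subfolders and files"

def parse_sddl(sddl):
    """Break an owner/group/DACL SDDL string into its parts and ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl.strip())
    if not m:
        raise ValueError("unrecognised SDDL layout")
    owner, group, acl_flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj, _inherit_obj, sid = ace.split(";")
        mask = int(rights, 16)
        codes = re.findall(r"..", flags)            # "OICIIO" -> ["OI", "CI", "IO"]
        aces.append({"type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
                     "trustee": sid_name(sid), "mask": mask,
                     "rights": MASK_NAMES.get(mask, rights),
                     "applies_to": applies_to(codes)})
    return {"owner": sid_name(owner), "group": sid_name(group),
            "protected": "P" in acl_flags, "aces": aces}

# SDDL of /data/peter as quoted in the thread (trailing space included as pasted).
PETER_SDDL = ("O:S-1-22-1-0G:DAD:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)"
              "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG) ")

if __name__ == "__main__":
    sd = parse_sddl(PETER_SDDL)
    print(f"owner={sd['owner']} group={sd['group']} protected={sd['protected']}")
    for a in sd["aces"]:
        print(f"  {a['type']:5} {a['trustee']:16} {a['rights']:16} {a['applies_to']}")
```

Running it on the /data/test string shows the point Rowland made: the full `S-1-5-21-...-512` SID and the `DA` alias both resolve to Domain Admins, and the `P` in `PAI` is the "disable inheritance" setting visible from Windows.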
