[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
Peter Milesson
miles at atmos.eu
Tue Jan 30 15:13:41 UTC 2024
Hi folks,
It seems that the setting acl_xattr:ignore system acls = yes reduces
Windows compatibility when defined for a share. In all attempts I have
used Windows tools (except for editing smb.conf).
Assume there is a share, where the files and folders in the share root
should at least be readable by anybody having access to the share. For
the sake of simplicity the following permissions apply on the share:
Inheritance disabled
Owner: root (Unix User\root)
Domain Admins: full control (this folder, subfolder and files)
Testgroup: read & execute (this folder, subfolder and files)
System: full control (this folder, subfolder and files)
creator owner: (this folder, subfolder and files)
I want, however, to set ownership and access permissions for different
groups on different sub folders. So with acl_xattr:ignore system acls =
yes I create the sub folder Testfolder, set testgroup as owner, and
disable inheritance. When checking the permissions on the folder with
getfacl I get:
# file: Testfolder
# owner: testgroup
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:testgroup:r-x
group::r-x
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:testgroup:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:user:testgroup:r-x
default:group::r-x
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:group:testgroup:r-x
default:mask::rwx
default:other::---
WITHOUT acl_xattr:ignore system acls = yes I create Testfolder2, and
again set testgroup as owner and disable inheritance. The
resulting getfacl is:
# file: Testfolder2
# owner: testgroup
# group: domain\040admins
user::rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:testgroup:rwx
mask::rwx
other::---
default:user::rwx
default:user:domain\040admins:rwx
default:user:testgroup:rwx
default:group::---
default:group:NT\040Authority\\system:rwx
default:group:domain\040admins:rwx
default:group:testgroup:rwx
default:mask::rwx
default:other::---
In the first case (with acl_xattr:ignore system acls = yes), I get
access denied when trying to create anything whatsoever as a user
belonging to the testgroup. In the second case, no problem at all to
create files and folders for the user belonging to the testgroup.
According to the documentation, acl_xattr:ignore system acls = yes should
increase compatibility with Windows. IMHO, it does the opposite. On my
Windows server I have no problems at all defining a set of
permissions for the share and then tweaking sub folders to what I need.
Either I have completely misunderstood the concept, or there is
something not working as it should.
I would be very happy to get some explanations.
Member server: Debian Bookworm with Samba from backports (4.19.4).
smb.conf below.
Best regards,
Peter
[global]
security = ADS
server role = member server
realm = PRIVATE.TALPS
workgroup = PRIVATE
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
log level = 1
disable spoolss = Yes
printcap name = /dev/null
template homedir = /home/%U
template shell = /bin/bash
timestamp logs = Yes
username map = /etc/samba/user.map
min domain uid = 0
# winbind enum groups = Yes
# winbind enum users = Yes
winbind expand groups = 4
# winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config private : backend = rid
idmap config private : range = 10000-99999
map acl inherit = Yes
inherit acls = yes
apply group policies = yes
vfs objects = acl_xattr
[Migrtest]
path = /data/migrtest
read only = no
acl_xattr:ignore system acls = yes
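As an added example (not part of Peter's post and not Samba code), the following Python script applies the POSIX ACL access-check algorithm from acl(5) to the two getfacl listings quoted above, embedded inline as constructed sample input, and asks whether a user who is a member of testgroup (but not of Domain Admins) holds the w and x bits on the directory that creating a file or folder requires. The user name alice and her group set are assumptions; it evaluates only the POSIX layer that getfacl shows, not the NT ACL Samba keeps in the security.NTACL xattr.

```python
"""Apply the acl(5) access-check algorithm to getfacl(1) output.

Added example: parses the two listings from the mailing-list post and
reports whether a testgroup member can create entries in each directory.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample input: the two getfacl listings from the post.
TESTFOLDER_IGNORE_SYSACLS = r"""
# file: Testfolder
# owner: testgroup
# group: domain\040admins
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:testgroup:r-x
group::r-x
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:testgroup:r-x
mask::rwx
other::---
default:user::rwx
default:group:testgroup:r-x
default:mask::rwx
default:other::---
"""

TESTFOLDER2_MAPPED = r"""
# file: Testfolder2
# owner: testgroup
# group: domain\040admins
user::rwx
user:domain\040admins:rwx
group::rwx
group:NT\040Authority\\system:rwx
group:domain\040admins:rwx
group:testgroup:rwx
mask::rwx
other::---
default:user::rwx
default:group:testgroup:rwx
default:mask::rwx
default:other::---
"""


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: str = ""            # user::  (owner entry, never masked)
    group_obj: str = ""           # group:: (owning-group entry, masked)
    mask: Optional[str] = None    # mask::  (caps named users and all groups)
    other: str = ""               # other::
    users: Dict[str, str] = field(default_factory=dict)   # named user entries
    groups: Dict[str, str] = field(default_factory=dict)  # named group entries


def _unescape(name: str) -> str:
    # getfacl escapes a space as \040 and a backslash as \\ in qualifiers.
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)


def parse_getfacl(text: str) -> Acl:
    acl = Acl()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner = _unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acl.group = _unescape(line.split(":", 1)[1].strip())
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue  # default: entries apply to new children, not to this check
        else:
            tag, qual, perms = line.rsplit(":", 2)
            qual = _unescape(qual)
            if tag == "user":
                acl.users[qual] = perms if qual else acl.users.get(qual, "")
                if not qual:
                    acl.user_obj = perms
            elif tag == "group":
                if qual:
                    acl.groups[qual] = perms
                else:
                    acl.group_obj = perms
            elif tag == "mask":
                acl.mask = perms
            elif tag == "other":
                acl.other = perms
    acl.users.pop("", None)
    return acl


def _masked(perms: str, mask: Optional[str]) -> str:
    return perms if mask is None else "".join(p for p in perms if p != "-" and p in mask)


def _has(perms: str, wanted: str) -> bool:
    return all(p in perms for p in wanted)


def check_access(acl: Acl, user: str, user_groups: Set[str], wanted: str) -> bool:
    """acl(5) algorithm: owner, then named user, then matching groups, then other."""
    if user == acl.owner:
        return _has(acl.user_obj, wanted)
    if user in acl.users:
        return _has(_masked(acl.users[user], acl.mask), wanted)
    matching = [acl.group_obj] if acl.group in user_groups else []
    matching += [p for g, p in acl.groups.items() if g in user_groups]
    if matching:  # any matching group entry that grants the bits suffices
        return any(_has(_masked(p, acl.mask), wanted) for p in matching)
    return _has(acl.other, wanted)


def can_create_in(listing: str, user: str = "alice",
                  groups: Set[str] = frozenset({"testgroup", "domain users"})) -> bool:
    """Creating a directory entry needs w and x on the directory itself."""
    return check_access(parse_getfacl(listing), user, set(groups), "wx")


if __name__ == "__main__":
    for label, text in (("Testfolder (ignore system acls = yes)", TESTFOLDER_IGNORE_SYSACLS),
                        ("Testfolder2 (mapped)", TESTFOLDER2_MAPPED)):
        print(f"{label}: testgroup member can create -> {can_create_in(text)}")
```

The useful check for a practitioner is to run the same evaluation against getfacl output taken from the real share, with the group list reported by `id` for the connecting user: the first listing grants testgroup only r-x through both its named-user and named-group entries, so the w bit a create needs is absent at the POSIX layer regardless of what the NT ACL in the xattr says, while the second listing's group:testgroup:rwx entry (within the rwx mask) grants it.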