[Samba] Behavior of acl_xattr:ignore system acls = yes on a share

Peter Milesson miles at atmos.eu
Wed Jan 31 08:13:38 UTC 2024


Hi folks,

No, it does not work. Sorry for the noise. See below.


On 31.01.2024 8:51, Peter Milesson via samba wrote:
> Hi folks,
>
> Thanks everybody for your information.
>
> I have continued my testing and have got the following to report:
>
> Setting up the share with either root:"Domain Admins", or 
> "Administrator":"Domain Admins" as owner, while setting permissions on 
> the share folder to 0777 from the start, and acl_xattr:ignore system 
> acls = yes on the share definition in smb.conf (I did not forget to 
> restart smbd and winbind)
>
> Then in Windows Computer Management/Security I get the following list:
> Owner: (root or Administrator)
>
>    root (or Administrator)    Full Control    This folder only
>    Domain Admins    Read, write & execute    This folder only
>    Everyone    Read, write & execute    This folder only
>    SYSTEM    Full Control    This folder only
>
> Any change I make to the list ends with the error message "Failed to 
> enumerate objects in the container. Access is denied" after clicking OK.
>
> If I first make the basic setup of the share to my liking, without 
> having acl_xattr:ignore system acls = yes active, and then reload smbd 
> with acl_xattr:ignore system acls = yes, it seems to work.
>
> It does not seem important whether the Linux permissions on the share 
> folder are 0770 or 0777, or Linux owner on the share folder being root 
> or Administrator when setting it up. I have not investigated if the 
> folder permissions are important for the share later on.
>
> Best regards,
>
> Peter
>
>
Permissions set under Windows are not honored completely. As a user with 
administrative privileges, I set a subfolder in the share to full 
control for a group (even tried to change ownership). Then logging in to 
Windows as a user belonging to that group, opening the share, and trying 
to add something in that subfolder results in access denied.

I will continue to dig into this. Something is not working, or not 
working according to documentation with ignore system acls = yes.

Best regards,

Peter





