[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
Peter Milesson
miles at atmos.eu
Wed Jan 31 11:51:26 UTC 2024
On 31.01.2024 12:28, Rowland Penny via samba wrote:
> On Wed, 31 Jan 2024 12:19:06 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 31.01.2024 11:48, Rowland Penny via samba wrote:
>>> On Wed, 31 Jan 2024 11:38:31 +0100
>>> Peter Milesson via samba<samba at lists.samba.org> wrote:
>>>
>>>> On 31.01.2024 10:09, Ralph Boehme via samba wrote:
>>>>> On 1/31/24 09:50, Peter Milesson via samba wrote:
>>>>>> The crucial problem here is, that Everyone (yes, really everyone)
>>>>>> can write to the root share.
>>>>> why don't you just change it? That's how it's supposed to work.
>>>>>
>>>>> -slow
>>>>>
>>>> Hi Ralph,
>>>>
>>>> Unfortunately, that doesn't work. In share permissions,
>>> Sorry, but you should only modify the 'Security' tab, for which a
>>> better name would be 'NTFS permissions'
>>> However, as I have found, you can remove 'EVERYONE' from the
>>> Security tab permissions, but it doesn't remove it from the
>>> permissions set on the actual share directory.
>>>
>>> Rowland
>>>
>>>> it's not
>>>> possible to remove Everyone, nor add another security object.
>>>> Clicking OK, the dialog closes without any errors, but opening it
>>>> again, Everyone is still there. I was sure to start Computer
>>>> Management as Administrator.
>>>>
>>>> If it would be possible to set share permissions, then it would be
>>>> usable.
>>>>
>>>> Best regards,
>>>>
>>>> Peter
>>>>
>>>>
>> Hi Rowland,
>>
>> No, it's not possible to touch anything in the security tab. When
>> clicking OK, I get the message "Failed to enumerate objects in the
>> container. Access denied"
>>
>> Best regards,
>>
>> Peter
> Hi Peter, did you set 'acl_xattr:ignore system acls = yes' in the share
> before you first attempted to change the permissions from Windows, or
> after. I ask this because, from my testing, if you set the line before
> the first permissions change from Windows, you get the error that you
> are now getting.
>
> Rowland
>
>
Hi Rowland,
I have tried both ways.
I created the sub folder and set file permissions and ownership.
Then I set up the share in smb.conf with acl_xattr:ignore system acls = yes
After that, reload smbd and winbind
Then I try to set permissions under the Security tab from Computer
Management (as Administrator)
In that case, it is not possible to change any entries under the
security tab, and the Access denied message is displayed after clicking OK.
If I just buy the configuration without changes, I can copy files to the
share, and set permissions on different files and folders (and
subfolders and files) to my liking. But with the serious drawback, that
Everybody can create files in the share root.
If I first setup the share, leaving out acl_xattr:ignore system acls =
yes, I can set security permissions to what I like, and they are saved.
Then I activate acl_xattr:ignore system acls = yes and reload the smbd
and winbind configuration. After that I copy the same files and folders
to the share as above. But, and it's a very big but, file and folder
permissions I set on different sub folders are not honored. If I for
example define a group with Read & execute permissions in the list under
the security tab for the share, those permissions are later set in stone
for the whole file tree. I then can not change permissions in sub
folders. It looks like the permissions are OK, when having a look at the
properties for the object, but that's a false impression.
Best regards,
Peter
But, and it is a huge but. If I copy files to the
More information about the samba
mailing list