[Samba] Behavior of acl_xattr:ignore system acls = yes on a share

Peter Milesson miles at atmos.eu
Wed Jan 31 11:51:26 UTC 2024



On 31.01.2024 12:28, Rowland Penny via samba wrote:
> On Wed, 31 Jan 2024 12:19:06 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 31.01.2024 11:48, Rowland Penny via samba wrote:
>>> On Wed, 31 Jan 2024 11:38:31 +0100
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 31.01.2024 10:09, Ralph Boehme via samba wrote:
>>>>> On 1/31/24 09:50, Peter Milesson via samba wrote:
>>>>>> The crucial problem here is, that Everyone (yes, really everyone)
>>>>>> can write to the root share.
>>>>> why don't you just change it? That's how it's supposed to work.
>>>>>
>>>>> -slow
>>>>>
>>>> Hi Ralph,
>>>>
>>>> Unfortunately, that doesn't work. In share permissions,
>>> Sorry, but you should only modify the 'Security' tab, for which a
>>> better name would be 'NTFS permissions'
>>> However, as I have found, you can remove 'EVERYONE' from the
>>> Security tab permissions, but it doesn't remove it from the
>>> permissions set on the actual share directory.
>>>
>>> Rowland
>>>
>>>> it's not
>>>> possible to remove Everyone, nor add another security object.
>>>> Clicking OK, the dialog closes without any errors, but opening it
>>>> again, Everyone is still there. I was sure to start Computer
>>>> Management as Administrator.
>>>>
>>>> If it would be possible to set share permissions, then it would be
>>>> usable.
>>>>
>>>> Best regards,
>>>>
>>>> Peter
>>>>
>>>>
>> Hi Rowland,
>>
>> No, it's not possible to touch anything in the security tab. When
>> clicking OK, I get the message "Failed to enumerate objects in the
>> container. Access denied"
>>
>> Best regards,
>>
>> Peter
> Hi Peter, did you set 'acl_xattr:ignore system acls = yes' in the share
> before you first attempted to change the permissions from Windows, or
> after? I ask this because, from my testing, if you set the line before
> the first permissions change from Windows, you get the error that you
> are now getting.
>
> Rowland
>
>
Hi Rowland,

I have tried both ways.

I created the sub folder and set file permissions and ownership.
Then I set up the share in smb.conf with acl_xattr:ignore system acls = yes.
After that, reload smbd and winbind.
Then I try to set permissions under the Security tab from Computer 
Management (as Administrator).
In that case, it is not possible to change any entries under the 
security tab, and the Access denied message is displayed after clicking OK.

If I just buy the configuration without changes, I can copy files to the 
share, and set permissions on different files and folders (and 
subfolders and files) to my liking. But with the serious drawback that 
Everybody can create files in the share root.

If I first set up the share, leaving out acl_xattr:ignore system acls = 
yes, I can set security permissions to what I like, and they are saved. 
Then I activate acl_xattr:ignore system acls = yes and reload the smbd 
and winbind configuration. After that I copy the same files and folders 
to the share as above. But, and it's a very big but, file and folder 
permissions I set on different sub folders are not honored. If I for 
example define a group with Read & execute permissions in the list under 
the security tab for the share, those permissions are later set in stone 
for the whole file tree. I then cannot change permissions in sub 
folders. It looks like the permissions are OK, when having a look at the 
properties for the object, but that's a false impression.

Best regards,

Peter




But, and it is a huge but. If I copy files to the




