[Samba] Behavior of acl_xattr:ignore system acls = yes on a share

Sebastian Neustein sebastian.neustein at arc-aachen.de
Wed Jan 31 12:25:30 UTC 2024


Does your filesystem support extended attributes? What does "getfattr -n
security.NTACL filename" return?

On 30.01.2024 16:13, Peter Milesson wrote:
> Hi folks,
>
> It seems that the setting acl_xattr:ignore system acls = yes reduces
> Windows compatibility when defined for a share. In all attempts I have
> used Windows tools (except for editing smb.conf).
>
> Assume there is a share, where the files and folders in the share root
> should at least be readable by anybody having access to the share. For
> the sake of simplicity the following permissions apply on the share:
>
> Inheritance disabled
> Owner: root (Unix User\root)
> Domain Admins: full control (this folder, subfolder and files)
> Testgroup: read & execute (this folder, subfolder and files)
> System: full control (this folder, subfolder and files)
> creator owner: (this folder, subfolder and files)
>
> I want, however, to set ownership and access permissions for different
> groups on different sub folders. So with acl_xattr:ignore system acls
> = yes I create the sub folder Testfolder, set testgroup as owner, and
> disable inheritance. When checking the permissions on the folder
> with getfacl I get:
>
> # file: Testfolder
> # owner: testgroup
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> user:testgroup:r-x
> group::r-x
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:testgroup:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040admins:rwx
> default:user:testgroup:r-x
> default:group::r-x
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:group:testgroup:r-x
> default:mask::rwx
> default:other::---
>
> WITHOUT acl_xattr:ignore system acls = yes I create Testfolder2, again
> set testgroup as owner, and disable inheritance. The
> resulting getfacl is:
>
> # file: Testfolder2
> # owner: testgroup
> # group: domain\040admins
> user::rwx
> user:domain\040admins:rwx
> group::rwx
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:testgroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:domain\040admins:rwx
> default:user:testgroup:rwx
> default:group::---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:group:testgroup:rwx
> default:mask::rwx
> default:other::---
>
> In the first case (with acl_xattr:ignore system acls = yes), I get
> access denied when trying to create anything whatsoever as a user
> belonging to the testgroup. In the second case, no problem at all to
> create files and folders for the user belonging to the testgroup.
>
> According to the documentation acl_xattr:ignore system acls = yes
> should increase compatibility with Windows. IMHO, it does the
> opposite. On my Windows server I have no problems at all defining
> a set of permissions for the share and then tweaking sub folders to
> what I need.
>
> Either I have completely misunderstood the concept, or there is
> something not working as it should.
>
> I would be very happy to get some explanations.
>
> Member server Debian Bookworm with Samba from backports (4.19.4)
>
> smb.conf below.
>
> Best regards,
>
> Peter
>
>
> [global]
>         security = ADS
>         server role = member server
>         realm = PRIVATE.TALPS
>         workgroup = PRIVATE
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         log level = 1
>         disable spoolss = Yes
>         printcap name = /dev/null
>         template homedir = /home/%U
>         template shell = /bin/bash
>         timestamp logs = Yes
>         username map = /etc/samba/user.map
>         min domain uid = 0
> #        winbind enum groups = Yes
> #        winbind enum users = Yes
>         winbind expand groups = 4
> #       winbind offline logon = Yes
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-9999
>         idmap config private : backend = rid
>         idmap config private : range = 10000-99999
>         map acl inherit = Yes
>         inherit acls = yes
>         apply group policies = yes
>         vfs objects = acl_xattr
>
> [Migrtest]
>         path = /data/migrtest
>         read only = no
>         acl_xattr:ignore system acls = yes
>

--
Sebastian Neustein

Airport Research Center GmbH
Bismarckstraße 61
52066 Aachen
Germany

Phone: +49 241 16843-23
Fax: +49 241 16843-19
e-mail:sebastian.neustein at arc-aachen.de
Website:http://www.airport-consultants.com

Register Court: Amtsgericht Aachen HRB 7313
Ust-Id-No.: DE196450052

Managing Director:
Dipl.-Ing. Tom Alexander Heuer

