[Samba] Behavior of acl_xattr:ignore system acls = yes on a share
Sebastian Neustein
sebastian.neustein at arc-aachen.de
Wed Jan 31 12:25:30 UTC 2024
Does your filesystem support extended attributes? What does "getfattr -n security.NTACL filename" return?
On 30.01.2024 16:13, Peter Milesson wrote:
> Hi folks,
>
> It seems that the setting acl_xattr:ignore system acls = yes reduces
> Windows compatibility when defined for a share. In all attempts I have
> used Windows tools (except for editing smb.conf).
>
> Assume there is a share, where the files and folders in the share root
> should at least be readable by anybody having access to the share. For
> the sake of simplicity the following permissions apply on the share:
>
> Inheritance disabled
> Owner: root (Unix User\root)
> Domain Admins: full control (this folder, subfolder and files)
> Testgroup: read & execute (this folder, subfolder and files)
> System: full control (this folder, subfolder and files)
> creator owner: (this folder, subfolder and files)
>
> I want, however, to set ownership and access permissions for different
> groups on different sub folders. So with acl_xattr:ignore system acls
> = yes I create the sub folder Testfolder, set testgroup as owner, and
> disable inheritance. When checking the permissions on the folder
> with getfacl I get:
>
> # file: Testfolder
> # owner: testgroup
> # group: domain\040admins
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> user:testgroup:r-x
> group::r-x
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:testgroup:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040admins:rwx
> default:user:testgroup:r-x
> default:group::r-x
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:group:testgroup:r-x
> default:mask::rwx
> default:other::---
>
> WITHOUT acl_xattr:ignore system acls = yes I create Testfolder2, and
> again set testgroup as owner and disable inheritance. The
> resulting getfacl is:
>
> # file: Testfolder2
> # owner: testgroup
> # group: domain\040admins
> user::rwx
> user:domain\040admins:rwx
> group::rwx
> group:NT\040Authority\\system:rwx
> group:domain\040admins:rwx
> group:testgroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:domain\040admins:rwx
> default:user:testgroup:rwx
> default:group::---
> default:group:NT\040Authority\\system:rwx
> default:group:domain\040admins:rwx
> default:group:testgroup:rwx
> default:mask::rwx
> default:other::---
>
> In the first case (with acl_xattr:ignore system acls = yes), I get
> access denied when trying to create anything whatsoever as a user
> belonging to the testgroup. In the second case, no problem at all to
> create files and folders for the user belonging to the testgroup.
>
> According to the documentation acl_xattr:ignore system acls = yes
> should increase compatibility with Windows. IMHO, it does the
> opposite. On my Windows server I have got no problems at all defining
> a set of permissions for the share and then tweaking sub folders to
> what I need.
>
> Either I have completely misunderstood the concept, or there is
> something not working as it should.
>
> I would be very happy to get some explanations.
>
> Member server: Debian Bookworm with Samba from backports (4.19.4).
>
> smb.conf below.
>
> Best regards,
>
> Peter
>
>
> [global]
> security = ADS
> server role = member server
> realm = PRIVATE.TALPS
> workgroup = PRIVATE
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> log level = 1
> disable spoolss = Yes
> printcap name = /dev/null
> template homedir = /home/%U
> template shell = /bin/bash
> timestamp logs = Yes
> username map = /etc/samba/user.map
> min domain uid = 0
> # winbind enum groups = Yes
> # winbind enum users = Yes
> winbind expand groups = 4
> # winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config private : backend = rid
> idmap config private : range = 10000-99999
> map acl inherit = Yes
> inherit acls = yes
> apply group policies = yes
> vfs objects = acl_xattr
>
> [Migrtest]
> path = /data/migrtest
> read only = no
> acl_xattr:ignore system acls = yes
>
--
Sebastian Neustein
Airport Research Center GmbH
Bismarckstraße 61
52066 Aachen
Germany
Phone: +49 241 16843-23
Fax: +49 241 16843-19
e-mail: sebastian.neustein at arc-aachen.de
Website: http://www.airport-consultants.com
Register Court: Amtsgericht Aachen HRB 7313
Ust-Id-No.: DE196450052
Managing Director:
Dipl.-Ing. Tom Alexander Heuer
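To make the difference between the two getfacl dumps concrete, here is an added Python example (my own, not from the thread or from Samba) that applies the POSIX.1e access-check order to getfacl output. It assumes a hypothetical user alice whose only group is testgroup; the inputs are the two posted access ACLs, trimmed to the entries that matter for that user.

```python
# Added example, not from the thread: POSIX.1e access check over `getfacl` output.
BITS = {"r": 4, "w": 2, "x": 1}
WRITE_EXEC = BITS["w"] | BITS["x"]   # creating an entry needs w and x on the directory
perms = lambda s: sum(BITS[c] for c in s if c in BITS)   # 'r-x' -> 5
# Access ACLs from the post, trimmed to the entries that decide testgroup's access.
ACL_IGNORE_SYSTEM_ACLS = r"""# owner: testgroup
# group: domain\040admins
user::rwx
user:testgroup:r-x
group::r-x
group:testgroup:r-x
mask::rwx
other::---"""
ACL_SYSTEM_ACLS = r"""# owner: testgroup
# group: domain\040admins
user::rwx
group::rwx
group:testgroup:rwx
mask::rwx
other::---"""

def parse_getfacl(output):
    """Return (owner, owning group, [(tag, qualifier, bits)], mask bits)."""
    meta, entries, mask = {}, [], 7
    for line in output.splitlines():
        if line.startswith("# "):                 # '# owner: x' / '# group: y'
            key, _, val = line[2:].partition(":")
            meta[key] = val.strip().replace(r"\040", " ")   # getfacl escapes spaces
        elif line and not line.startswith("default:"):     # default: seeds children only
            tag, qual, p = line.split(":")
            if tag == "mask":
                mask = perms(p)
            else:
                entries.append((tag, qual.replace(r"\040", " "), perms(p)))
    return meta.get("owner"), meta.get("group"), entries, mask

def has_access(output, user, groups, wanted):
    """POSIX.1e order: owner, named user, owning/named groups, other (mask hits the middle two)."""
    owner, og, entries, mask = parse_getfacl(output)
    if user == owner:
        return any(t == "user" and not q and (p & wanted) == wanted for t, q, p in entries)
    for t, q, p in entries:
        if t == "user" and q == user:
            return (p & mask & wanted) == wanted
    matching = [p for t, q, p in entries if t == "group" and (q or og) in groups]
    if matching:                              # any one matching group entry may grant it
        return any((p & mask & wanted) == wanted for p in matching)
    return any(t == "other" and (p & wanted) == wanted for t, q, p in entries)
def can_create_in(output, user, groups):
    return has_access(output, user, set(groups), WRITE_EXEC)
```

Run against the first ACL, alice only matches group:testgroup:r-x (the owner entry belongs to the uid "testgroup", not to the group's members), so creating anything is refused; against the second ACL the same entry carries rwx and creation succeeds.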