[Samba] Behavior of acl_xattr:ignore system acls = yes on a share

Peter Milesson miles at atmos.eu
Wed Jan 31 13:17:37 UTC 2024


Hi Sebastian,

The problem in the first place is that acl_xattr:ignore system acls =
yes does not work as expected. If I create the share according to Ralph
Böhme's recommendation, there is no security.NTACL created at all, and I
cannot change any security objects for the share. If I create and use
the share without acl_xattr:ignore system acls = yes, then I get the
security.NTACL. But then the share is only later usable WITHOUT the
acl_xattr:ignore system acls = yes parameter set. If I use this
parameter after setting up the share, then the permissions are set
permanently for all sub folders and files. Even if I edit permissions
for a sub folder or a file, what's defined in the root share security
settings applies, even if it does not look that way when examining file
properties.

Of course, I could skip the whole acl_xattr:ignore system acls = yes
stuff and get a fairly well working share, but now there definitely
seems to be a problem using this parameter, and the problems should be
resolved. Either there is a bug in Samba, or there is something fishy in
my setup.

As you can see from my configuration information, I use Debian Bookworm
with Samba from backports. All necessary prerequisites are included here.

Best regards,

Peter

On 31.01.2024 13:25, Sebastian Neustein via samba wrote:
> Does your filesystem support extended attributes? What does "getfattr -n
> security.NTACL filename" return?
>
> On 30.01.2024 16:13, Peter Milesson wrote:
>> Hi folks,
>>
>> It seems that the setting acl_xattr:ignore system acls = yes reduces
>> Windows compatibility when defined for a share. In all attempts I have
>> used Windows tools (except editing smb.conf).
>>
>> Assume there is a share, where the files and folders in the share root
>> should at least be readable by anybody having access to the share. For
>> the sake of simplicity the following permissions apply on the share:
>>
>> Inheritance disabled
>> Owner: root (Unix User\root)
>> Domain Admins: full control (this folder, subfolder and files)
>> Testgroup: read & execute (this folder, subfolder and files)
>> System: full control (this folder, subfolder and files)
>> creator owner: (this folder, subfolder and files)
>>
>> I want, however, to set ownership and access permissions for different
>> groups to different sub folders. So with acl_xattr:ignore system acls
>> = yes I create the sub folder Testfolder, set testgroup as owner, and
>> disable inheritance. When checking the permissions on the folder
>> with getfacl I get:
>>
>> # file: Testfolder
>> # owner: testgroup
>> # group: domain\040admins
>> user::rwx
>> user:root:rwx
>> user:domain\040admins:rwx
>> user:testgroup:r-x
>> group::r-x
>> group:NT\040Authority\\system:rwx
>> group:domain\040admins:rwx
>> group:testgroup:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:domain\040admins:rwx
>> default:user:testgroup:r-x
>> default:group::r-x
>> default:group:NT\040Authority\\system:rwx
>> default:group:domain\040admins:rwx
>> default:group:testgroup:r-x
>> default:mask::rwx
>> default:other::---
>>
>> WITHOUT acl_xattr:ignore system acls = yes I create Testfolder2, and
>> again set testgroup as owner and disable inheritance. The
>> resulting getfacl is:
>>
>> # file: Testfolder2
>> # owner: testgroup
>> # group: domain\040admins
>> user::rwx
>> user:domain\040admins:rwx
>> group::rwx
>> group:NT\040Authority\\system:rwx
>> group:domain\040admins:rwx
>> group:testgroup:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:domain\040admins:rwx
>> default:user:testgroup:rwx
>> default:group::---
>> default:group:NT\040Authority\\system:rwx
>> default:group:domain\040admins:rwx
>> default:group:testgroup:rwx
>> default:mask::rwx
>> default:other::---
>>
>> In the first case (with acl_xattr:ignore system acls = yes), I get
>> access denied when trying to create anything whatsoever as a user
>> belonging to the testgroup. In the second case, no problem at all to
>> create files and folders for the user belonging to the testgroup.
>>
>> According to the documentation acl_xattr:ignore system acls = yes
>> should increase compatibility with Windows. IMHO, it does the
>> opposite. On my Windows server I have got no problems at all defining
>> a set of permissions for the share and then tweaking sub folders to
>> what I need.
>>
>> Either I have completely misunderstood the concept, or there is
>> something not working as it should.
>>
>> I would be very happy to get some explanations.
>>
>> Member server Debian Bookworm with Samba from backports (4.19.4)
>>
>> smb.conf below.
>>
>> Best regards,
>>
>> Peter
>>
>>
>> [global]
>>         security = ADS
>>         server role = member server
>>         realm = PRIVATE.TALPS
>>         workgroup = PRIVATE
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         log level = 1
>>         disable spoolss = Yes
>>         printcap name = /dev/null
>>         template homedir = /home/%U
>>         template shell = /bin/bash
>>         timestamp logs = Yes
>>         username map = /etc/samba/user.map
>>         min domain uid = 0
>> #        winbind enum groups = Yes
>> #        winbind enum users = Yes
>>         winbind expand groups = 4
>> #       winbind offline logon = Yes
>>         winbind refresh tickets = Yes
>>         winbind use default domain = Yes
>>         idmap config * : backend = tdb
>>         idmap config * : range = 3000-9999
>>         idmap config private : backend = rid
>>         idmap config private : range = 10000-99999
>>         map acl inherit = Yes
>>         inherit acls = yes
>>         apply group policies = yes
>>         vfs objects = acl_xattr
>>
>> [Migrtest]
>>         path = /data/migrtest
>>         read only = no
>>         acl_xattr:ignore system acls = yes
>>
>
> -- 
> Sebastian Neustein
>
> Airport Research Center GmbH
> Bismarckstraße 61
> 52066 Aachen
> Germany
>
> Phone: +49 241 16843-23
> Fax: +49 241 16843-19
> e-mail:sebastian.neustein at arc-aachen.de
> Website:http://www.airport-consultants.com
>
> Register Court: Amtsgericht Aachen HRB 7313
> Ust-Id-No.: DE196450052
>
> Managing Director:
> Dipl.-Ing. Tom Alexander Heuer
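The two getfacl listings quoted above differ in exactly the entry that matters for the reported failure: group:testgroup is r-x on Testfolder and rwx on Testfolder2, and creating a file or folder needs "w" on the directory. As an added example (not from the thread, not Samba's code), the POSIX shell script below computes the effective permission of a named ACL entry from getfacl output, applying the mask:: entry as POSIX.1e does; the function names and the reduced sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Given getfacl(1) output on stdin,
# print the effective permission a named user/group entry grants once the
# POSIX.1e mask:: entry is applied (named entries are ANDed with the mask).
# Usage: effective_perms TAG NAME [default]   e.g. effective_perms group testgroup
effective_perms() {
    awk -v tag="$1" -v name="$2" -v scope="${3:-access}" '
        /^#/ || /^$/ { next }                   # "# file:" headers and blank lines
        {
            line = $0                           # default:* entries are a separate ACL
            if (sub(/^default:/, "", line)) { if (scope != "default") next }
            else if (scope == "default") next
            split(line, f, ":")                 # tag:qualifier:perms
            if (f[1] == "mask") mask = f[3]
            if (f[1] == tag && f[2] == name) perms = f[3]
        }
        END {
            if (perms == "") { print "none"; exit }
            if (mask == "") mask = "rwx"        # no mask entry: nothing is clipped
            for (i = 1; i <= 3; i++) {
                c = (substr(mask, i, 1) == "-") ? "-" : substr(perms, i, 1)
                out = out c
            }
            print out
        }'
}

# can_create TAG NAME < getfacl-output: succeeds only when the entry carries "w",
# which creating a file or folder inside the directory requires.
can_create() {
    case "$(effective_perms "$1" "$2")" in *w*) return 0 ;; *) return 1 ;; esac
}
# Constructed sample listings, reduced to the entries that matter for testgroup:
# TESTFOLDER_ACL mirrors the "with ignore system acls" case, TESTFOLDER2_ACL the other.
TESTFOLDER_ACL='# file: Testfolder
user::rwx
user:testgroup:r-x
group::r-x
group:testgroup:r-x
mask::rwx
other::---'
TESTFOLDER2_ACL='# file: Testfolder2
user::rwx
group::rwx
group:testgroup:rwx
mask::rwx
other::---'
printf '%s\n' "$TESTFOLDER_ACL"  | can_create group testgroup && echo "Testfolder: create OK"  || echo "Testfolder: access denied"
printf '%s\n' "$TESTFOLDER2_ACL" | can_create group testgroup && echo "Testfolder2: create OK" || echo "Testfolder2: access denied"
```

Run it against real output with `getfacl /data/migrtest/Testfolder | effective_perms group testgroup`; pass `default` as the third argument to inspect the default ACL that new children inherit.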
