[Samba] How to set up a simple file server with full ACL support?

Rowland Penny rpenny at samba.org
Fri May 24 12:34:57 UTC 2024


On Fri, 24 May 2024 11:26:41 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 24 May 2024 20:58:02 +1200
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> 
> > On Wed, 2024-05-22 at 21:05 -0700, Jeremy Allison wrote:
> > > On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via
> > > samba wrote:
> > > > After 23 years answering questions here, I figure it might be
> > > > time for me to ask one.
> > > > 
> > > > As mentioned here:
> > > > https://lists.samba.org/archive/samba-technical/2024-May/138969.html
> > > > I am working with a client to improve a Go SMB client library.
> > > > 
> > > > They want to manipulate ACLs on SMB, which is a very reasonable
> > > > thing to want to do.
> > > > 
> > > > What we had a lot of trouble with is simply setting Samba up as
> > > > a standalone fileserver able to accept arbitrary NT ACL changes.
> > > > ..
> > > > However, despite connecting as root (within a docker container),
> > > > we just get ACL errors that seem to be from Samba checking and
> > > > failing against some existing (mapped) presumably ACL.
> > > > 
> > > > I don't have the exact error strings to hand (was on the
> > > > client's dev box) but I've been asked to provide a working set
> > > > of steps to get arbitrary windows ACLs working on modern
> > > > standalone Samba server.
> > > 
> > > My guess would be docker container issues.
> > > 
> > > Try setting up a bog-standard stand-alone fileserver (not on
> > > docker) - no containerization, just using local users and NTLM
> > > auth.
> > > 
> > > Get ACL then set with smbcacls.
> > 
> > Thanks so much.  It works with a real VM, and fails on the Docker
> > image.
> > 
> > The difference in the returned ACL, being the default created by a
> > root user uploaded with smbclient is:
> > 
> > (VM) O:S-1-5-21-453318200-1757343522-2642056891-1000G:S-1-5-21-453318200-1757343522-2642056891-513D:(A;;FA;;;S-1-5-21-453318200-1757343522-2642056891-1000)(A;;0x1200a9;;;S-1-5-21-453318200-1757343522-2642056891-513)(A;;0x1200a9;;;WD)
> 
> Hi Andrew, just a question, you said that you were setting up a
> standalone server, so how have you got the RID for Domain Users?
> 
> Rowland
>

This got me wondering, so I created a share on a Debian 12 standalone
server. I connected to this share from a domain joined computer, but as
a Samba user local to the standalone server i.e. not a domain user. I
got similar results to Andrew, the group 'Domain Users' was used even
though the SID was the local SID and the local Samba user isn't a
member of 'Domain Users' (it is a member of 'users'). This cannot be
right.

Rowland


