Web lists-archives.com

Re: [Samba] ACL set in Windows not set in Samba




>> Side question: How is it even possible that Windows "remembers" the 
>> ACL it sets but it's not visible on Linux when using getfacl?

Windows ACLs are being stored in Extended Attributes using the acl_xattr vfs module. Linux ACLs are not there because the line

acl_xattr:ignore system acls = yes

is telling Samba not to write them.

On 13 May 2018 21:25, Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> On 13 May 2018 at 21:17, Viktor Trojanovic <viktor@xxxxxxxx> wrote: 
>
> > Hi Rowland, 
> > 
> > Thanks for replying again. 
> > 
> > On 13 May 2018 at 18:12, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> 
> > wrote: 
> > 
> >> On Sun, 13 May 2018 17:39:39 +0200 
> >> Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote: 
> >> 
> >> [...] 
> >> 
> >> >   username map = /etc/samba/samba_usermap 
> >> 
> >> What is in the 'samba_usermap' ? 
> >> 
> > 
> > !root = SAMDOM\Administrator SAMDOM\administrator 
> > 
> > 
> >> 
> >> > [myshare] 
> >> >   path = /srv/samba/myshare 
> >> >   comment = "My Data" 
> >> >   guest ok = no 
> >> >   writeable = yes 
> >> >   create mask = 0666 
> >> >   directory mask = 0777 
> >> >   acl_xattr:ignore system acls = yes 
> >> 
> >> As you are trying to use Windows ACLs, you should follow the info on 
> >> the page you linked and stop getting creative ;-) 
> >> 
> > 
> > Trust me, I have no intention of getting creative. This is how I set up 
> > the share a year or two ago and haven't changed it in the meantime. It used 
> > to work. Now all of a sudden something doesn't. 
> > 
> > 
> >> Remove the 'guest ok' line, it is the default. 
> >> Remove the two 'mask' lines, the last line is actually telling Samba 
> >> to ignore them. 
> >> 
> > 
> > Yes, I read that, but didn't hurry to remove them as they shouldn't hurt. 
> > Will do so now, though. 
> > 
> > 
> >> 
> >> > Slightly off topic: Is my assumption correct that gidNumbers and 
> >> > uidNumbers do not need to be distinct between each other, i.e. can a 
> >> > user have the same number as uidNumber that a group has as gidNumber? 
> >> 
> >> Yes, whilst every user must have a unique uidNumber and every group 
> >> must have a unique gidNumber, there is nothing stopping a user and a 
> >> group having the same number. 
> >> 
> >> 
> > That's what I thought, thanks. 
> > 
> > Not knowing what else to try, I'll just go ahead and restart everything 
> > and see if this has any impact. 
> > 
>
> Restarting everything didn't help. 
>
> Situation is as follows: I have the share "myshare" exactly as described in 
> smb.conf above. Within this share, from within Windows and as 
> SAMDOM\Administrator, I'm creating a new folder. This new folder by default 
> only has permissions for "Domain Admins". So, still using Windows, I'm 
> changing the ACL and include "Domain Users", for example. This group exists 
> and has a unique gidNumber. 
>
> $ getent group 
> [...] 
> domain users:x:10000: 
> domain admins:x:10001: 
> [...] 
>
> I save this setting and Windows shows me that the group "Domain Users" is 
> permitted on the folder. 
>
> Back to Linux, however, getfacl still shows only "Domain Admins". 
>
> $ getfacl /srv/samba/myshare/Test/ 
> # file: Test/ 
> # owner: root 
> # group: root 
> user::rwx 
> user:root:rwx 
> group::--- 
> group:domain\040admins:rwx 
> mask::rwx 
> other::--- 
> default:user::rwx 
> default:user:root:rwx 
> default:group::--- 
> default:group:domain\040admins:rwx 
> default:mask::rwx 
> default:other::--- 
>
> Side question: How is it even possible that Windows "remembers" the ACL it 
> sets but it's not visible on Linux when using getfacl? 
>
> Anyway, hope someone can give me a helpful hint as to what I'm doing wrong. 
>
> Viktor 
> -- 
> To unsubscribe from this list go to the following URL and read the 
> instructions:  https://lists.samba.org/mailman/options/samba 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba