Re: [Samba] ACL set in Windows not set in Samba
- Date: Sun, 13 May 2018 21:52:10 +0100
- From: Miguel Medalha via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] ACL set in Windows not set in Samba
>> Side question: How is it even possible that Windows "remembers" the
>> ACL it sets but it's not visible on Linux when using getfacl?
Windows ACLs are being stored in Extended Attributes using the acl_xattr vfs module. Linux ACLs are not there because the line
acl_xattr:ignore system acls = yes
is telling Samba not to write them.
On 13 May 2018 21:25, Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote:
> On 13 May 2018 at 21:17, Viktor Trojanovic <viktor@xxxxxxxx> wrote:
> > Hi Rowland,
> > Thanks for replying again.
> > On 13 May 2018 at 18:12, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
> > wrote:
> >> On Sun, 13 May 2018 17:39:39 +0200
> >> Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >> [...]
> >> > username map = /etc/samba/samba_usermap
> >> What is in the 'samba_usermap' ?
> > !root = SAMDOM\Administrator SAMDOM\administrator
> >> > [myshare]
> >> > path = /srv/samba/myshare
> >> > comment = "My Data"
> >> > guest ok = no
> >> > writeable = yes
> >> > create mask = 0666
> >> > directory mask = 0777
> >> > acl_xattr:ignore system acls = yes
> >> As you are trying to use Windows ACLs, you should follow the info on
> >> the page you linked and stop getting creative ;-)
> > Trust me, I have no intention of getting creative. This is how I set up
> > the share a year or two ago and haven't changed it in the meantime. It used
> > to work. Now all of a sudden something doesn't.
> >> Remove the 'guest ok' line, it is the default.
> >> Remove the two 'mask' lines, the last line is actually telling Samba
> >> to ignore them.
> > Yes, I read that, but didn't hurry to remove them as they shouldn't hurt.
> > Will do so now, though.
> >> > Slightly off topic: Is my assumption correct that gidNumbers and
> >> > uidNumbers do not need to be distinct between each other, i.e. can a
> >> > user have the same number as uidNumber that a group has as gidNumber?
> >> Yes, whilst every user must have a unique uidNumber and every group
> >> must have a unique gidNumber, there is nothing stopping a user and a
> >> group having the same number.
> > That's what I thought, thanks.
> > Not knowing what else to try, I'll just go ahead and restart everything
> > and see if this has any impact.
> Restarting everything didn't help.
> Situation is as follows: I have the share "myshare" exactly as described in
> smb.conf above. Within this share, from within Windows and as
> SAMDOM\Administrator, I'm creating a new folder. This new folder by default
> only has permissions for "Domain Admins". So, still using Windows, I'm
> changing the ACL and include "Domain Users", for example. This group exists
> and has a unique gidNumber.
> $ getent group
> domain users:x:10000:
> domain admins:x:10001:
> I save this setting and Windows shows me that the group "Domain Users" is
> permitted on the folder.
> Back to Linux, however, getfacl still shows only "Domain Admins".
> $ getfacl /srv/samba/myshare/Test/
> # file: Test/
> # owner: root
> # group: root
> Side question: How is it even possible that Windows "remembers" the ACL it
> sets but it's not visible on Linux when using getfacl?
> Anyway, hope someone can give me a helpful hint as to what I'm doing wrong.
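Added example (not from the thread or the Samba project): a small smb.conf check that flags shares where, as the reply at the top describes, Windows ACLs go to extended attributes and no POSIX ACL is written, so getfacl output says nothing about the permissions set from Windows. The `[global]` section, the `[plain]` share and the function names are assumptions; parameter names are matched only in their spaced spelling.

```python
import re

# Constructed sample: the [myshare] lines come from the thread; the [global]
# section is an assumption (the thread elides it), as is the [plain] share.
SAMPLE = """\
[global]
    vfs objects = acl_xattr
[myshare]
    path = /srv/samba/myshare
    create mask = 0666
    directory mask = 0777
    acl_xattr:ignore system acls = yes
[plain]
    vfs objects =
"""
YES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_share_acls(text):
    """Map each share to notes on where its ACLs live and what getfacl shows."""
    conf = parse_smb_conf(text)
    report = {}
    for name, share in ((n, s) for n, s in conf.items() if n != "global"):
        eff = {**conf.get("global", {}), **share}  # share values override [global]
        notes = []
        if "acl_xattr" in eff.get("vfs objects", "").split():
            notes.append("NT ACL stored in an extended attribute")
            if eff.get("acl_xattr:ignore system acls", "no").lower() in YES:
                notes.append("POSIX ACL not written; getfacl will not show it")
                notes += [f"'{p}' is ignored" for p in
                          ("create mask", "directory mask") if p in share]
        report[name] = notes
    return report
```

Calling `audit_share_acls(SAMPLE)` returns an empty list for `[plain]`, which overrides the global module list, and four notes for `[myshare]`.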