Re: [Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
- Date: Fri, 21 Sep 2018 09:11:21 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon
On Fri, 21 Sep 2018 09:35:13 +0200
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> Hai Rowland,
> So far i've seen, the output of getfacl is exact of what is set in
> secrutiy.NTACL. If that isnt the case then we have a problem in my
> opinion. And you could compair it with : getfattr -n security.NTACL
> And I would not ignore the getfacl even with the known limitation of
> the "SYSTEM" and some other BUILTIN\xxx.. Users/groups. As long we
> see these (missing) names/groups in numbers im fine with it. Linux is
> not windows.
> Imo, setting like this has only one problem, changing to much with
> CHMOD/CHOWN, that might kill the acls and you need to set it again
> FROM WINDOWS!
> This is why you set it, export the settings with getfacl ( if needed
> recusive ) handy to have that if you need to recover. You set the
> acls in linux first en from windows again and the both match again.
> Just dont touch it after you've set it.
> Om totaly open for a better setup ;-) and if im wrong here please
> tell me, only with comments, we learn.
Try reading 'man vfs_acl_xattr'
This plainly says that ACLs are stored in the EA 'security.NTACL'
It also says that when 'acl_xattr:ignore system acls' is set to
'yes', it will not map to or from the POSIX Layer i.e. the Unix OS.
It also says the following settings will be enforced:
create mask = 0666
directory mask = 0777
map archive = no
map hidden = no
map readonly = no
map system = no
store dos attributes = yes
To unsubscribe from this list go to the following URL and read the