
Re: [Samba] Fwd: Extended acls with AD - problem with default/inherited permissions




Hello Dale,

I set map acl inherit = yes in global parameters of smb.conf
and set inherit owner = yes locally to my share "groups" of smb.conf

I have followed the wiki https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
It says:
"To configure shares using extended access control lists (ACL), you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes"

Do you mean I should try to add:
inherit acls = yes locally to my share "groups"?

Should I remove map acl inherit = yes from the global parameters of smb.conf?


Edouard

On 10/12/2018 at 14:58, Dale wrote:
Edouard,

These are the 4 available parameters containing the word "inherit".

       inherit acls (S)
       inherit owner (S)
       inherit permissions (S)
       map acl inherit (S)


Would "inherit acls" work for you?

Dale


On 12/10/18 10:56 AM, Edouard Guigné via samba wrote:
Hello,

In addition to my previous mail, the only way I found to stop the acl "Domain Users" from being added is with:

inherit owner = yes

This has the advantage of copying exactly the default acl defined on the parent folder. But it has the disadvantage of not showing which user created a folder/file and the ownership.

Does something like "inherit group owner = yes" exist?
chmod g+s has no effect on my configuration.

Best Regards,

EdG



-------- Forwarded Message --------
Subject:     Extended acls with AD - problem with default/inherited permissions
Date:     Mon, 10 Dec 2018 10:47:20 -0300
From:     Edouard Guigné <eguigne@xxxxxxxxxxxxxxxxxx>
To:     samba@xxxxxxxxxxxxxxx



Hello,

I set up a share on a samba 4.7.1 domain member with an Active Directory controller; this share is used by all domain users.

All users from the AD domain have a primary group "Domain Users", and secondary groups to filter access to the folders of the share. I noticed that when a user creates a sub-folder/file inside a "Top folder", the default permissions from the "Top folder" are inherited correctly, but the acl "Domain Users" is always added.

I found a link https://bugzilla.samba.org/show_bug.cgi?id=8938 about this. So I made a test with "acl_xattr:ignore system acls = yes" in my smb.conf; but it seems to disable extended acls on some folders...
This is not a solution.

I also tried chmod g+s on the "Top folders", but the acl "Domain Users" is still added.

I think something is wrong in my smb.conf; below is the result of testparm:

# Global parameters
[global]
        client max protocol = SMB3
        client min protocol = SMB2
        client signing = required
        disable spoolss = Yes
        domain master = No
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        log file = /var/log/samba/%m.log
        name resolve order = wins bcast host lmhosts
        preferred master = No
        printcap name = /dev/null
        realm = IPGAD.PASTEUR-CAYENNE.FR
        security = ADS
        server signing = required
        winbind nss info = rfc2307
        workgroup = IPGAD
        idmap config ipgad : unix_primary_group = yes
        idmap config ipgad : unix_nss_info = yes
        idmap config ipgad : range = 1-14999
        idmap config ipgad : schema_mode = rfc2307
        idmap config ipgad : backend = ad
        idmap config * : range = 15000-99999
        idmap config * : backend = tdb
        cups options = raw
        hosts allow = 127. 10.9.8.
        hosts deny = 10.9.9.
        map acl inherit = Yes
        store dos attributes = Yes
        use sendfile = Yes
        vfs objects = acl_xattr


[groups]
        comment = jaguar2
        path = /var/datashared
        read only = No
        valid users = "@utilisateurs du domaine@xxxxxxxxxxxxxxxxxxxxxxxx"
        vfs objects = acl_xattr streams_xattr shadow_copy2
        shadow:format = daily_%Y.%m.%d-%H.%M.%S
        shadow:localtime = yes
        shadow:sort = desc
        shadow:basedir = /var/datashared
        shadow:snapdir = /data/datashared/snapshots


[homes]
        browseable = No
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        hide files = /~*.tmp/profile/desktop.ini/~$*/
        path = /home
        read only = No
        valid users = "@utilisateurs du domaine@xxxxxxxxxxxxxxxxxxxxxxxx"

Can you help me understand/solve the situation?

EdG
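
As an added example (not from the thread, not Samba's own tooling), the small POSIX shell/awk helper below reads testparm-style smb.conf text from stdin and reports the effective value of a parameter for one share, applying the rule from Dale's list that a share-level (S) parameter placed in [global] is only the default and is overridden by the same parameter inside the share section. The embedded SAMPLE_CONF is constructed to mirror Edouard's setup (map acl inherit in [global], inherit owner in [groups]); the function name and its "(share)/(global default)/unset" output labels are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: map acl inherit set globally, inherit owner set on the share.
SAMPLE_CONF='[global]
        map acl inherit = Yes
        vfs objects = acl_xattr

[groups]
        path = /var/datashared
        inherit owner = yes
        vfs objects = acl_xattr streams_xattr shadow_copy2
'

# effective_param SHARE PARAM  (smb.conf text on stdin)
# Prints the share-level value if set, else the [global] default, else "unset".
effective_param() {
    share="$1" param="$2"
    awk -v share="$share" -v param="$param" '
        # Section header: remember which section we are in.
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {
            sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec); next
        }
        # Skip comments and lines that are not key = value.
        /^[[:space:]]*[;#]/ || !/=/ { next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == param) {
                if (sec == "global") g = val      # default for every share
                else if (sec == share) s = val    # share section wins
            }
        }
        END {
            if (s != "") print s " (share)"
            else if (g != "") print g " (global default)"
            else print "unset (Samba default)"
        }'
}

# Show the four "inherit" parameters Dale listed, as they apply to [groups].
for p in "inherit acls" "inherit owner" "inherit permissions" "map acl inherit"; do
    printf '%-20s %s\n' "$p:" "$(printf '%s' "$SAMPLE_CONF" | effective_param groups "$p")"
done
```

Feed it real output with `testparm -s /etc/samba/smb.conf | effective_param groups "map acl inherit"` to see which section actually supplies each value.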


