Samba4 and "inherit permissions ="

Samba - General mailing list
After a decent amount of online searches, I am a little bit lost on the
subject of Samba4 in AD mode and ACL's. Could anybody help with the
following please:

1. Is it correct that my default ACL's are being ignored (new files
created don't follow the default ACL's permissions of the parent folder)
because "inherit permissions = " is set to No by default in smb.conf?

2. Is "inherit permissions = " still a valid option in smb.conf for
Samba4 in AD mode, or has it been deprecated?

3. Does "inherit permissions = " have the same effect as clicking
"Enable inheritance" button on the Windows side in the share settings?



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba4 and "inherit permissions ="

Samba - General mailing list
On Fri, 5 May 2017 11:21:14 +0100
Sebastian Arcus via samba <[hidden email]> wrote:

> After a decent amount of online searches, I am a little bit lost on
> the subject of Samba4 in AD mode and ACL's. Could anybody help with
> the following please:
>
> 1. Is it correct that my default ACL's are being ignored (new files
> created don't follow the default ACL's permissions of the parent
> folder) because "inherit permissions = " is set to No by default in
> smb.conf?
>
> 2. Is "inherit permissions = " still a valid option in smb.conf for
> Samba4 in AD mode, or has it been deprecated?
>
> 3. Does "inherit permissions = " have the same effect as clicking
> "Enable inheritance" button on the Windows side in the share settings?
>
>
>

If you are using an AD DC as a fileserver, you do not add anything to
the share other than the path and read only mode; you need to set the
ACLs from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland




Re: Samba4 and "inherit permissions ="

Samba - General mailing list

On 05/05/17 12:01, Rowland Penny via samba wrote:

> On Fri, 5 May 2017 11:21:14 +0100
> Sebastian Arcus via samba <[hidden email]> wrote:
>
>> After a decent amount of online searches, I am a little bit lost on
>> the subject of Samba4 in AD mode and ACL's. Could anybody help with
>> the following please:
>>
>> 1. Is it correct that my default ACL's are being ignored (new files
>> created don't follow the default ACL's permissions of the parent
>> folder) because "inherit permissions = " is set to No by default in
>> smb.conf?
>>
>> 2. Is "inherit permissions = " still a valid option in smb.conf for
>> Samba4 in AD mode, or has it been deprecated?
>>
>> 3. Does "inherit permissions = " have the same effect as clicking
>> "Enable inheritance" button on the Windows side in the share settings?
>>
>>
>>
>
> If you are using an AD DC as a fileserver, you do not add anything to
> the share other than the path and read only mode; you need to set the
> ACLs from Windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>

Thank you for that. Where I got confused is that many howtos seem to
suggest that ACL's can be managed either from the Windows side, or with
setfacl on the Linux side.

I noticed that if I have the following ACL's

# file: VAT
# owner: root
# group: MYDOM\134domain\040users
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::---

The inheritance doesn't work correctly, in spite of the default ACL's.
It seems that it only works correctly if there is an explicit default
ACL for "Domain Users" - in spite of the fact that "Domain Users" is
the owning group, and there is a default ACL for the owning group. Is
this by design?
