Univention Bugzilla – Bug 47850
Missing parameter to set up a share using Windows ACLs
Last modified: 2018-11-28 12:10:47 CET
Currently only the share parameter inherit acls is set when checking "inherit acls = 1". However, according to Samba Wiki, this refers ONLY to POSIX ACLs.
In the Samba Wiki it says under https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, that for Windows ACLs the following share parameters are necessary.
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
'vfs objects' is set by default, 'store dos attributes' is already set in smb.conf. The parameter
map acl inherit = yes
If this parameter is added to the advanced settings → "samba custom settings", the inheritance also works in profile shares.
We should also set this parameter in the UMC by default.
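The three share parameters the Wiki lists (and the observation in the bug that only "inherit acls" is currently emitted) are easy to miss in a large smb.conf, because a value may come from [global] rather than from the share itself. The following is an added example, not code from the bug report or from the univention-samba packages: it parses a constructed smb.conf, resolves each share's effective settings against [global], and reports shares that request Windows ACL inheritance ("nt acl support" plus "inherit acls") but lack acl_xattr, "map acl inherit = yes" or "store dos attributes = yes". The sample configuration, the share names and the function names are assumptions; it deliberately does not model Samba's compiled-in defaults beyond "nt acl support", so an unset parameter is reported conservatively.

```python
"""Report Samba shares that request Windows-ACL inheritance but lack the Wiki's share parameters."""

# Constructed sample smb.conf (not from any real system).
# [profiles] only carries the two values the UMC currently emits; [docs] has the full set.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    store dos attributes = yes
    vfs objects = acl_xattr

[profiles]
    path = /home/profiles
    nt acl support = yes
    inherit acls = 1

[docs]
    path = /srv/docs
    nt acl support = yes
    inherit acls = yes
    map acl inherit = yes

[public]
    path = /srv/public
    nt acl support = no
"""

TRUE_VALUES = {"yes", "true", "1"}

# Compiled-in Samba defaults this check relies on when a parameter is unset.
# Assumption: only "nt acl support" is modelled (it defaults to yes); everything
# else is treated as missing when unset, which errs on the side of reporting.
SAMBA_DEFAULTS = {"nt acl support": "yes"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section_name: {parameter: value}}.

    Section names and parameter names are lower-cased and whitespace-normalised,
    mirroring Samba's case-insensitive handling. '#' and ';' start comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})  # a repeated [global] block merges
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective(sections, share, key):
    """A share's own value wins; otherwise [global] supplies the default for every share."""
    share_value = sections.get(share, {}).get(key)
    if share_value is not None:
        return share_value
    global_value = sections.get("global", {}).get(key)
    if global_value is not None:
        return global_value
    return SAMBA_DEFAULTS.get(key)


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def shares_missing_windows_acl_params(sections):
    """Return {share: [missing parameter lines]} for shares that want Windows ACL inheritance."""
    findings = {}
    for share in sections:
        if share == "global":
            continue
        wants_windows_acls = is_true(effective(sections, share, "nt acl support")) and is_true(
            effective(sections, share, "inherit acls")
        )
        if not wants_windows_acls:
            continue
        missing = []
        vfs_modules = (effective(sections, share, "vfs objects") or "").split()
        if "acl_xattr" not in vfs_modules:
            missing.append("vfs objects = acl_xattr")
        if not is_true(effective(sections, share, "map acl inherit")):
            missing.append("map acl inherit = yes")
        if not is_true(effective(sections, share, "store dos attributes")):
            missing.append("store dos attributes = yes")
        if missing:
            findings[share] = missing
    return findings


if __name__ == "__main__":
    for share, missing in shares_missing_windows_acl_params(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        print(f"[{share}] missing: " + ", ".join(missing))
```

Because `effective()` falls back to [global], the same function also shows the effect of the Wiki's alternative of putting "map acl inherit = yes" into the global section: once it is there, no share is reported, which is exactly the "fix every file server in one place" trade-off discussed later in this bug.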
set 'map acl inherit = yes' if univentionShareSambaNtAclSupport and univentionShareSambaInheritAcls are set
41a71556033ad3ecfacb67815c728d52b039e8cf - univention-samba4
d03c3b48ab19acb61c9629cbdff1d8f9231b4fc8 - yaml
Please consider the univention-samba package too, since we don't have univention-samba4 installed.
2ec7403f52f13ed087c00616ce4757d0996464a5 - univention-samba
b3d4b3dfce708f9a9ba8b7c5c7419af35f64dd9b - univention-samba.yaml
In section https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File the Wiki article says:
"On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically enabled globally. You must not enable the support manually."
"must not" == "darf nicht".
So, I'm fine with setting this in univention-samba, but I'm unsure about univention-samba4. I cannot see any damage done by setting this parameter; I guess the wiki article wording is too strong at this point. On the other hand, the text is marked with an exclamation mark. Did you check that this is OK on a Samba AD DC? Did you check if the user.SAMBA_PAI cannot be found already in the file share backing the share without this change?
The wiki article also recommends putting "map acl inherit" into the global section to make it default for all shares. That would have the advantage that the customers affected by this don't need to touch every share on every file server.
user.SAMBA_PAI seems to be set only if "map acl inherit = yes" is configured, even on a DC
(In reply to Arvid Requate from comment #5)
> The wiki article also recommends putting "map acl inherit" into the global
> section to make it default for all shares. That would have the advantage
> that the customers affected by this don't need to touch every share on every
> file server.
Not sure; we have a per-share config "Inherit ACLs", so making this a global option is even more confusing.
PS: "map acl inherit = yes" works with sysvol, but the samba restart confused my "Group Policy Editor".
new Bug #48222 for sysvol ... share config
If I correctly understand the smb.conf man page the "map acl inherit" can be set without "inherit acls", but it's ok.