Bug 47850 - Missing parameter to set up a share using Windows ACLs
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
Depends on:
Blocks:
Reported: 2018-09-21 16:45 CEST by Christina Scheinig
Modified: 2018-11-28 12:10 CET (History)
CC: 7 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018092121000827
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2018-09-21 16:45:38 CEST
Currently only the share parameter inherit acls is set when checking "inherit acls = 1". However, according to Samba Wiki, this refers ONLY to POSIX ACLs.

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

In the Samba Wiki it says under https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs, that for Windows ACLs the following share parameters are necessary.

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes


'vfs objects' is set by default, 'store dos attributes' is already set in smb.conf. The parameter
 
map acl inherit = yes
is missing.
If this parameter is added to the advanced settings → "samba custom settings", the inheritance also works in profile shares.

We should also set this parameter in the UMC by default.
Comment 1 Felix Botner univentionstaff 2018-11-26 12:50:45 CET
set 'map acl inherit = yes' if univentionShareSambaNtAclSupport and univentionShareSambaInheritAcls are set

41a71556033ad3ecfacb67815c728d52b039e8cf - univention-samba4
d03c3b48ab19acb61c9629cbdff1d8f9231b4fc8 - yaml
Comment 2 Stephan Hendl 2018-11-26 13:10:39 CET
Please consider the univention-samba package too, since we don't have univention-samba4 installed.
Comment 3 Felix Botner univentionstaff 2018-11-26 13:53:34 CET
2ec7403f52f13ed087c00616ce4757d0996464a5 - univention-samba
b3d4b3dfce708f9a9ba8b7c5c7419af35f64dd9b - univention-samba.yaml
Comment 4 Arvid Requate univentionstaff 2018-11-27 09:04:20 CET
In section https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File the Wiki article says:

"On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically enabled globally. You must not enable the support manually."

"must not" == "darf nicht".

So, I'm fine with setting this in univention-samba, but I'm unsure about univention-samba4. I cannot see any damage done by setting this parameter, I guess the wiki article wording is too strong at this point. On the other hand, the text is marked with an exclamation mark. Did you check that this is OK on a Samba AD DC? Did you check if the user.SAMBA_PAI cannot be found already in the file share backing the share without this change?
Comment 5 Arvid Requate univentionstaff 2018-11-27 09:45:50 CET
The wiki article also recommends putting "map acl inherit" into the global section to make it default for all shares. That would have the advantage that the customers affected by this don't need to touch every share on every file server.
Comment 6 Felix Botner univentionstaff 2018-11-27 10:52:23 CET
user.SAMBA_PAI seems to be set only if "map acl inherit = yes" is configured, even on a DC

(In reply to Arvid Requate from comment #5)
> The wiki article also recommends putting "map acl inherit" into the global
> section to make it default for all shares. That would have the advantage
> that the customers affected by this don't need to touch every share on every
> file server.

not sure, we have a per share config "Inherit ACLs", so making this a global option is even more confusing

PS: "map acl inherit = yes" works with sysvol, but the Samba restart confused my "Group Policy Editor"

new Bug #48222 for sysvol ... share config
Comment 7 Arvid Requate univentionstaff 2018-11-27 12:09:28 CET
If I correctly understand the smb.conf man page the "map acl inherit" can be set without "inherit acls", but it's ok.
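An added audit example for the situation in the description and the alternative raised in comment 5 (this is example code written for this page, not UCS or Samba code): it reads an smb.conf, finds every share where "inherit acls = yes" has been written (what the "Inherit ACLs" checkbox produces) and reports which of the three Windows-ACL parameters from the Samba wiki are missing, accepting a parameter either on the share or in [global]. The smb.conf reader, the sample configuration and the share names are constructed for the example; the audit only looks at what is written in the file, not at Samba's compiled-in defaults.

```python
import re

# Share parameters the Samba wiki lists for a share using Windows ACLs
# (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs).
REQUIRED_VFS_OBJECT = "acl_xattr"
REQUIRED_BOOLEANS = ("map acl inherit", "store dos attributes")

# Spellings Samba accepts for a true boolean parameter.
TRUE_VALUES = {"yes", "true", "1", "on"}

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Small reader for the common subset: [section] headers, 'name = value'
    lines and whole-line comments starting with '#' or ';'. Section and
    parameter names are lower-cased with whitespace collapsed, since Samba
    treats 'Map ACL Inherit' and 'map acl inherit' as the same parameter.
    Not handled (constructed example): 'include =', 'copy =', %-substitution.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = " ".join(match.group(1).lower().split())
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        sections[current][" ".join(name.lower().split())] = value.strip()
    return sections


def effective(sections, share, parameter):
    """Value a share sees: its own setting, else the [global] one, else None."""
    share_value = sections.get(share, {}).get(parameter)
    if share_value is not None:
        return share_value
    return sections.get("global", {}).get(parameter)


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def audit_windows_acl_shares(text):
    """Return {share: [missing settings]} for every share with
    'inherit acls = yes' that lacks a Windows-ACL parameter, on the share
    and in [global]. Unset parameters count as missing."""
    sections = parse_smb_conf(text)
    findings = {}
    for share in sections:
        if share == "global" or not is_true(effective(sections, share, "inherit acls")):
            continue
        missing = []
        vfs_objects = (effective(sections, share, "vfs objects") or "").split()
        if REQUIRED_VFS_OBJECT not in vfs_objects:
            missing.append("vfs objects = %s" % REQUIRED_VFS_OBJECT)
        for parameter in REQUIRED_BOOLEANS:
            if not is_true(effective(sections, share, parameter)):
                missing.append("%s = yes" % parameter)
        if missing:
            findings[share] = missing
    return findings


# Constructed sample modelled on the report: 'vfs objects' and
# 'store dos attributes' are set in [global], the profile share has
# 'inherit acls = yes', and 'map acl inherit' appears nowhere.
BEFORE = """\
[global]
    workgroup = EXAMPLE
    vfs objects = acl_xattr
    store dos attributes = yes

[profiles]
    path = /home/profiles
    inherit acls = yes
    read only = no

[scratch]
    path = /srv/scratch
    read only = no
"""

# Fix 1, per share: the parameter next to 'inherit acls' on the share itself.
FIXED_PER_SHARE = BEFORE.replace(
    "    inherit acls = yes\n", "    inherit acls = yes\n    map acl inherit = yes\n")

# Fix 2, the [global] alternative from comment 5: every share inherits it.
FIXED_GLOBAL = BEFORE.replace(
    "    store dos attributes = yes\n",
    "    store dos attributes = yes\n    map acl inherit = yes\n")


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("per share", FIXED_PER_SHARE),
                        ("global", FIXED_GLOBAL)):
        print(label, audit_windows_acl_shares(conf) or "OK")
```

The [scratch] share is skipped because it never enables "inherit acls"; as comment 7 notes, "map acl inherit" can also be set on its own, and the audit does not object to that. On a live server the same question can be put to Samba itself, assuming testparm and getfattr are installed: `testparm -s --section-name=profiles --parameter-name="map acl inherit"` prints the effective value for one share, and `getfattr -n user.SAMBA_PAI <file>` on a file written through the share shows whether the inheritance attribute from comment 6 is being stored.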