Score:0

Why do all users still have full access in my Samba server after I have set limited permissions?


I have a Debian 11 server running Samba that is hosting a share of a drive that's mounted in fstab. I have added "acl" to the fstab and installed acl in the Samba config.

To be clear: my end goal is a Samba share of a specific network drive that automatically mounts via group policy whenever a user logs in. On the Linux side, there are servers running with information output to this drive under the samba user. On the Windows side, users are able to access various folders with permissions based on groups. The "fileshare-admin" group has all permissions. Currently no other permissions were set because I ran into this problem while testing. Removing the fileshare-admin group from the permissions yields the same result. It's still accessible to everyone; even with deny permissions, anyone can still access any folder and file, which is what I'm looking to fix.

```
[FR-Fileshare]
   path = /mnt/cephfs/FR-Fileshare
   read only = no
   map acl inherit = Yes
   store dos attributes = Yes
   force user = samba
   force group = samba
   inherit permissions = yes
   acl_xattr:ignore system acl = yes
   inherit owner = yes
   inherit acls = yes
   nt acl support = yes
```

Permissions are set up and appear correctly in both Windows and Linux (outputs below); however, in the "sharing" tab it seems that full access is given to everyone. This appears as a "special permissions" grayed-out checkmark when not viewing in advanced mode. It seems to be inherited, though inheritance is off... which is why I believe this issue might stem from the Samba server side rather than Windows.

Is there something I should look at, like a setting or specific config? Let me know if you need more config files. This issue is a major security hole I can't seem to solve on my own. Any pointers or advice at all would be amazing and immensely helpful.

Here are the icacls and getfacl outputs for a folder named "test" and a file named "hi.txt" within it; both are afflicted with the "everyone has full access" issue.

```
PS Microsoft.PowerShell.Core\FileSystem::\\CEPH-GATEWAY\FR-Fileshare\test> icacls .
. FEATHERSFIRST\Fileserver-Admins:(OI)(CI)(F)
  FEATHERSFIRST\lanealucy:(OI)(CI)(F)
  S-1-22-1-1000:(F)
  S-1-22-2-1000:(F)
  ERSTELLER-BESITZER:(OI)(CI)(IO)(F)
  ERSTELLERGRUPPE:(OI)(CI)(IO)(RX)

1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.
```

getfacl on the Linux Samba server for the same folder:

```
root@ceph-gateway:/mnt/cephfs/FR-Fileshare/test# getfacl .
# file: .
# owner: samba
# group: samba
user::rwx
user:samba:rwx
user:FEATHERSFIRST\\lanealucy:rwx
group::rwx
group:samba:rwx
group:FEATHERSFIRST\\fileserver-admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:samba:rwx
default:user:FEATHERSFIRST\\lanealucy:rwx
default:group::r-x
default:group:samba:r-x
default:group:FEATHERSFIRST\\fileserver-admins:rwx
default:mask::rwx
default:other::---
```

And the file:

```
PS Microsoft.PowerShell.Core\FileSystem::\\CEPH-GATEWAY\FR-Fileshare\test> icacls hi.txt
hi.txt FEATHERSFIRST\Fileserver-Admins:(I)(F)
       FEATHERSFIRST\lanealucy:(I)(F)
       S-1-22-2-1000:(I)(RX)

1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.
```

With matching getfacl:

```
root@ceph-gateway:/mnt/cephfs/FR-Fileshare/test# getfacl hi.txt
# file: hi.txt
# owner: samba
# group: samba
user::rwx
user:samba:rwx
user:FEATHERSFIRST\\lanealucy:rwx
group::r-x
group:samba:r-x
group:FEATHERSFIRST\\fileserver-admins:rwx
mask::rwx
other::---
```

Update: I have used testparm and it says "acl compatibility = auto" is incorrect. But everywhere I look, it's spelled right and in the right place. I'm just so confused. fstab has acl on the drive directives and the fs supports acl. I made sure acl was installed with apt install acl... getfacl is working so .... it should work. Did Samba recently change this setting to something else?

Update: Here is an image of the "everyone has full control" screen. getfacl doesn't seem to see it and, as you can see here, the issue is in the "share" screen, so I'm not quite sure what to do. All options are greyed out no matter where I edit it from.

`is there something i should look at?` Include the ICACLS output for both the directory and a file. Also remove everything about the effective permissions and focus on the actual permissions.

Force group option
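
The following Python example is added here and is not from the original post or from Samba. It models the POSIX ACL check for the `test` directory once `force user` / `force group` have replaced the connecting client's identity, which smb.conf documents as applying to all file operations on the share. The trimmed share text and ACL are constructed from the question's output; the client name `FEATHERSFIRST\otheruser`, the hand-supplied group sets and the simplified group evaluation are assumptions.

```python
# Share parameters and getfacl output trimmed from the question (constructed sample).
SHARE = r"""[FR-Fileshare]
   force user = samba
   force group = samba
"""
GETFACL = r"""# owner: samba
# group: samba
user::rwx
user:FEATHERSFIRST\\lanealucy:rwx
group::rwx
group:FEATHERSFIRST\\fileserver-admins:rwx
mask::rwx
other::---
"""

def parse_share(text):
    """Map smb.conf parameter names (lower-cased, single-spaced) to values."""
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l)
    return {" ".join(k.lower().split()): v.strip() for k, _, v in pairs}

def parse_acl(text):
    """Return (owner, owning group, {(tag, qualifier): perms}) from getfacl text."""
    lines = text.splitlines()
    meta = dict(l[2:].split(": ") for l in lines if l.startswith("# "))
    rows = [l.split(":") for l in lines
            if l and l[0] != "#" and not l.startswith("default:")]
    perm = {(t, q): set(p) - {"-"} for t, q, p in rows}
    return meta["owner"], meta["group"], perm

def posix_access(acl, user, groups):
    """Simplified POSIX ACL order: owner, named user, groups (masked), other."""
    owner, ogroup, perm = acl
    mask = perm.get(("mask", ""), set("rwx"))
    if user == owner:
        return perm[("user", "")]
    if ("user", user) in perm:
        return perm[("user", user)] & mask
    hits = [p for (t, q), p in perm.items()
            if t == "group" and (q in groups or (q == "" and ogroup in groups))]
    if hits:
        return set().union(*hits) & mask
    return perm[("other", "")]

def effective_access(params, acl, client, client_groups):
    """Access the kernel grants after Samba switches to any forced identity."""
    user = params.get("force user", client)
    groups = {params["force group"]} if "force group" in params else set(client_groups)
    return "".join(sorted(posix_access(acl, user, groups)))
```

With the forced identity, any client is evaluated as the owner `samba` and receives `rwx`; with the two `force` parameters absent, the same client falls through to `other::---`.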