[Samba] Cannot change directory permissions

Rowland Penny rowlandpenny241155 at gmail.com
Fri Aug 7 11:47:56 UTC 2015


On 07/08/15 12:25, Felix Matouschek wrote:
> Hi Rowland,
>
>
> Regarding my permissions problem:
>
> Newly created files, no permission changes yet:
>
> ls -la:
>          drwxrwx---  3   fmatouschek vipco-users 4096 Aug  7 13:12 .
>          drwxr-xr-x   55 root                   vipco-users 4096 Aug  4 10:12 ..
>          drwxrwx---  2   fmatouschek vipco-users 4096 Aug  7 13:11 Directory
>         -rw-rw----     1   fmatouschek vipco-users 0        Aug  7 13:12 File.txt
>
> getfacl:
>          # file: .
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          group::rwx
>          other::---
>
> Ticking "write protected" on properties (both file and directory):
>
> ls -la:
>          drwxrwx---  3   fmatouschek vipco-users 4096 Aug  7 13:17 .
>          drwxr-xr-x   55 root                   vipco-users 4096 Aug  4 10:12 ..
>          drwxrwx---  2   fmatouschek vipco-users 4096 Aug  7 13:11 Directory
>          -r--r-----        1   fmatouschek vipco-users 0        Aug  7 13:12 File.txt
>
> getfacl:
>          # file: .
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          group::rwx
>          other::---
>
> Using the security tab:
>
> ls -la:
>          drwxrwx---     3   fmatouschek vipco-users 4096 Aug  7 13:20 .
>          drwxr-xr-x      55 root                   vipco-users 4096 Aug  4 10:12 ..
>          drwxrwx---+  2   fmatouschek vipco-users 4096 Aug  7 13:20 Directory
>          -r--rwx---+      1   fmatouschek vipco-users 0        Aug  7 13:20 File.txt
>
> getfacl:
>          # file: .
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          group::rwx
>          other::---
>
>          # file: Directory/
>          # owner: fmatouschek
>          # group: vipco-users
>          user::rwx
>          user:fmatouschek:rwx
>          group::rwx
>          group:vipco-users:rwx
>          mask::rwx
>          other::---
>          default:user::rwx
>          default:user:fmatouschek:r--
>          default:group::---
>          default:group:vipco-users:r--
>          default:mask::rwx
>          default:other::---
>
>          # file: File.txt
>          # owner: fmatouschek
>          # group: vipco-users
>          user::r--
>          user:fmatouschek:r--
>          group::r--
>          group:vipco-users:r--
>          mask::rwx
>          other::---
>
> According to this output only ticking write-protected on properties of a file does exactly what I want.
>
> Any ideas?
>
> Greetings,
> Felix
>
>

Taking this back on list where it belongs.

OK, you seem to understand Unix permissions, but anyway for those who don't:

Unix permissions are based on user:group:other, AKA ugo. These are
expressed as the letters r w x: r means read, w means write, x means
execute if a file and enter if it is a directory. These can be set with
chmod and you can use the letters or numbers 1-7; to allow all
permissions you could use chmod 777 /path/to/dir

Now we have that out of the way, I can tell you that no member of Domain
Admins will be able to set anything on the directory from Windows
because they don't have the permission to do so, either via Unix
permissions or Windows ACLs. You need to use 'setfacl' to add the
required permissions for Domain Admins, see 'man setfacl' for how to do
this.

Rowland
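
Added example, not part of the original message or of Samba: a small Python evaluator that parses the `getfacl` output for `Directory/` quoted above and applies the POSIX ACL check order from acl(5), showing why an account that is only in Domain Admins falls through to `other::---`. The user name `administrator`, the Unix-side group name `Domain Admins`, and the helper `grant_group` (a model of the entry `setfacl -m g:GROUP:PERMS` adds) are assumptions for illustration.

```python
import re

# getfacl output for Directory/ from the post (quote markers and default: lines dropped)
SAMPLE = """\
# file: Directory/
# owner: fmatouschek
# group: vipco-users
user::rwx
user:fmatouschek:rwx
group::rwx
group:vipco-users:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Parse getfacl text into {path: {"owner", "group", "entries"}}."""
    acls, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"# (file|owner|group): (.*)", line)
        if m and m.group(1) == "file":
            cur = acls.setdefault(m.group(2), {"entries": []})
        elif m:
            cur[m.group(1)] = m.group(2)
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split()[0].split(":")
            cur["entries"].append((tag, qual, set(perms) - {"-"}))
    return acls

def allowed(acl, user, groups, want):
    """POSIX ACL check order per acl(5): owner, named user, groups, other."""
    e, want = acl["entries"], set(want)
    find = lambda tag, qual="": [p for t, q, p in e if (t, q) == (tag, qual)]
    mask = (find("mask") or [set("rwx")])[0]
    if user == acl["owner"]:
        return want <= find("user")[0]            # owner entry ignores the mask
    if find("user", user):
        return want <= (find("user", user)[0] & mask)
    hits = [p for g in groups for p in find("group", g)]
    if acl["group"] in groups:
        hits += find("group")
    if hits:                                      # one matching group entry must grant it all
        return any(want <= (p & mask) for p in hits)
    return want <= find("other")[0]

def grant_group(acl, group, perms):
    """Model the entry that `setfacl -m g:GROUP:PERMS` adds (mask left unchanged)."""
    acl["entries"].append(("group", group, set(perms) - {"-"}))
```

Entries beginning with `default:` are skipped because they only seed the ACLs of newly created children and play no part in the access check on the directory itself.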



