Setting ACLs when creating files from Windows

simo idra at samba.org
Thu Aug 7 15:22:24 GMT 2008


On Thu, 2008-08-07 at 17:04 +0200, Corinna Vinschen wrote:
> On Aug  7 10:20, simo wrote:
> > On Thu, 2008-08-07 at 15:32 +0200, Corinna Vinschen wrote:
> > > Well, in theory I don't care if it's a network FS or a local FS.
> > > Cygwin's open() code simply tries to create files with a SD which
> > > contains the current user, its primary group and an Everyone ACE,
> > > regardless of the underlying FS.  This works fine on local and remote
> > > Windows filesystems, just not on Samba which needs the described
> > 
> > Yes but what happens on the remote windows filesystem ?
> > Do you just set an arbitrary SID there? This will work, but is probably
> > not what your users want.
> 
> It's not an arbitrary SID, it's the SID of the current user on the
> client machine...

Yes, but if I connected to a second machine I probably want files owned
by the server machine user I authenticated as, not the user of the
client. (Thinking about it, it may even get as far as forbidding access
to myself if permissions are strict, as the remote server does not
associate my local SID to the credentials used to access files).

> > > workaround, and on NFS, which uses an entirely different mechanism, the
> > > extended attributes approach.  It's not exactly Samba's fault, it's just
> > > annoying that so many different code paths are required to get the same
> > > result on different filesystems.  I had hoped for a simpler approach.
> > 
> > You should probably treat a remote windows filesystem and samba the same
> > way, unless your machines are in a domain and you are using domain users
> > I think you are setting unwanted SIDs on the remote windows machine.
> 
> ... but I start to see what you mean.  When not in a domain, the default
> behaviour is to create the files on the remote machine as the remote
> user the local user has authenticated as, while in a domain, the user
> has authenticated as itself and files are created as that user.

Yes.

>   The
> workaround I created for Samba maintains this behaviour.  OTOH, using a SD
> for the current user creates a new behaviour in that the file owner
> is the user of the client machine when running in a non-domain env.

Yep.


Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
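The failure mode Simo describes above (a security descriptor whose owner and ACE SIDs come from the client's local SAM, evaluated by a server that only knows the SID of the account the session authenticated as) is easy to see in a small model of the Windows DACL walk. The following is an added example, not Cygwin's or Samba's code: the SIDs are constructed placeholders, the "0644-style" default DACL is an assumption about what a client like the one discussed would write, and the check omits the generic-rights mapping and the implicit owner rights (READ_CONTROL/WRITE_DAC) that a real access check also applies.

```python
"""Simplified Windows-style DACL access check (added example, not Cygwin/Samba code).

Shows why a file created with a client-local owner SID can end up unwritable
by the very user who created it once a non-domain server evaluates the DACL
with its own SID for the authenticated session.
"""
from dataclasses import dataclass
from typing import Dict, List

# File-specific access masks, values as defined in the Win32 headers.
FILE_GENERIC_READ = 0x120089
FILE_GENERIC_WRITE = 0x120116
FILE_ALL_ACCESS = 0x1F01FF

EVERYONE = "S-1-1-0"  # well-known "World" SID, matches every token

# Constructed SIDs. Note the identical RID 1001: same relative id, but the
# machine-specific authority differs, so the server never matches the client's SID.
CLIENT_USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed
CLIENT_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-513"   # constructed
SERVER_USER = "S-1-5-21-4444444444-5555555555-6666666666-1001"   # constructed
SERVER_USERS = "S-1-5-32-545"                                    # BUILTIN\Users


@dataclass
class ACE:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: List[ACE]


@dataclass
class Token:
    user: str
    groups: List[str]


def build_sd(owner_sid: str, group_sid: str) -> SecurityDescriptor:
    """Assumed 0644-style default: owner full access, group and Everyone read-only."""
    return SecurityDescriptor(
        owner=owner_sid,
        group=group_sid,
        dacl=[
            ACE("allow", owner_sid, FILE_ALL_ACCESS),
            ACE("allow", group_sid, FILE_GENERIC_READ),
            ACE("allow", EVERYONE, FILE_GENERIC_READ),
        ],
    )


def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    """Walk the DACL in order, as Windows does: a matching deny ACE that overlaps
    the still-outstanding rights fails the check; matching allow ACEs accumulate
    granted rights until nothing desired remains."""
    token_sids = {token.user, *token.groups, EVERYONE}
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def demo() -> Dict[str, bool]:
    """Evaluate the same server-side token against a client-SID SD and a server-SID SD."""
    server_token = Token(SERVER_USER, [SERVER_USERS])
    client_sd = build_sd(CLIENT_USER, CLIENT_GROUP)   # what the client wrote
    server_sd = build_sd(SERVER_USER, SERVER_USERS)   # owner resolved on the server
    return {
        "client_sid_read": access_check(client_sd, server_token, FILE_GENERIC_READ),
        "client_sid_write": access_check(client_sd, server_token, FILE_GENERIC_WRITE),
        "server_sid_write": access_check(server_sd, server_token, FILE_GENERIC_WRITE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'granted' if ok else 'DENIED'}")
```

With the client-local SIDs in the descriptor, only the Everyone ACE matches the server's token, so the creating user keeps read access but loses write access to their own file; with the owner SID resolved to the server-side account, the owner ACE matches and write access is granted. Tightening the default to drop the Everyone ACE would lock the creator out entirely, which is the strict-permissions case mentioned in the thread.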
