[Samba] Windows permissions and inheritance

Ross Smith Ross.Smith at robinsons.com
Thu Feb 28 09:24:08 GMT 2008


Does anybody have experience of running Samba on a domain and getting
inherited file permissions on a Samba server to more closely match the
permissions you would see on a Windows 2000 box?  
 
I'm trying to reproduce our departmental folders on a Samba box, running
on ZFS with NFSv4 ACL's, but I'm struggling to get inherited permissions
working properly when new files are created.  I've read all the
documentation I can find, but everything seems to be written from a Unix
point of view in terms of granting windows users access to Unix files
with standard Unix permissions.  I haven't found much at all regarding
reproducing standard windows behaviour.
 
The aim is to reproduce the following directory structure and
permissions:
  /Departments    - Domain Users: read access, Domain Admins: full control
     /Accounts    - Domain Admins: full control, Accounts users: read & write access
     /Design      - Domain Admins: full control, Design users: read & write access
     /Shared      - Domain Admins: full control, Domain users: read & write access
 
To do this I created the /Departments folder, and granted just the
permissions shown.  In windows it looks fine, and under Solaris it looks
ok too, the permissions appear as:
 
d---r-x---+  3 ross smith domain users       3 Feb 28 08:24 Departments
     0:group:domain admins:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
     1:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:file_inherit/dir_inherit:allow

However, if I logon to a windows machine as a Domain Admin, and try to
create the Accounts folder I hit problems.  Windows creates a folder
titled "New Folder" ok, but I'm denied access when I try to rename it.
Looking at the permissions for that folder, there are a whole host of
entries that I wouldn't expect to be there:
 
drwxr-xr-x+  2 ross smith domain users       2 Feb 28 08:24 New Folder
     0:group:domain admins:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:file_inherit/dir_inherit
         /inherit_only/inherited:allow
     1:group:domain admins:add_file/write_data/add_subdirectory/append_data
         :deny
     2:group:domain admins:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /synchronize:inherited:allow
     3:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:file_inherit/dir_inherit/inherit_only
         /inherited:allow
     4:group@:read_xattr/read_attributes/read_acl/synchronize:inherited:allow
     5:owner@::deny
     6:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     7:group@:add_file/write_data/add_subdirectory/append_data:deny
     8:group@:list_directory/read_data/execute:allow
     9:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
    10:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
 
Under Windows I would expect this folder to inherit identical
permissions to its parent.  Domain admins should have full control, and
Domain users should have read only access.
 
The permissions I'm getting look to have several problems.  Firstly, the
Unix permissions are set to grant everyone read access, to grant the
owner full access, and the group read access.  Under my understanding,
none of those should be there at all since in smb.conf I have:
force create mode 0000
force directory mode 0000
 
Am I correct in assuming that I don't need to use these permissions and
that I can use the NFSv4 permissions instead?  If so, how do I prevent
the system adding these permissions when new files are created?
 
Secondly, the NFSv4 permissions are all over the place.  It's correctly
inherited the domain admins permissions, but it's also added a bunch of
spurious deny permissions, and added a whole bunch of permissions that
look to be based on the Unix permissions mentioned above.
 
It's the deny permissions that I believe are causing the problem
renaming the folder, but I don't particularly want any of the other
permissions there either.  Can anybody tell me if there's a way to avoid
this?
 
thanks,
 
Ross
 
----------------- 
Ross Smith 
Network Manager 
Robinson Construction
http://www.robinsons.com
 
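As an added illustration (not part of Ross's post, nor code from Samba or ZFS), here is a small Python script that parses the `ls -V` style ACL listing quoted above and evaluates it the way NFSv4 ACLs are evaluated on Solaris: entries are processed in index order, the first entry that names the requesting principal and mentions a given access bit decides it, and entries flagged `inherit_only` apply to future children rather than to the directory itself. It separates the entries that carry the `inherited` flag (they came from the parent) from the ones that were synthesised locally, and reports the effective verdict per bit for a chosen principal. The identity set used for "a non-owner Domain Admin" is an assumption for the demonstration; the ACE lines are the "New Folder" listing from the post with the mail wrapping undone.

```python
"""Parse and evaluate ZFS/NFSv4 ACL entries in the `ls -V` format shown in the post.

Evaluation model (NFSv4, as implemented on Solaris ZFS): ACEs are walked in
index order; for each requested access bit, the first ACE that matches the
principal and lists that bit decides allow or deny.  ACEs with `inherit_only`
are skipped for the object itself.  Example code, not Samba's or ZFS's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    index: int
    who: str               # "group:domain admins", "group@", "owner@", "everyone@", ...
    perms: frozenset
    flags: frozenset
    access: str            # "allow" or "deny"


def parse_ace(line: str) -> Ace:
    """Parse one ACE: index:[user|group:]who:perms[:flags]:allow|deny."""
    parts = line.strip().split(":")
    index, access = int(parts[0]), parts[-1]
    if access not in ("allow", "deny"):
        raise ValueError(f"unexpected access type in {line!r}")
    body = parts[1:-1]
    if body[0] in ("user", "group"):       # named principal, e.g. group:domain admins
        who, body = f"{body[0]}:{body[1]}", body[2:]
    else:                                  # owner@, group@, everyone@
        who, body = body[0], body[1:]
    # An empty perms field (as in "5:owner@::deny") yields an empty set.
    perms = frozenset(p for p in body[0].split("/") if p) if body else frozenset()
    flags = frozenset(f for f in body[1].split("/") if f) if len(body) > 1 else frozenset()
    return Ace(index, who, perms, flags, access)


def parse_acl(text: str) -> list:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def not_inherited(aces) -> list:
    """Indices of ACEs lacking the `inherited` flag, i.e. not copied from the parent."""
    return [a.index for a in aces if "inherited" not in a.flags]


def deny_entries(aces) -> list:
    return [a.index for a in aces if a.access == "deny"]


def effective(aces, identities, wanted) -> dict:
    """First-match verdict ('allow', 'deny' or 'unspecified') for each wanted bit."""
    result = {}
    for perm in wanted:
        verdict = "unspecified"
        for ace in sorted(aces, key=lambda a: a.index):
            if "inherit_only" in ace.flags or ace.who not in identities:
                continue
            if perm in ace.perms:
                verdict = ace.access
                break
        result[perm] = verdict
    return result


# The "New Folder" ACL from the post, one ACE per line as `ls -V` prints it.
NEW_FOLDER_ACL = """\
0:group:domain admins:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit/inherit_only/inherited:allow
1:group:domain admins:add_file/write_data/add_subdirectory/append_data:deny
2:group:domain admins:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/synchronize:inherited:allow
3:group@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit/inherit_only/inherited:allow
4:group@:read_xattr/read_attributes/read_acl/synchronize:inherited:allow
5:owner@::deny
6:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
7:group@:add_file/write_data/add_subdirectory/append_data:deny
8:group@:list_directory/read_data/execute:allow
9:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr/write_attributes/write_acl/write_owner:deny
10:everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow
"""

if __name__ == "__main__":
    aces = parse_acl(NEW_FOLDER_ACL)
    print("not inherited from parent:", not_inherited(aces))
    print("deny entries:             ", deny_entries(aces))
    # Assumed identity set for a Domain Admin who is not the owner of the folder.
    admin = {"group:domain admins", "group@", "everyone@"}
    print(effective(aces, admin, ["read_data", "add_file", "delete", "delete_child", "write_acl"]))
```

Running it shows that entries 1, 5, 6, 7, 8, 9 and 10 did not come from the parent, that the deny at index 1 precedes the inherited allow at index 2 and so wins for `add_file`/`write_data`, and that `write_acl` for a non-owner admin falls through to the `everyone@` deny at index 9 because the inherited allow at index 2 no longer lists it.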
 
