[Samba] folder permissions with Windows client, Samba server

Jim Salter jim at jrs-s.net
Wed Mar 10 12:12:17 MST 2010

Hi list -

I've been using Samba since 2.x in the early 2000s, and a papercut I 
had eight years ago still plagues me today - when anyone on a Windows 
client right-clicks a folder on a Samba share and tries to view or 
change its permissions, it doesn't work right.  The folder appears to 
have no permissions enabled for owner, group, or world (regardless of 
what the permissions actually are - and in fact, the Windows user can 
modify the folder or files in it without difficulty).  Worse, if the 
Windows user attempts to SET permissions on the folder, the folder will 
end up with a completely different (and generally completely unusable) 
set of permissions; chmod 700 and chown root, if I recall correctly - so 
then the hapless user who tried to set permissions on a folder that he 
or she could access just fine is locked out of that folder completely 
until someone shells into the Samba server and resets permissions from 
the command line.

I have seen this exact behavior on Samba 2.x / FreeBSD 4.x, 5.x, and 
6.x, both with and without ACLs enabled on the underlying filesystem, 
and just this week when I set up a Samba 3.4.0 server from the Ubuntu 
9.10 repositories, successfully joined it to a Windows 2003 domain with 
Kerberos working and Winbind mapping UIDs and GIDs properly... I STILL 
had the problem with the Windows GUI for setting folder permissions not 
mapping correctly!

Is this something I just have to live with, or is there something I 
don't understand about configuring Samba that would avoid this issue?

The smb.conf for the Ubuntu server I mentioned just now is unchanged 
from the default conf file shipping from the repository, with these 

####### Authentication #######

        security = ads
        realm = DOMAIN.LOCAL
        password server =
# note that workgroup is the 'short' domain name
        workgroup = DOMAIN
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

    comment = root of the Samba-accessible data storage
    read only = no
    writeable = yes
    path = /data/smbshare
    guest ok = no

