[Samba] file sharing issue in samba4

Andrew Bartlett abartlet at samba.org
Sun Oct 14 16:25:00 MDT 2012

On Sun, 2012-10-14 at 23:01 +0200, Germ van Ek wrote:
> Hello Ankur,
> I have understood that in Samba4 the file-daemon runs as root, and
> access control is handled by Samba, not by the permissions on the
> filesystem.

This is incorrect.  The default file server (smbd) changes to each
connected user and uses (essentially, only) the file system permissions.
Even the non-default file server (ntvfs) still changes to the connected

> Therefore, it is also not needed to have a local Unix user for every
> Samba user.

This is also incorrect, however when we are an AD DC, we will allocate
uid/gid numbers in idmap.ldb and store the user accounts in sam.ldb.  You
will need to use nss_winbind to have these show up in nsswitch (e.g.
getent passwd etc). 

> Downside is that you will have to change the tools you use for setting
> permissions.
> I currently don't have access to a Samba 4 server, but after searching
> a bit it seems the samba-tool ntacl command is for this purpose.

This tool will allow you to set a specific NT ACL for cases where
setting that is required.  This isn't often for normal file server
tasks, even on the DC.   

Setting the posix permissions on normal file shares should work fine.  

You may be thinking of the override behaviour we had in the 'ntvfs' file
server, allowing an NT ACL stored in an xattr to override the posix file
permissions.  This only applies if both 1) an NT ACL is set and 2) you
are using the non-default file server.

I hope this clarifies things.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
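
An added example, not part of the original message and not Samba's own tooling: a shell check that winbind is actually reachable for a database in nsswitch.conf, the prerequisite named above for the accounts allocated in idmap.ldb to show up in getent passwd. The function name and the sample file contents are constructed for illustration, and only the plain [NOTFOUND=return] action form is recognised.

```shell
#!/bin/sh
# Report whether winbind is a usable source for one nsswitch database.
# Usage: nss_winbind_status FILE DB      (DB is e.g. passwd or group)
# Prints: ok       winbind is listed and lookups can reach it
#         blocked  winbind is listed after [NOTFOUND=return], so a miss in
#                  an earlier source ends the lookup before winbind is asked
#         missing  winbind is not listed for this database
nss_winbind_status() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                  # drop trailing comments
        $1 == db ":" {
            blocked = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                gsub(/\[|\]/, "", t)        # strip action brackets
                if (t == "notfound=return") {
                    blocked = 1
                } else if (t == "winbind") {
                    print (blocked ? "blocked" : "ok")
                    found = 1
                    exit
                }
            }
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample input, not taken from any real host.
sample=$(mktemp)
printf '%s\n' \
    '# constructed nsswitch.conf' \
    'passwd: files winbind' \
    'group:  files [NOTFOUND=return] winbind' \
    'shadow: files' > "$sample"

for db in passwd group shadow; do
    printf '%s: %s\n' "$db" "$(nss_winbind_status "$sample" "$db")"
done
rm -f "$sample"
```

On a live server, point the function at /etc/nsswitch.conf for both passwd and group before relying on getent passwd output.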
