[Samba] Cannot change directory permissions

Rowland Penny rowlandpenny241155 at gmail.com
Fri Aug 7 12:31:05 UTC 2015


On 07/08/15 13:12, Felix Matouschek wrote:
> Hi Rowland,
>
> sorry, I hit the wrong reply button in the last answer.
>
> So there is no other way than to use Windows ACLs?
> I was told with our old systems (Samba 3 in non-domain mode) the behaviour I want to achieve was possible when only using ugo.

You can use Unix permissions, but 'Domain Admins' would have to be known 
to the underlying Unix OS, i.e. 'getent group Domain\ Admins' would have 
to return something. The only way to do this would be to give Domain 
Admins a gidNumber. There is however a sting in the tail if you do this: 
you should expect mixing Unix permissions and Windows ACLs to give you 
problems; you should use either Unix permissions or Windows ACLs, not a 
mixture of both.
The old Samba 3 systems worked in a different way: there was usually a 
mapping of local Unix users and groups to Samba users and groups, which 
meant that there was a user or group that could be set on a file or 
directory.

I would suggest, as there are Windows machines involved, that you only 
use Windows ACLs; once the initial setup is done, everything can be done 
from Windows.

Rowland

>
> Greetings,
> Felix
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Friday, 7 August 2015 13:48
> To: sambalist
> Subject: Re: [Samba] Cannot change directory permissions
>
> On 07/08/15 12:25, Felix Matouschek wrote:
>> Hi Rowland,
>>
>>
>> Regarding my permissions problem:
>>
>> Newly created files, no permission changes yet:
>>
>> ls -la:
>>           drwxrwx---   3 fmatouschek vipco-users 4096 Aug  7 13:12 .
>>           drwxr-xr-x  55 root        vipco-users 4096 Aug  4 10:12 ..
>>           drwxrwx---   2 fmatouschek vipco-users 4096 Aug  7 13:11 Directory
>>           -rw-rw----   1 fmatouschek vipco-users    0 Aug  7 13:12 File.txt
>>
>> getfacl:
>>           # file: .
>>           # owner: fmatouschek
>>           # group: vipco-users
>>           user::rwx
>>           group::rwx
>>           other::---
>>
>> Ticking "write protected" on properties (both file and directory):
>>
>> ls -la:
>>           drwxrwx---   3 fmatouschek vipco-users 4096 Aug  7 13:17 .
>>           drwxr-xr-x  55 root        vipco-users 4096 Aug  4 10:12 ..
>>           drwxrwx---   2 fmatouschek vipco-users 4096 Aug  7 13:11 Directory
>>           -r--r-----   1 fmatouschek vipco-users    0 Aug  7 13:12 File.txt
>>
>> getfacl:
>>           # file: .
>>           # owner: fmatouschek
>>           # group: vipco-users
>>           user::rwx
>>           group::rwx
>>           other::---
>>
>> Using the security tab:
>>
>> ls -la:
>>           drwxrwx---   3 fmatouschek vipco-users 4096 Aug  7 13:20 .
>>           drwxr-xr-x  55 root        vipco-users 4096 Aug  4 10:12 ..
>>           drwxrwx---+  2 fmatouschek vipco-users 4096 Aug  7 13:20 Directory
>>           -r--rwx---+  1 fmatouschek vipco-users    0 Aug  7 13:20 File.txt
>>
>> getfacl:
>>           # file: .
>>           # owner: fmatouschek
>>           # group: vipco-users
>>           user::rwx
>>           group::rwx
>>           other::---
>>
>>           # file: Directory/
>>           # owner: fmatouschek
>>           # group: vipco-users
>>           user::rwx
>>           user:fmatouschek:rwx
>>           group::rwx
>>           group:vipco-users:rwx
>>           mask::rwx
>>           other::---
>>           default:user::rwx
>>           default:user:fmatouschek:r--
>>           default:group::---
>>           default:group:vipco-users:r--
>>           default:mask::rwx
>>           default:other::---
>>
>>           # file: File.txt
>>           # owner: fmatouschek
>>           # group: vipco-users
>>           user::r--
>>           user:fmatouschek:r--
>>           group::r--
>>           group:vipco-users:r--
>>           mask::rwx
>>           other::---
>>
>> According to this output only ticking write-protected on properties of a file does exactly what I want.
>>
>> Any ideas?
>>
>> Greetings,
>> Felix
>>
>>
> Taking this back on list where it belongs.
>
> OK, you seem to understand Unix permissions, but anyway for those who don't:
>
> Unix permissions are based on user:group:other, AKA ugo. These are expressed as the letters r, w, x: r means read, w means write, x means execute if a file and enter if it is a directory. These can be set with chmod and you can use the letters or numbers 1-7; to set to allow all permissions you could use chmod 777 /path/to/dir
>
> Now that we have that out of the way, I can tell you that no member of Domain Admins will be able to set anything on the directory from Windows because they don't have the permission to do so, either via Unix permissions or Windows ACLs. You need to use 'setfacl' to add the required permissions for Domain Admins; see 'man setfacl' for how to do this.
>
> Rowland
>
>
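The output Felix posted is a good illustration of why mixing the two models is confusing: once the Windows security tab has written a POSIX ACL, `ls -l` prints the ACL mask in the group position, so `-r--rwx---+` looks as though `vipco-users` gained write, when in fact the owning-group entry is still `r--`. The script below is an added example and is not code from the thread or from the Samba project; it parses `getfacl` output (the two listings are copied from Felix's post, the third is a constructed one), applies the mask the way acl(5) describes, and reconstructs the mode string `ls` would show. The helper names are my own.

```python
"""Parse getfacl(1) output and report the rights actually granted once the ACL mask is applied.

Added example; the parser and helper names are mine, not the thread's or Samba's.
The first two ACL listings are copied from Felix's post; the third is constructed.
"""
from typing import Dict, List, NamedTuple, Optional

# getfacl output for File.txt after the Windows security tab was used (from the post).
GETFACL_FILE_TXT = """\
# file: File.txt
# owner: fmatouschek
# group: vipco-users
user::r--
user:fmatouschek:r--
group::r--
group:vipco-users:r--
mask::rwx
other::---
"""

# getfacl output for Directory/ from the same post, including the default (inherited) entries.
GETFACL_DIRECTORY = """\
# file: Directory/
# owner: fmatouschek
# group: vipco-users
user::rwx
user:fmatouschek:rwx
group::rwx
group:vipco-users:rwx
mask::rwx
other::---
default:user::rwx
default:user:fmatouschek:r--
default:group::---
default:group:vipco-users:r--
default:mask::rwx
default:other::---
"""

# Constructed listing: a restrictive mask cutting a named group's rwx down to r--.
GETFACL_CONSTRUCTED = "user::rw-\ngroup::rwx\ngroup:staff:rwx\nmask::r--\nother::---\n"


class AclEntry(NamedTuple):
    tag: str        # user, group, mask or other
    qualifier: str  # name for named entries; "" for owner, owning group, mask, other
    perms: int      # rwx as a 3-bit number
    default: bool   # True for default: entries, which new children inherit


_BITS = (("r", 4), ("w", 2), ("x", 1))


def perms_from_str(s: str) -> int:
    return sum(v for c, v in _BITS if c in s)


def perms_to_str(p: int) -> str:
    return "".join(c if p & v else "-" for c, v in _BITS)


def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse the text form getfacl prints; comment lines and '#effective:' tails are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split("#", 1)[0].strip()  # drop a trailing "#effective:..." annotation
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perm = line.split(":", 2)
        entries.append(AclEntry(tag, qualifier, perms_from_str(perm), default))
    return entries


def access_mask(entries: List[AclEntry]) -> Optional[int]:
    for e in entries:
        if e.tag == "mask" and not e.default:
            return e.perms
    return None


def effective_perms(entries: List[AclEntry]) -> Dict[str, str]:
    """Rights each access entry really grants: named users, named groups and the
    owning group are limited by the mask; the owner and 'other' are not."""
    mask = access_mask(entries)
    out = {}
    for e in entries:
        if e.default:
            continue
        p = e.perms
        if mask is not None and (e.qualifier or e.tag == "group"):
            p &= mask
        out[f"{e.tag}:{e.qualifier}"] = perms_to_str(p)
    return out


def ls_mode_string(entries: List[AclEntry]) -> str:
    """The nine permission characters ls -l prints, plus '+' for an extended ACL.
    With a mask entry present, the group triad shows the mask, not group::."""
    by = {(e.tag, e.qualifier): e.perms for e in entries if not e.default}
    mask = access_mask(entries)
    group_bits = mask if mask is not None else by[("group", "")]
    extended = mask is not None or any(e.qualifier for e in entries if not e.default)
    return (perms_to_str(by[("user", "")]) + perms_to_str(group_bits)
            + perms_to_str(by[("other", "")]) + ("+" if extended else ""))


if __name__ == "__main__":
    for name, text in (("File.txt", GETFACL_FILE_TXT), ("Directory/", GETFACL_DIRECTORY)):
        acl = parse_getfacl(text)
        print(name, "ls shows", ls_mode_string(acl), "effective:", effective_perms(acl))
```

Running it on the File.txt listing gives `r--rwx---+`, the same mode the post shows, while the effective rights for `group:vipco-users` remain `r--`; the Directory listing carries six `default:` entries, which is why files created under it pick up ACL entries without anyone setting them.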