[Samba] Posix vs. Windows File/Directory Permissions

Rowland Penny rowlandpenny at googlemail.com
Wed May 13 09:02:55 MDT 2015


On 13/05/15 13:38, Mike wrote:
> I want to get a better understanding of what's happening between the posix
> permissions and windows permissions.

Nothing happens between posix permissions (acls) and Windows permissions 
(ACLs); they are different, see:

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

On Unix, you can set read, write and execute/enter permissions for the 
owner, group or others, so for a share to be readable by some user who 
is neither the owner nor a member of the group allowed access, you must 
set the Unix acls to 'rwxr-xr-x' or '755'. Now this is all well and good 
if you just want to give others read access, but what if you want the 
user to have write access as well?

If a share has the owner:group set to fred:unixgroup, you could add 
george to the group 'unixgroup' and change the acls to rwxrwxr-x (775), 
but then every member of the group 'unixgroup' will have write permissions.

The answer to this? Use Windows ACLs; with these you could retain the 
Unix acls and add george as a user that has write access. You can do 
this from Windows, or with setfacl:

  setfacl -m u:george:rwx testdir

and to see the ACLs:

  getfacl testdir

There is much more out there; just try a search on 'getfacl'.

Rowland
>
> I start with a Samba 4 AD DC with a share:  /mnt/data
>
> All subfolders and files have permissions and ownership that look like:
>
> drwxrwxrwx. 539 root root  52K May 12 17:50
>
> The Samba 4 Admin and User accounts are not local users on the linux
> server; they are only AD domain accounts.  The /mnt/data share is set read
> only = no.  I thought the AD DC ignores the posix ownership and permission
> settings, and they are controlled by ADUC settings via windows tools.  But
> when I chmod the directory to 0770:
>
> drwxrwx---  539  root  root  52K May 12  17:53
>
> I can no longer access the share /mnt/data using AD DC Admin or User
> accounts.
>
> Can I get an RTFM pointer that addresses what happening in this example?
> Thanks for your help.
>
> Mike
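As an added example that is not part of the mailing-list thread and is not Samba code: a small Python evaluator for POSIX.1e access ACLs (the getfacl/setfacl kind), applying the evaluation order described in acl(5). It reproduces the two situations above without a server: Mike's share after chmod 0770, where a domain user who is neither root nor in group root falls through to other::--- and is denied, and Rowland's testdir after setfacl -m u:george:rwx, where george gets write access without anyone touching group unixgroup. The getfacl text, the user names alice and harry and the group name "domain users" are constructed for the example; the mask rule shown in the third sample is the standard behaviour that chmod on a file with extended entries rewrites the mask rather than the named entries.

```python
"""Evaluate POSIX.1e access ACLs from getfacl-style text (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text: str) -> int:
    """Turn 'rwx', 'r-x', '---' into a 3-bit value."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int = 0                                    # user::   (owner)
    group_obj: int = 0                                   # group::  (owning group)
    other: int = 0                                       # other::
    mask: Optional[int] = None                           # mask::   (absent on plain-mode files)
    users: Dict[str, int] = field(default_factory=dict)  # user:NAME:
    groups: Dict[str, int] = field(default_factory=dict) # group:NAME:


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl(1) output; '#effective:' notes are ignored because the
    mask is applied during evaluation instead."""
    acl = Acl(owner="", group="")
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                         # header comments
            if line.startswith("# owner:"):
                acl.owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                acl.group = line.split(":", 1)[1].strip()
            continue
        entry = line.split("#", 1)[0].strip()            # drop '#effective:r-x'
        tag, qualifier, perms = entry.split(":", 2)
        bits = parse_perms(perms)
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL tag: {tag}")
    return acl


def access_allowed(acl: Acl, user: str, groups: Iterable[str], wanted: str) -> bool:
    """acl(5) order: owner -> named user -> owning/named groups -> other.
    Named-user and every group entry are limited by the mask; owner is not."""
    want = parse_perms(wanted)
    mask = 7 if acl.mask is None else acl.mask
    grants = lambda bits: bits & want == want
    if user == acl.owner:
        return grants(acl.user_obj)
    if user in acl.users:
        return grants(acl.users[user] & mask)
    matched_group = False
    for g in groups:                                     # any matching group entry may grant
        if g == acl.group:
            matched_group = True
            if grants(acl.group_obj & mask):
                return True
        elif g in acl.groups:
            matched_group = True
            if grants(acl.groups[g] & mask):
                return True
    if matched_group:                                    # a group matched but none sufficed
        return False
    return grants(acl.other)


def effective_rights(acl: Acl, user: str, groups: Iterable[str]) -> str:
    """'rwx'-style summary of what the ACL grants to this user."""
    groups = list(groups)
    return "".join(p if access_allowed(acl, user, groups, p) else "-" for p in "rwx")


# Constructed: the share after 'chmod 0770' with no extended entries.
SHARE_0770 = """\
# file: mnt/data
# owner: root
# group: root
user::rwx
group::rwx
other::---
"""

# Constructed: a 755 directory owned by fred:unixgroup after
# 'setfacl -m u:george:rwx testdir'. setfacl adds the mask entry.
TESTDIR = """\
# file: testdir
# owner: fred
# group: unixgroup
user::rwx
user:george:rwx
group::r-x
mask::rwx
other::r-x
"""

# Constructed: the same directory after a later 'chmod 755'. With extended
# entries present, chmod's group bits rewrite the mask, so george's entry
# is still listed but only r-x is effective.
TESTDIR_MASKED = """\
# file: testdir
# owner: fred
# group: unixgroup
user::rwx
user:george:rwx			#effective:r-x
group::r-x
mask::r-x
other::r-x
"""

if __name__ == "__main__":
    print("alice on 0770 share:", effective_rights(parse_getfacl(SHARE_0770), "alice", ["domain users"]))
    print("george on testdir:  ", effective_rights(parse_getfacl(TESTDIR), "george", []))
    print("harry (unixgroup):  ", effective_rights(parse_getfacl(TESTDIR), "harry", ["unixgroup"]))
    print("george after chmod: ", effective_rights(parse_getfacl(TESTDIR_MASKED), "george", []))
```

The third sample is the caveat worth remembering when mixing chmod and setfacl on the same tree: once a directory carries named entries, the group bits shown by ls -l are the mask, and a chmod that "only" changes group permissions silently caps every named user and group entry. getfacl marks the capped entries with #effective, which is the first thing to look at when a user who clearly has an entry still cannot write.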
