[Samba] Posix vs. Windows File/Directory Permissions

Reindl Harald h.reindl at thelounge.net
Fri May 15 08:30:22 MDT 2015


On 15.05.2015 at 16:20, Mike wrote:
> On Fri, May 15, 2015 at 4:37 AM, Klaus Hartnegg <hartnegg at uni-freiburg.de>
> wrote:
>
>> Not sure which email you mean. I don't think that this can happen. If the
>> Linux acls are modified, the Windows ACLs are destroyed and all is based on
>> the Linux permissions and acls (which looks strange when viewed from
>> Windows). If the Windows ACLs are modified, Samba automatically adjusts the
>> Linux acls accordingly. They should always be in sync.
>>
>
> Klaus,
>
> I think my test demonstrated what you are saying.
> I changed a share's permissions from root:root rwxrwxrwx to root:root
> rwxrwx---
> And then the windows AD Administrator account was no longer able to access
> the share.
> If I made a linux user account on the server called "Administrator" and did:
>
> setfacl -R -m u:Administrator:rwx /mnt/data
>
> then the Administrator would be configured using posix acl's for access to
> the share.
>
> I guess the moral of the story:
>
> if you don't want to set up AD domain users with linux user accounts on the
> server, and are serving shares only to windows clients - DON'T touch posix
> permissions or acl's.  Use Microsoft ADUC and Samba4 will interpret/provide
> the acl settings to the linux filesystem.
>
> Is that close to correct?

the real problem in that thread is that the ordinary chmod/chown 
permissions are called repeatedly "acls" which is not wrong by the 
definition of "access control list" but mixing that with "windows ACLs" 
and "posix ACLs" where on the FS layer we just have ACLs set with 
"setfacl" it leads to total confusion and nobody knows what people are 
talking about
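
A simplified model of the POSIX-side check behind the test described in the quoted message, added here as an example; it is not part of the original thread and not Samba's code. The `Inode` class, the `replay` function and the `domain users` group are constructed for illustration, and root's bypass and Samba's NT ACL handling are not modelled.

```python
# Added illustration, not Samba code: a simplified model of the kernel's
# POSIX access check. root's bypass and Samba's NT ACLs are not modelled.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Inode:
    owner: str
    group: str
    mode: int                                  # what chmod sets and ls -l shows
    named_users: dict = field(default_factory=dict)   # setfacl u:NAME:perms
    named_groups: dict = field(default_factory=dict)  # setfacl g:NAME:perms
    group_obj: Optional[int] = None            # owning-group perms once an ACL exists

    def setfacl(self, kind, name, perms):
        """Model `setfacl -m kind:name:perms` with default mask recalculation."""
        if self.group_obj is None:
            self.group_obj = (self.mode >> 3) & 7
        (self.named_users if kind == "u" else self.named_groups)[name] = perms
        mask = self.group_obj
        for p in [*self.named_users.values(), *self.named_groups.values()]:
            mask |= p
        self.mode = (self.mode & ~0o070) | (mask << 3)  # group bits now hold the mask

    def allowed(self, user, groups, want):
        owner_p, class_p, other_p = (self.mode >> 6) & 7, (self.mode >> 3) & 7, self.mode & 7
        if user == self.owner:
            return (owner_p & want) == want
        if user in self.named_users:           # named entries are limited by the mask
            return (self.named_users[user] & class_p & want) == want
        if self.group_obj is None:             # only chmod/chown permissions exist
            return ((class_p if self.group in groups else other_p) & want) == want
        matched = [self.group_obj] if self.group in groups else []
        matched += [p for g, p in self.named_groups.items() if g in groups]
        if matched:
            return any((p & class_p & want) == want for p in matched)
        return (other_p & want) == want

def replay():
    """Replay the test from the thread for a constructed non-root account."""
    who, groups, rx = "Administrator", {"domain users"}, 5
    share, seen = Inode("root", "root", 0o777), []
    seen.append(share.allowed(who, groups, rx))   # rwxrwxrwx: reached via "other"
    share.mode = 0o770                            # chmod 770
    seen.append(share.allowed(who, groups, rx))   # "other" now has no bits
    share.setfacl("u", who, 7)                    # setfacl -m u:Administrator:rwx
    seen.append(share.allowed(who, groups, rx))   # named-user entry grants access
    share.mode = 0o700                            # chmod 700 rewrites the ACL mask
    seen.append(share.allowed(who, groups, rx))   # entry still exists, mask hides it
    return seen
```

The last step shows why the terminology matters: once a `setfacl` entry exists, a later `chmod` of the group bits changes the ACL mask rather than the owning group's permissions.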

