[Samba] Settings ACL question

mathias dufresne infractory at gmail.com
Wed Aug 31 17:08:56 UTC 2016

Read wasn't the question. Question was about removing children but not the

parent-folder -> not removable
|_ Children1 ->
|_ Children2 -> both removable

I don't know how Samba deals with that, but that's not the point for now.
For now you have to understand NTFS permissions a little bit (I do not have
the knowledge to write something like a lesson about NTFS permissions).

So all the following must be done on Windows, on a local file system, an NTFS
file system, not through Samba for now.

- Create a folder anywhere, called "parent".
- Right click -> properties -> security tab -> advanced
- In advanced pop-up you get a button "change permissions", click on it
- Here you should get an error message because there is no ACL on this object,
they are inherited from parent. To change them you have to suppress
inheritance and copy ACL on the object and children (for children you can
choose to make them inherit from parent)
- If there still is a button "change permissions", click on it
- now you are facing a pop-up titled "Advanced Security Settings for
<object name>"
- choose one ACE, click on Edit button
- you get a new pop-up called "Permissions Entry for <object name>". This
pop-up contains a first box titled "Name:", a dropdown menu titled "Apply
to: " and a big box with Permissions, Allow, Deny.
- in the dropdown menu you can choose between different options:
"This folder only"
"This folder, subfolders and files"
"This folder and subfolders"
"This folder and files"
"Subfolders and files only"
"Subfolders only"
"Files only"

So you can apply different ACEs starting from same object which will apply
on the object, the object and its content, content only, as described

"This folder only" -> choose something to not allow removal
"Subfolders and files only" -> choose full control

Now you can test, you should be able to remove the folder on which you set
up the refusal of removal.

Hoping it's more clear.

Now you can do that on NTFS, try the same through Samba.

2016-08-31 17:29 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hard day, sorry. I'll try to read that this evening, but can't promise
> anything..
> 2016-08-31 14:12 GMT+02:00 Sam <sr42354 at gmail.com>:
>> OK, so if I understand the concept correctly, ACL should be apply-able *on*
>> the object itself only from the parent object?
>> For instance :
>> if I want read attribute on a directory I have to set it on the parent
>> directory.
>> And if I want read attribute inside a directory, I can set it on the
>> directory.
>> Hope this instance is clear to understand...
>> Thanks for confirming that for me. ;)
>> Samuel
>> On 30/08/2016 at 16:38, mathias dufresne wrote:
>> ACL should be apply-able on the object, the object and its children or on
>> children only.
>> Apply full control ACL for children only and for the folder itself MS
>> should have something to allow content modification only...
>> 2016-08-30 16:16 GMT+02:00 Sam via samba <samba at lists.samba.org>:
>>> Hello all,
>>> I am trying to set full control permission on a "Boss" directory for one
>>> group and at the same time I want to prevent this group from erasing this top
>>> directory.
>>> Is it possible to do that with different permission in the Boss parent
>>> directory?
>>> Here is a small drawing to explain:
>>> For the moment I can't prevent a user who is a member of the Boss group from
>>> deleting the Boss directory...
>>> Thanks for helping
>>> Sam

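The GUI procedure from the message above, scripted in PowerShell as an added example (not part of the original thread). The path, the group name "Boss" (borrowed from the question) and the rights chosen for "This folder only" are assumptions; the table maps each "Apply to" entry to the two flag sets stored on the ACE.

```powershell
# Added example. Assumptions: the path below is a scratch location and a
# group named "Boss" resolves on this machine or domain.
$path  = 'C:\Temp\parent'
$group = 'Boss'

# Each "Apply to" entry of the GUI is a pair (InheritanceFlags, PropagationFlags).
$applyTo = [ordered]@{
    'This folder only'                  = @('None',                            'None')
    'This folder, subfolders and files' = @('ContainerInherit, ObjectInherit', 'None')
    'This folder and subfolders'        = @('ContainerInherit',                'None')
    'This folder and files'             = @('ObjectInherit',                   'None')
    'Subfolders and files only'         = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    'Subfolders only'                   = @('ContainerInherit',                'InheritOnly')
    'Files only'                        = @('ObjectInherit',                   'InheritOnly')
}

# Build one ACE for $group with the scope named as in the dropdown menu.
function New-ScopedRule([string]$Rights, [string]$Scope, [string]$Type) {
    $inherit, $propagate = $applyTo[$Scope]
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $group, $Rights, $inherit, $propagate, $Type)
}

New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl = Get-Acl -Path $path

# Same as the GUI step: stop inheriting, but keep a copy of the inherited ACEs.
$acl.SetAccessRuleProtection($true, $true)

# Children: full control. InheritOnly means the ACE does not apply to "parent".
$acl.AddAccessRule((New-ScopedRule 'FullControl' 'Subfolders and files only' 'Allow'))

# "parent" itself: one possible rights set that leaves out Delete.
# 'Modify' would not do here, because it includes Delete.
$acl.AddAccessRule((New-ScopedRule 'ReadAndExecute, Write' 'This folder only' 'Allow'))

Set-Acl -Path $path -AclObject $acl

# Check: list every ACE now on "parent" together with its scope.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Deleting `parent` is also permitted by "Delete subfolders and files" on the folder that contains it, and the ACEs copied when inheritance was disabled may still grant Delete to other groups, so review the printed list before relying on the result.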