[Samba] Windows doesn't prevent directory deletion

Tue Mar 13 16:19:13 UTC 2018

Hi Samba team,

I'm currently building a Samba Domaincontroller with a seperate domain joined Samba Fileserver in my environment.

On my fileserver share which root directory is /srv/Share I don't use Windows ACLs, so just the default Linux permissions and Posix ACLs

Let's assume that I've a group employees which should have rwx permissions to a group specific share. So I've created the following structure:

/srv/Share (root:root, 755, rwx;r-x;r-x).

/srv/Share/Employees (root:"Employees", 770, rwx;rwx;---)

So the group employees isn't able to delete the directory "Employees", because they don't have write permission to the parent directory "Share", but they're able to create files in their Employees directory. That works just fine directly on the linux filesystem. And I would expect this behavior from a Windows Client too.

In Windows however an Employees member is able to delete the directory "Employees" from the Share mounted in the explorer.

So when the user clicks on delete, Windows asks if I'm sure to delete the files irrevocably. After that Windows deletes all files in that directory and then hides the Employees directory from the mounted Share. Only after I reload/reopen the explorer the Employee directory is visible again, but the directory is empty.

So it seems that Windows thinks that it's allowed to delete this directory also it isn't, because in Linux the parent directory "Share" denies it.

When you've a look on the translated ACLs within the security tab, you see that Samba has translated the permission 770 on the Employees Directory as a the permission for "this directory (Dieser Ordner)". This explains why Windows thinks that it's allowed to delete this directory. Normally Samba should map the permission of the parent directory "Shares" to the Employees "this directory" permission to map the Linux permissions correctly. Then it should add another permission for all subdirectorys and files that are created within the Employees directory whichs maps the permissions of the Linux Employees directory.

Here's a picture how it looks in windows (It's a german windows, but I think it's understandable)

https://imgur.com/a/Ga9dw

Hopefully you understand the problem, if not, just feel free to ask for further information :)

I don't want to switch to Windows ACLs, because I like the feature of just setting the permissions using the ACL library.

Workaround:
I've found an ugly workaround for this issue, but I would appreciate it if there will be a better solution :). We're creating the root directorys like "Employees" programatically, so I just added in every directory a ".protected" named directory with the permissions root:root 700.

Then Windows recognizes that it isn't allowed to delete the root directory "Employees", because there's a file samba denies access to.

Kind regards
Sören