[Samba] Permissions at the top of a Samba share

Rowland penny rpenny at samba.org
Mon Aug 26 14:35:16 UTC 2019

On 26/08/2019 15:20, 🦏 Peter Rindfuss via samba wrote:
> Hi,
> I have a question regarding permissions at the top of a share as seen
> from a Windows 10 client.
> We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with
> one AD controller and one file server.
> The top directory of our main share on the file server has, on the Linux
> level, these permissions reported by getfacl:
> # file: ...
> # owner: root
> # group: domain\040users
> # flags: ---
> user::rwx
> group::r-x
> other::---
> i.e. there are no rights for "other" and no default entries in the Posix
> ACL (i.e. there is no Posix ACL at all, just plain Linux permissions)
> getfattr -d -e hex -m - ...
> shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no
> "user.SAMBA_PAI="
> The Windows security editor, however, has two entries for "Everyone":
> Allow Everyone None    'This folder only'
> Allow Everyone Special 'Subfolders and files only', the special rights
> being read permission.
> I am wondering where the read permission for 'Subfolders and files only'
> comes from as there is no trace of this on the Linux side.
> Thanks, Peter
Have you tried: getfattr -n security.NTACL -d /the/top/directory

You have to explicitly ask for it.

Unfortunately, you will not understand the output, so try this as well:

samba-tool ntacl get /the top/directory --as-sddl


More information about the samba mailing list