[Samba] Permissions at the top of a Samba share
Rowland penny
rpenny at samba.org
Mon Aug 26 14:35:16 UTC 2019
On 26/08/2019 15:20, 🦏 Peter Rindfuss via samba wrote:
> Hi,
>
> I have a question regarding permissions at the top of a share as seen
> from a Windows 10 client.
>
> We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with
> one AD controller and one file server.
>
> The top directory of our main share on the file server has, on the Linux
> level, these permissions reported by getfacl:
> # file: ...
> # owner: root
> # group: domain\040users
> # flags: ---
> user::rwx
> group::r-x
> other::---
>
> i.e. there are no rights for "other" and no default entries in the Posix
> ACL (i.e. there is no Posix ACL at all, just plain Linux permissions)
>
> getfattr -d -e hex -m - ...
> shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no
> "user.SAMBA_PAI="
>
> The Windows security editor, however, has two entries for "Everyone":
> Allow Everyone None 'This folder only'
> Allow Everyone Special 'Subfolders and files only', the special rights
> being read permission.
>
> I am wondering where the read permission for 'Subfolders and files only'
> comes from as there is no trace of this on the Linux side.
>
> Thanks, Peter
>
Have you tried: getfattr -n security.NTACL -d /the/top/directory
You have to explicitly ask for it.
Unfortunately, you will not understand the output, so try this as well:
samba-tool ntacl get /the top/directory --as-sddl
Rowland
More information about the samba
mailing list